NTP/NTS, GP/PS, Clonezilla, DNS/CAA, DNSSEC, Nginx

  • Cloudflare Time Service - Supports: Network Time Protocol (NTP) @ Wikipedia, Network Time Security (NTS) @ IETF, and Roughtime @ Google and Roughtime @ Cloudflare. Nice, one more global NTP service provider, if you need one. Of course their blog post about secure time @ Cloudflare is also a great read with the history lessons. TLS key extraction, nice. NTS-KE uses client-side cookies in a nice way to provide authentication. Ref: "NTS Key Establishment" protocol (NTS-KE). With Ubuntu it's trivial to use this service with timesyncd. No need for ntp.conf to be used, if syncing every now and then is enough. There's also an ntpsec package available for Ubuntu. Finally - Cloudflare time-services page for developers.

  • Had fun while learning how to manage Group Policies using PowerShell scripts. As usual, it's a very messy thing. But after long testing I found a way. As an example, Get-GPO or Get-PolicyFileEntry do not work at all. Also the settings in group policy and registry do not match etc. This is just like many things with Linux. Extreme mess. Why did I bother? Because it seems that new installations of Windows 2019 Server require manual updates. Which pretty much guarantees that the systems will lack updates forever. I really don't know if this is a good idea. I would say it's a really bad idea. But many admins seem to prefer it that way. And then people keep wondering why systems remain unpatched for a decade. Of course those do. It's a totally normal and obvious end result. Only a small number of the servers get patched when there is some "extreme wormable threat", otherwise nobody bothers. And even if they bother, they forget to update half of the systems.

  • Clonezilla @ Wikipedia - Software quality, it's everywhere. Tried the latest stable Clonezilla with Ubuntu 19.10 Eoan Ermine. Guess what, it doesn't work. Clonezilla issues an invalid command line while mounting /home/partimag from an NTFS volume and enters an infinite loop issuing invalid commands. Awesome and at the same time so typical. It seems that probably nobody has ever tested such a configuration. - Nothing new, everything is so broken, and it's just normal. Decided to use the full Clonezilla image instead of installing Clonezilla from package repositories, to see if that would work slightly better. The only annoyance with that is the download servers, which are extremely slow, around 200 KB/s, so it takes around 20 minutes to download the software. - Sigh. Yet I guess we all know how hard it is to maintain software which should support countless operating systems, versions and distributions. Annoying small breaking changes everywhere. It's painful. Even just to deal with different Windows versions alone.

  • Lots of stuff dealing with security clearances @ Wikipedia. So much enjoyable bureaucracy.

  • Configured DNS Certification Authority Authorization (CAA) records for all systems. This helps with the certificate security, a bit. But still, a personally confirmed fingerprint is better than trust by any third party. Interestingly Cloudflare doesn't seem to use CAA records for domains which utilize Cloudflare universal SSL. That's strange, I would have expected that. Similar to the problem with some providers when DS records are missing, even if they're in control of the domain. It would be trivial to at least ask the user if they want the records to be auto-configured. Their documentation seems to suggest the CAA records would be auto-configured, but that doesn't seem to be true. So typical, don't trust documentation, it's disinformation. Always verify everything. If only iodef is added then Cloudflare does inject a bunch of other CAA records which are then visible. Most interesting.

  • It seems that Google doesn't really like DS records or DNSSEC. I prefer layered security, every possible system should be used if it doesn't cause excess trouble. Yet clients aren't supposed to check CAA records. This means that this won't affect or stop malicious certificate issuers at all.

  • Some issues with Nginx, because it's clearly broken. You can't prefer CHACHA20 with servers which do not have AES-NI. But it seems that this issue is temporary and will be fixed with newer versions. There are several patches for this issue, which only confirms that the issue is very real. Why would anyone make a patch for a non-issue? All current options only affect TLSv1.2; if I want to prefer TLS1.3 with CHACHA20_POLY1305_SHA256 then I've got a problem. Yes, I've got server cipher suites preferred, of course. It seems that Cloudflare made a fix, where CHACHA20 is only preferred if the client also prefers it. But somebody seemed to forget that there are also servers which do not have AES-NI support. I didn't expect the bug to be so bad: even if I enable only cipher suite TLS13-CHACHA20-POLY1305-SHA256, still AES/GCM gets negotiated. Let's add !EECDH+AESGCM and let's see... Whatever I do, I'm unable to disable AES/GCM and it's preferred over CHACHA20. Annoying bad logic, no proper options, it required me to patch the code and rebuild the binary to fix it. - Done and working.

  • Notes: Just today I noticed that LibreOffice supports OpenPGP encryption, amazing. Great.
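
On the CAA notes above (an iodef-only record set, and clients not checking CAA): the check is made by the issuing CA against the relevant record set, following RFC 8659. This is an added example, not code from the original post; the zone contents, domain names and function names are constructed for illustration.

```python
"""CA-side CAA decision per RFC 8659, run over constructed sample records."""

# Constructed zone data (assumption): owner name -> [(flags, tag, value), ...]
SAMPLE_ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),  # ";" alone authorizes no CA for wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "iodef-only.example": [(0, "iodef", "mailto:security@iodef-only.example")],
    "crit.example": [(128, "futuretag", "x")],  # unknown tag, critical bit set
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(zone, fqdn):
    """Climb from the name towards the root; the first CAA RRset found wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Drop parameters after ';'. An empty result matches no CA."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, fqdn, ca_domain):
    """True if a CA identifying itself as ca_domain may issue for fqdn."""
    rrset = relevant_rrset(zone, fqdn)
    # A critical property the CA does not understand forbids issuance.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild applies only to wildcard requests and then replaces issue.
    applicable = issuewild if (fqdn.startswith("*.") and issuewild) else issue
    if not applicable:
        # No CAA at all, or only iodef: issuance is not restricted.
        return True
    return ca_domain.lower() in {issuer_domain(v) for v in applicable}
```

An RRset carrying only iodef leaves every CA authorized, so the restriction depends entirely on the issue and issuewild properties being present, and on the CA honouring them.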

2020-10-25