TLS (HTTPS), 0-RTT, SSH, Snopyta, Outlook, SimpleLogin, IPv4

  • Disabling TLS 1.0 and TLS 1.1? So much joy, so many systems just get broken. It's amazing how many systems prefer these outdated protocols. Yet this is of course simply resolvable by updating the clients. Which might not be so simple after all. This leads again to this funny dilemma. Because TLSv1.0 is so "insecure", it's probably better to disable encryption completely and use clear plaintext. In that case we don't have outdated encryption protocol related security issues. - Ugh, the way to go.

  • TLS 1.3 0-RTT session resumption @ Cloudflare Blog - Nothing new, but a great summary about the topic, including QUIC @ Cloudflare Blog, which is about to become HTTP/3 (h3) with some changes. RFC 8470 - Early-Data header, HTTP status code 425 Too Early. More details in Session Resumption Protocols and Efficient Forward Security for TLS 1.3 0-RTT. Excellent document, confirmed my thoughts about 0-RTT not providing Forward Secrecy. kw: STEK, Session Ticket, Session Caches, Resumption Secrets, TLS, QUIC
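  An added example (mine, not from the post, the RFC or Cloudflare) to make the RFC 8470 contract concrete: a toy TLS-terminating proxy marks requests that arrived as 0-RTT early data with `Early-Data: 1`, the origin only executes them when the method is safe to replay and answers 425 Too Early otherwise, and the client retries once after the handshake completes. The function names and the constructed requests are assumptions for the demo.

```python
# Added example, not from the original post. Models the RFC 8470 interplay
# between a TLS-terminating proxy, an origin server and a client: TLS 1.3
# 0-RTT data can be replayed by anyone on the path, so state-changing
# requests must not be executed from early data.

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})  # RFC 7231 safe methods


def proxy_forward(method, path, headers, received_in_0rtt):
    """TLS-terminating proxy: forward the request, adding the RFC 8470
    header only when the bytes arrived before the handshake completed."""
    fwd = dict(headers)
    if received_in_0rtt:
        fwd["Early-Data"] = "1"
    return method, path, fwd


def origin_handle(method, path, headers, processed):
    """Origin: refuse to act on replayable early data for non-safe methods.
    Returns the HTTP status; appends to `processed` only when the request
    is actually executed (so a replay can be seen in the log)."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    early = hdrs.get("early-data") == "1"
    if early and method.upper() not in SAFE_METHODS:
        return 425  # Too Early: touch no state, the client must retry in 1-RTT
    processed.append((method, path))
    return 200


def client_request(method, path, headers, processed, has_ticket=True):
    """Client with a resumption ticket sends in 0-RTT; on 425 it resends the
    same request exactly once as normal (post-handshake) data."""
    status = origin_handle(*proxy_forward(method, path, headers, has_ticket), processed)
    if status == 425 and has_ticket:
        status = origin_handle(*proxy_forward(method, path, headers, False), processed)
    return status


if __name__ == "__main__":
    log = []  # constructed demo traffic
    print(client_request("GET", "/status", {}, log))     # 200, served from 0-RTT
    print(client_request("POST", "/transfer", {}, log))  # 200, after one 425 + retry
    print(log)  # POST appears exactly once: it was never executed from early data
```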

  • Salvaged a few computers being trashed. Intel i5 / 3.7 GHz, 250 GB SSD and 8 GB of RAM. I've got friends who are buying new computers with similar or worse specs than what is being thrown out as trash.

  • Found out that in SSH configuration IPv6 addresses and interfaces are required to be written without brackets; [ip%interface] doesn't work. Oh sure, it doesn't give you any error, but it doesn't match. This is exactly the classic fail scenario: you'll do settings, but do not actually verify that the settings you did really work. Classic. Well, I did verify and found out that the rules are only applied without the brackets, but using brackets does not raise a configuration error.

  • Decided to join Snopyta @ Snopyta.org email beta program. Just to check if everything is good. After testing everything, checking configuration, reading mail headers, checking SPF and DKIM, everything looks good to me. Good job! SMTP / IMAPS used TLS 1.2.

  • Outlook & Microsoft engineering. Once again, they've screwed things up. When using a custom domain, bounces do not work, because they don't route bounces correctly. Over and over again Outlook is fked up. Even 100% amateur run services work and are configured a lot better. Also changing the default sender doesn't seem to work currently. Hail Microsoft - "We were unable to make xyz @ example.com your primary alias. Please try again later." - Also the FIDO2 Passwordless login is still broken. - Come on, it's not that hard. About Outlook and their hopeless administration legendary failures series. It seems that when a non-outlook domain is used as alias, the outbound messages still get a From in the form useraccount_hexcode@outlook.com. Yep, you guessed right, they didn't manage to get that right. Outlook is so broken on so many aspects. Amazing job guys.

  • Reported a few minor usability issues, like a kind-of-hard-to-use login form, on the SimpleLogin service. Again, the login page design was fixed in hours (I think) this time. Anyway, next morning all the issues I mentioned were fixed. Quite a nice contrast compared to the previous bullet point.

  • RIPE NCC @ Ripe.net ran out of IPv4 addresses finally. We've been waiting for it to happen. So it's kind of not news. But it was interesting to read discussions about how bad IPv6 is and how much people want to be using IPv4 in the future.

  • Watched the In the Age of Artificial Intelligence (AI) documentary, which covered the changes we're going to see due to AI development. Also studied AlphaGo Zero, which beat the world's best artificial intelligence Go player, AlphaGo, winning 1000 games. Also, AlphaGo Zero trained only against itself, without using human player input at all.

2020-11-08