Journal by Zinnia Zirconium

So yeah. Trolls convinced me to Let's Encrypt. Everybody has to Let's Encrypt or get trolled into oblivion. Trolls just repeat the same dumb talking points from some Mozilla blog. Apparently HTTP was deprecated back in 2015. Apparently HTTP is going away forever in a matter of months. Five years ago. Or something. Who wants to argue with trolls. Right?!

I figured I'd make notes. I'm gonna strap on some SSL to a plain HTTP server. I'm using php -S for HTTP and socat for SSL.

# apt-get install sudo

sudo apt-get update;sudo apt-get install php-cli socat

mkdir -v encrusted-ht.ml

echo '<html><head><title>Encrusted HTML</title></head><body><p>Hello Web</p></body></html>' > encrusted-ht.ml/index.html

( ( sudo -u nobody php -S 127.0.0.1:8080 -t encrusted-ht.ml ) & )

mkdir -v redirect

cat > redirect/redirect.php <<eof
<?php
if (preg_match('/^\/\./', \$_SERVER["REQUEST_URI"])) {
return false;
} else {
header("Location: https://" . \$_SERVER["HTTP_HOST"] . \$_SERVER["REQUEST_URI"], true, 301);
}
?>
eof

( ( sudo -u nobody php -S 0.0.0.0:8888 -t redirect redirect/redirect.php ) & )

sudo iptables -t nat -A PREROUTING -p tcp --syn --dport 80 -j REDIRECT --to-ports 8888

git clone https://github.com/acmesh-official/acme.sh acme.sh.git

mkdir -v .acme.sh;chmod -v 700 .acme.sh;cp -ipv acme.sh.git/acme.sh .acme.sh

.acme.sh/acme.sh --issue -d encrusted-ht.ml -d www.encrusted-ht.ml -w redirect

( ( socat -d -d openssl-listen:4444,cert=.acme.sh/encrusted-ht.ml/encrusted-ht.ml.cer,key=.acme.sh/encrusted-ht.ml/encrusted-ht.ml.key,cafile=.acme.sh/encrusted-ht.ml/ca.cer,verify=0,fork,keepalive,linger=60,nodelay,reuseaddr tcp:127.0.0.1:8080,keepalive,linger=60,nodelay ) & )

sudo iptables -t nat -A PREROUTING -p tcp --syn --dport 443 -j REDIRECT --to-ports 4444
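A post-deployment check for the setup above, added here and not part of the journal. It assumes the host name encrusted-ht.ml from the commands, that curl and openssl are installed, and that `--live` is run from a machine that can reach the host; the sample response blocks are constructed so the classifier can be exercised without the server running.

```shell
#!/bin/sh
# Added check script, not from the journal. Verifies the two behaviours the
# setup above depends on: port 80 must hand /.well-known/... straight to the
# webroot (so acme.sh renewals keep working) and send everything else to
# https with a 301, and port 443 must present a chain that verifies.
# Assumes the host name from the post and that curl and openssl exist.
DOMAIN="encrusted-ht.ml"

# Decide whether a captured HTTP response header block is correct for PATH.
classify_response() {
    path="$1"; headers="$2"
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | tr -d '\r')
    case "$path" in
        /.*)  # dotfile paths, including the ACME challenge, must not redirect
            if [ "$status" = "301" ]; then echo challenge-redirected; else echo challenge-ok; fi ;;
        *)    # everything else: 301 to the same host and path on https
            if [ "$status" = "301" ] && [ "$location" = "https://$DOMAIN$path" ]; then
                echo redirect-ok
            else
                echo redirect-bad
            fi ;;
    esac
}

# Live check of port 80 (-I for headers only, no -L so the redirect is seen).
check_http() { classify_response "$1" "$(curl -sI "http://$DOMAIN$1")"; }

# Live check of port 443: "Verify return code: 0 (ok)" means socat sent a
# chain the client could build up to a trusted root (cafile= in the socat
# line is what makes it include ca.cer); "unable to get local issuer
# certificate" means the leaf went out alone.
check_tls() {
    openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" </dev/null 2>/dev/null |
        grep -E 'Verify return code|^subject='
}

# Constructed sample responses so the classifier can be exercised offline.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://encrusted-ht.ml/index.html
Content-type: text/html; charset=UTF-8'
SAMPLE_CHALLENGE='HTTP/1.1 200 OK
Content-type: application/octet-stream'

if [ "${1:-}" = "--live" ]; then
    check_http /index.html
    check_http /.well-known/acme-challenge/probe
    check_tls
fi
```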

When does something interesting happen???

Well that was pointless. Let's Encrypt issues me a certificate for existing. It's snake oil and I might as well sign my own certificate. But oh no self signing would be self-signed and that's bad. Because reasons. Let's Encrypt has to sign my certificate otherwise I'm not trustworthy enough. But Let's Encrypt is fully automated crap that trusts everyone. It's snake oil.

I'm convinced! Let's Encrypt is simply a social movement for trolls.

  • (Score: 0) by Anonymous Coward on Saturday July 25 2020, @11:27PM (4 children)

    by Anonymous Coward on Saturday July 25 2020, @11:27PM (#1026344)

    Now you get it. It is much harder to change an encrypted response due to the integrity guarantees from the defense in depth.

    Hashing 3rd party scripts isn't intended to prevent mitm attacks and ssl does nothing to protect against resources loaded from compromised 3rd party servers. [zdnet.com]

    By the way, it is theoretically trivial to construct a functional script with the same hash and a threat actor in the middle of your connection probably also has the money to buy the compute time for one.

    We can add a size attribute which limits that but for the purposes of demonstration you can just post your md5:6808001159bb2620d547629952fb40a8 script below to convince me.

  • (Score: 3, Touché) by Bot on Sunday July 26 2020, @12:26AM (2 children)

    by Bot (3902) on Sunday July 26 2020, @12:26AM (#1026369) Journal

    document.write('md5:6808001159bb2620d547629952fb40a8')
    duh

    --
    Account abandoned.
    • (Score: 0) by Anonymous Coward on Sunday July 26 2020, @01:05AM

      by Anonymous Coward on Sunday July 26 2020, @01:05AM (#1026378)

      816f83a334b14f50310b1a9530848ce4 != 6808001159bb2620d547629952fb40a8

    • (Score: 2) by FatPhil on Monday November 16 2020, @10:54AM

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Monday November 16 2020, @10:54AM (#1077777) Homepage
      Your script does not have the right md5sum. Try again.

      However, for your next quazillion attempts, can you keep the failures to yourself until you actually find a match, please, to keep the noise down on SN?

      Upmodder: bad boy! I'm out at the moment, and can't counter it, so will just counter the bogosity with facts instead.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 0) by Anonymous Coward on Sunday July 26 2020, @04:27AM

    by Anonymous Coward on Sunday July 26 2020, @04:27AM (#1026454)

    Way to get that exactly backwards. Almost like you got my point and decided to reverse it in order to easier strawman it.

    And post the original script with that hash, as the attackers don't have to birthday a script out of nowhere.