
Meta
posted by NCommander on Thursday August 25 2016, @01:00PM
from the you-can-haz-RRSIG dept.

In the ongoing battle of site improvements and shoring up security, I finally managed to scratch a long-standing itch and signed the soylentnews.org domain. As of right now, our chain is fully validated and pushed to all our end-points.

Right now, I'm getting ready to dig in with TheMightyBuzzard to work on improving XSS protection for the site, and starting to lay out new site features (which will be in a future post). As with any meta post, I'll be reading your comments below.

~ NCommander

This discussion has been archived. No new comments can be posted.
  • (Score: 3, Interesting) by pTamok on Thursday August 25 2016, @01:10PM

    by pTamok (3042) on Thursday August 25 2016, @01:10PM (#392965)

    Thank-you for continuing to scratch your itches publicly in useful ways.

    As for the suggestion: maybe it might be a useful addition to allow votes or moderation on articles? You can probably get substantively the same information from page-views, but having explicit upvotes and downvotes on articles gives a quick pointer to topics and/or articles that people care about/generate traffic. I'm not suggesting ranking articles in order of popularity, or making unpopular ones invisible - just give a lazy method of feedback that is easy to collate, rather than writing a comment. Feel free to ignore, shoot down in flames, or point out it has been discussed before and rejected.

    • (Score: 2) by Gaaark on Thursday August 25 2016, @01:30PM

      by Gaaark (41) on Thursday August 25 2016, @01:30PM (#392982) Journal

      Yes, I like the upvote idea. As an occasional submitter (which I'm hoping to get back to soon... so busy) that kind of feedback lets you know if you're submitting stuff people want to read, but maybe not comment much on.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 2, Insightful) by Anonymous Coward on Thursday August 25 2016, @01:14PM

    by Anonymous Coward on Thursday August 25 2016, @01:14PM (#392973)

    Don't slashdot yourself.

    • (Score: 0) by Anonymous Coward on Thursday August 25 2016, @01:40PM

      by Anonymous Coward on Thursday August 25 2016, @01:40PM (#392984)
      • (Score: 2) by NCommander on Thursday August 25 2016, @07:01PM

        by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Thursday August 25 2016, @07:01PM (#393143) Homepage Journal

        DDoS attacks against DNS aren't anything new; it's an inherent problem in UDP. Hell, you could already get a reply like that against some Cloudflare servers just asking for the NS set without DNSSEC.

        ISPs need to prevent obviously bad traffic from their network, or UDP needs an overhaul.

        --
        Still always moving
        • (Score: 0) by Anonymous Coward on Friday August 26 2016, @06:39AM

          by Anonymous Coward on Friday August 26 2016, @06:39AM (#393371)

          ISPs need to prevent obviously bad traffic from their network, or UDP needs an overhaul.

          Which is the proper approach, either from a technical or liability/moral perspective?

          The only reason I can imagine ISPs not wanting to drop bad traffic leaving their network is due to the work involved, either man-hours or equipment processing load.

          Giving UDP an overhaul seems like trying to close the barn door after the horse has left. In hindsight, designing UDP to make DDoS attacks more difficult seems like a good idea, but my mind boggles at how much stuff would break if the protocol itself was heavily changed. By contrast, nothing stops the system making use of UDP from demanding its own SYN/ACK type of handshake before dumping data back at the source IP...

        • (Score: 0) by Anonymous Coward on Friday August 26 2016, @09:49AM

          by Anonymous Coward on Friday August 26 2016, @09:49AM (#393415)

          ISPs need to prevent obviously bad traffic from their network, or UDP needs an overhaul.

          Neither looks likely to happen soon.

          How large are the replies you get for an NS query from Cloudflare servers? I'm getting about 500+ bytes for a 70+ byte NS query, which is an amplification of 7-8x.

          I got 1514 bytes for a 70-byte query from this: dig +bufsize=65535 +notcp +ignore . ANY
          Which is an amplification of 20x.

          In theory DNSSEC replies can be significantly bigger since they can be spread over multiple UDP packets: https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS#Issues [wikipedia.org]
          The fact that EDNS0 was actually approved shows how silly the DNS standards people are.

          To me it seems very unlikely that a small IP range or a single IP would want hundreds or thousands of DNS replies per second from your DNS server/resolver. Thus perhaps a more practical solution would be to keep the reply rates and bandwidth per IP range to a "sane" level. DNS queries are supposed to be cached for minutes so if you appear to be asking too many times either your connection is too crappy or you are a victim of a DoS attack in which case you don't want the replies.

          That way an attacker would probably use a different DNSSEC server for amplification. Or need to find and use 10000 different DNS servers like yours to send 10-100Mbps at a target.

  • (Score: 5, Interesting) by Anonymous Coward on Thursday August 25 2016, @01:20PM

    by Anonymous Coward on Thursday August 25 2016, @01:20PM (#392977)

    It would be most handy if soylent had a way to colorize new posts in a discussion. Something as simple as storing a "last viewed" date in a cookie or dom storage and then applying a "new" style to any post newer than the stored date stamp. Even slicker if it can be done with css trickery so javascript is not required.

    • (Score: 1, Informative) by Anonymous Coward on Thursday August 25 2016, @02:01PM

      by Anonymous Coward on Thursday August 25 2016, @02:01PM (#392997)

      +1 to that. pipedot has been doing it for a while and it's very very helpful.

    • (Score: 2) by The Mighty Buzzard on Thursday August 25 2016, @09:21PM

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday August 25 2016, @09:21PM (#393196) Homepage Journal

      Funny you should mention that...

      --
      My rights don't end where your fear begins.
    • (Score: 2) by ngarrang on Friday August 26 2016, @04:09AM

      by ngarrang (896) on Friday August 26 2016, @04:09AM (#393331) Journal

      What?! No way. Ted Turner ruined old movies. Soylent needs an all gray/monochrome theme, the way God meant movies to be watched... er, posts to be read.

  • (Score: 2) by Runaway1956 on Thursday August 25 2016, @01:56PM

    by Runaway1956 (2926) Subscriber Badge on Thursday August 25 2016, @01:56PM (#392991) Journal

    So, we got the Secretary of the Department of National Security to sign off on Soylent? Cool. Them Russians better not be hacking us!

  • (Score: 2) by VLM on Thursday August 25 2016, @02:24PM

    by VLM (445) Subscriber Badge on Thursday August 25 2016, @02:24PM (#393015)

    So, after a ridiculous collection of village people stopped singing YMCA and finally got down to work, the VIP hobbit picked up the ring, then they walked a hell of a long way, and threw the ring in the volcano, and all's well that ends well. (Sorry if that's a spoiler to some of you?)

    Anyway, just saying stories of epic sysadmin battle are best told in detail. And how did you slay the demon of expiring RRSIGs? I hope it's not something really boring like "redo 'em by hand every 30 days". I mean that works, and success has a glory all its own regardless of technique, but there should be at least some cool battle stories and side quests along the path...

    • (Score: 2) by Azuma Hazuki on Thursday August 25 2016, @04:19PM

      by Azuma Hazuki (5086) on Thursday August 25 2016, @04:19PM (#393083) Journal

      By hand? No, a tiny shell script with a generous sprinkling of rand(); works for that. Sysadmins, remember? We have tools for that sort of thing =P

      --
      I am "that girl" your mother warned you about...
    • (Score: 2) by NCommander on Thursday August 25 2016, @07:06PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Thursday August 25 2016, @07:06PM (#393146) Homepage Journal

      Short version: BIND9 inline signing, and not bothering with key rotation (we're signed using SHA256).

      BIND will automatically regenerate the RRSIG records as needed and bump the serial on the fly to make it happen. Both the KSK and ZSK are SHA256 keys. I could script key replacement on the fly, but given that SHA256 + 2048 bytes is safe enough for the general web without constant rotation, it's something I'm not going to lose sleep over.

      NSEC3 resigning happens automatically by BIND, but I'm not really worried about zone enumeration either; our public facing services are public. Private stuff goes into the li694-22 pseudo-TLD we use (which also needs to be signed, but since it's a fake TLD, I'll have to do DNSSEC DLV to make that fly, which is all sorts of 'fun'. I should probably do it though, 'cause we use Hesiod, and then locally validate DNSSEC chains).

      --
      Still always moving
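The setup NCommander describes above (BIND inline signing, RSASHA256 keys, automatic RRSIG regeneration and NSEC3), combined with the per-source reply rate limit an Anonymous Coward suggested earlier in the thread, as an added named.conf fragment for a BIND 9.10+ authoritative master. This is example configuration written for this page, not SoylentNews' real config; the zone name example.org, the paths, the secondary address 192.0.2.53, the NSEC3 salt and the rate figures are assumed.

```conf
// Added example, not SoylentNews' configuration. Zone, paths and limits are assumed.
//
// Keys are generated once, out of band, into key-directory. Algorithm 8 (RSASHA256)
// instead of the older RSASHA1 default, as the thread recommends:
//   dnssec-keygen -K /var/named/keys -a RSASHA256 -b 2048 -f KSK example.org
//   dnssec-keygen -K /var/named/keys -a RSASHA256 -b 2048 example.org
// Only the KSK's DS record goes to the registrar (NNNNN is the key tag placeholder):
//   dnssec-dsfromkey -2 /var/named/keys/Kexample.org.+008+NNNNN.key
// After the keys exist:  rndc loadkeys example.org
// Switch the zone from NSEC to NSEC3 (SHA-1, no opt-out, 10 iterations, constructed salt):
//   rndc signing -nsec3param 1 0 10 1234abcd example.org
// Check signing state:   rndc signing -list example.org
// Verify from outside:   dig +dnssec example.org SOA @ns1.example.org  (expect an RRSIG)

options {
    directory "/var/named";
    recursion no;               // authoritative only: never act as an open resolver
    allow-transfer { none; };   // AXFR only where a zone block says so

    // Response Rate Limiting: the "sane reply rate per IP range" asked for above.
    // Identical answers to one /24 beyond 10 per second are throttled; every 2nd
    // suppressed reply is sent truncated (TC=1) with no answer section instead,
    // so a genuine client retries over TCP while a spoofed source gets no amplification.
    rate-limit {
        responses-per-second 10;
        nxdomains-per-second 5;
        errors-per-second 5;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
    };
};

zone "example.org" {
    type master;
    file "example.org.db";             // the unsigned zone you keep editing by hand
    key-directory "/var/named/keys";   // K*.key / K*.private written by dnssec-keygen
    inline-signing yes;                // named maintains example.org.db.signed itself
    auto-dnssec maintain;              // re-signs and bumps the serial as RRSIGs near expiry;
                                       // rolls the ZSK on the timing metadata set with
                                       // dnssec-settime, so a successor key must already exist.
                                       // The KSK is never rolled automatically.
    allow-transfer { 192.0.2.53; };    // secondary that mirrors the signed zone via AXFR
};
```

Secondaries receive the already-signed zone over AXFR, so they need neither the keys nor inline-signing; a DNS host without BIND can be fed the same way, as NCommander notes further down for Linode.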
      • (Score: 1) by Mike on Friday August 26 2016, @04:05PM

        by Mike (823) on Friday August 26 2016, @04:05PM (#393539)

        Did you look at dnssec-tools?... https://www.dnssec-tools.org/ [dnssec-tools.org]

        In particular, rollerd handles automated key rollovers. It'll roll zone signing keys without needing input. Key signing key rollovers still need some manual handling as you have to get the dsset to your registrar, then run a short command. IIRC, depending on key/signature lifetime you may still need to script resigning zones periodically, but that's fairly simple (e.g. a cron job of 'rollctrl -signzone zone-name').

        • (Score: 2) by NCommander on Sunday August 28 2016, @08:20PM

          by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Sunday August 28 2016, @08:20PM (#394320) Homepage Journal

          Belated reply; that won't work with inline signing in BIND, and rechecking the config, BIND actually does roll the ZSK automatically (which I thought it did: https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html). [isc.org] We don't bother rolling over the KSK; I'll probably do it once in a while by hand.

          I uploaded both the KSK and ZSK to the registrar when I signed the zone, which in hindsight was a mistake (though not a fatal one, as long as the KSK validates the chain of trust, DNSSEC will accept it. Lingering keys are supported to allow rollover in the light of propagation delays; what you're supposed to do is add the new key, then resign so any clients that have a mix of old and new can still validate a chain of trust).

          --
          Still always moving
  • (Score: 2) by SomeGuy on Thursday August 25 2016, @02:34PM

    by SomeGuy (5632) on Thursday August 25 2016, @02:34PM (#393024)

    Congrats on the improvements. Don't go too nuts with new features though, I really like the way the current site works, and it works well in my oddball browser.

    I can't even begin to count the sites that have turned into useless rubbish because they wanted some newfangled "HTML5" or whatever fancy scripting toy happens to be the fad of the day.

    • (Score: 2) by martyb on Thursday August 25 2016, @04:38PM

      by martyb (76) Subscriber Badge on Thursday August 25 2016, @04:38PM (#393092) Journal

      Don't go too nuts with new features though, I really like the way the current site works, and it works well in my oddball browser.

      As the de facto QA department here at SoylentNews, I'd appreciate knowing what 'oddball browser' you use. Early on, I saw NCommander report he succeeded in loading the site using Mosaic! I don't have that to hand; I primarily use Pale Moon x86 on Win 7 Pro. I've been known to use Lynx (text-mode browser) on both Windows and Ubuntu MATE. I also have a copy of Opera available.

      I cannot promise I'll be able to test your setup, but will certainly add it to the list of things I consider when performing tests and providing feedback to the developers.

      --
      Wit is intellect, dancing.
      • (Score: 2) by SomeGuy on Thursday August 25 2016, @06:15PM

        by SomeGuy (5632) on Thursday August 25 2016, @06:15PM (#393114)

        Don't laugh too hard: Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.8.1.25pre) Gecko/20110912 SeaMonkey/1.1.20pre

        It is the last Mozilla browser that will run under 95/98/ME/NT 4 (and even NT 3.51!) without something like KernelEX (98 only). And it includes a fix that for a while made that... other news site render OK-ish after adding HTML5 "section" tags, but they have gone even further down hill since then.

        Downloadable from here: http://toastytech.com/files/95browsing.html [toastytech.com]

        But about half the sites out there completely thumb their noses at me already now, so I'm not expecting anything.

        (Why use it? Because I can!)

        • (Score: 2) by NCommander on Thursday August 25 2016, @06:54PM

          by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Thursday August 25 2016, @06:54PM (#393135) Homepage Journal

          It probably won't be hard to get the newer Firefoxes/SeaMonkeys to compile for antique NT if there was an actual demand for them. I actually got Firefox to compile for IRIX recently, only to be killed at the last possible moment by the linker being unable to handle >2 GiB of stuff at once, which no amount of fiddling would fix.

          --
          Still always moving
          • (Score: 2) by Justin Case on Saturday August 27 2016, @04:53PM

            by Justin Case (4239) on Saturday August 27 2016, @04:53PM (#393972) Journal

            One of the most useful programs ever written, grep, is only 174K (on my system). I'm deeply suspicious of something over 2GiB. It can probably never be made secure, or fully understood even by its authors. Indeed it is probably chasing a fundamentally wrong design philosophy.

            • (Score: 2) by NCommander on Saturday August 27 2016, @05:59PM

              by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Saturday August 27 2016, @05:59PM (#393991) Homepage Journal

              Neither Firefox nor Chrome can be built with a 32-bit compiler anymore (Firefox has to use a 64->32 bit compiler last I checked). Most of this is because of the sheer amount of bloat that JavaScript and 'modern' web standards have become. Ultimately, what happened is that after Java failed to deliver on the promise of write-once run-anywhere, the browser became a general purpose virtual machine for getting true platform independence. WebKit is several million lines of code; I won't be surprised if the browser exceeds most of the earlier versions of Windows in total LOC count.

              Linux as a desktop platform became more viable not due to apps, but the fact the browser has become more or less the central repository where everything is done now. Even looking at my laptop, the only native apps I have installed are development tools, Steam+games, and browsers. Back in 2002, it would have had a slew of PIM software, CompuServe CIM for communication, Office, a USENET reader, and probably a lot more I am forgetting.

              --
              Still always moving
        • (Score: 2) by martyb on Thursday August 25 2016, @08:46PM

          by martyb (76) Subscriber Badge on Thursday August 25 2016, @08:46PM (#393177) Journal

          Ummm, yeah. That does qualify as an 'oddball browser' in my book. Sadly, I have no system that I could run it on.

          That said, if you do notice an unexpected change in site behavior, please let us know. (Probably the easiest approach would be to give a shout out on IRC [soylentnews.org].) No guarantees, but you never know when a small change could get things working again.

          Many thanks for the feedback!

          --
          Wit is intellect, dancing.
      • (Score: 2) by NCommander on Thursday August 25 2016, @07:14PM

        by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Thursday August 25 2016, @07:14PM (#393149) Homepage Journal

        Incidentally, it won't load in Mosaic anymore. No HTTPS support in most branches, and the few that do have it tend to only support SSLv3. Mosaic-CK MIGHT work. I dunno if he added TLS support into it.

        Course, you could always use a proxy to get around that if need be or load it from tor (which uses http since Tor does its encryption, and SSL certs break with onionholes).

        --
        Still always moving
      • (Score: 0) by Anonymous Coward on Friday August 26 2016, @09:46PM

        by Anonymous Coward on Friday August 26 2016, @09:46PM (#393697)
        I use firefox on android and the entered text in the textarea is too small when posting.
        • (Score: 2) by martyb on Saturday August 27 2016, @01:37AM

          by martyb (76) Subscriber Badge on Saturday August 27 2016, @01:37AM (#393815) Journal

          I use firefox on android and the entered text in the textarea is too small when posting.

          We are aware that rendering of SoylentNews on mobile browsers is quite poor. I can personally vouch for having many issues with Chrome on Android.

          Since other sites can render well on mobile browsers, it would seem like something that we should also be able to do.

          IIRC, @TheMightyBuzzard took a stab at it once, but ran into some difficulties. Such as it being entirely possible for one person to view the site with a 19-inch monitor running at 1024x768 and someone else to view the site with a handheld 4K display. Apparently, one can make no assumptions between screen resolution and physical screen size. Add to that various rendering issues between different browsers, and the rabbit hole just seems to get deeper and deeper. Further, for the most part, we try to run a lean site and have so far succeeded in avoiding the need for any JavaScript to use it.

          So, yes, it's a known problem, but with no clear way out. Unless there's a UI guru out there who would like to lend a hand?

          --
          Wit is intellect, dancing.
          • (Score: 0) by Anonymous Coward on Saturday August 27 2016, @09:49PM

            by Anonymous Coward on Saturday August 27 2016, @09:49PM (#394047)
            • (Score: 2) by martyb on Sunday August 28 2016, @02:00PM

              by martyb (76) Subscriber Badge on Sunday August 28 2016, @02:00PM (#394202) Journal

              Will this help? Good question!

              I've seen this construct before, but never really looked into it. I followed that link, as well as: https://css-tricks.com/probably-use-initial-scale1/ [css-tricks.com] and have passed these on to TheMightyBuzzard. Hopefully he'll be able to make use of it. I might be able to play around with it a bit, but I'm working the next few days, so it may be a while before I can try anything. I've done some CSS stuff, but it is not my forté, so I can make no promises.

              Thanks for passing this along!

              --
              Wit is intellect, dancing.
              • (Score: 2) by martyb on Tuesday August 30 2016, @02:49AM

                by martyb (76) Subscriber Badge on Tuesday August 30 2016, @02:49AM (#395088) Journal

                I know it's poor form to reply to myself, but I made a quick test update to https://dev.soylentnews.org/ [soylentnews.org] and included this line in the headers:

                <meta name="viewport" content="width=device-width, initial-scale=1">

                Then reloaded the dev server's home page as well as a couple story pages... and saw no change at all in how the pages displayed. (This was using Chrome on Android.) Loaded the same pages using Pale Moon on Win 7 Pro x86; saw no changes there, either. (Yes, I did view the page source and confirmed that the code had been added.) TheMightyBuzzard looked at the site on his mobile browser and said that he did not see any change, either. At that point, I backed out the change and returned the site to its previous functionality.

                --
                Wit is intellect, dancing.
  • (Score: 3, Interesting) by ledow on Thursday August 25 2016, @04:40PM

    by ledow (5567) on Thursday August 25 2016, @04:40PM (#393094) Homepage

    Someone please tell The Register. On much less funding you've done ten times more "IT stuff" than they have. No IPv6, no SSL/TLS, no DNSSEC, and their authors still use ancient home webmail services rather than just a damn email forward.

    How do you take a geek/IT site seriously if they can't even do the things they keep telling us all off for not doing?

    P.S. my personal domain has most of the above, except DNSSEC because it's a pain in the butt.

    • (Score: 2) by NCommander on Thursday August 25 2016, @06:53PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Thursday August 25 2016, @06:53PM (#393134) Homepage Journal

      DNSSEC isn't bad if you're using your own BIND master. Just make a signing key and turn on inline signing. Problem solved.

      Just make sure you generate RSASHA256 keys vs. the default of SHA1 ones.

      --
      Still always moving
      • (Score: 2) by ledow on Thursday August 25 2016, @07:39PM

        by ledow (5567) on Thursday August 25 2016, @07:39PM (#393157) Homepage

        But if you're not using your own BIND master, it's an absolute pain in the butt.

        I find it disappointing that most domain hosts don't even offer it as an option at all. It's the sort of thing they should be managing for most people.

        • (Score: 2) by NCommander on Thursday August 25 2016, @09:06PM

          by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Thursday August 25 2016, @09:06PM (#393187) Homepage Journal

          To an extent, I do get why it's not common. Key management in DNSSEC is not trivial, and you don't want your signing keys controlled by a third party if it can be avoided. There's plenty of misinformation around; for example, most guides state that SHA1 is the only supported signing algorithm. It isn't; most of the roots are signed SHA256, for instance.

          On the web UI front, Linode doesn't support it directly, but you can replicate RRSIG to their zone by AXFR. As there is no standardized interface to upload the KSK/ZSK, it becomes something of a PITA. It's also possible to put a DNSSEC frontend in front of your servers which will sign the zone in transit if you can do online key signing. That way, you can just set the front-end as authoritative, and point your NS records at that.

          Cloudflare at the very least did it right and signed all the domains under their control (which was only possible since they're also a registrar, I think).

          --
          Still always moving
    • (Score: 3, Funny) by NCommander on Thursday August 25 2016, @06:59PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Thursday August 25 2016, @06:59PM (#393141) Homepage Journal

      Oh, on the topic of webmail, we actually use Squirrelmail still here since the staff have a preference for it, complete with frames! If The Register want to hire me for freelancer work, well, point them at my email :)

      (and honestly, I get a huge amount of kicks out of replying to people saying "When will soylentnews.org support X", and linking an article from months ago that we have X. (such as every IPv6 post we have here ...))

      --
      Still always moving
  • (Score: 2) by linkdude64 on Friday August 26 2016, @12:43AM

    by linkdude64 (5482) on Friday August 26 2016, @12:43AM (#393262)

    Thank you!

    PS:

    Thank you!