shincert's comments

shincert | 8 years ago | on: Ask HN: Secure DNS resolution in a system

> Basically, unless everything is 100% DNSSEC, there's an opportunity for tampering. Fortunately, though, OCSP responses are signed, as we mentioned earlier. If the OCSP response comes with a valid signature, it can be trusted -- whether DNSSEC is in use or not. A response with an invalid signature (for whatever reason) obviously cannot be trusted. Let me ask you that first question again with this in mind: will running your own DNS server increase the security any? Will it increase the amount of trust you have in the validity of the certificates presented to you by clients?

That was very enlightening, thank you for your help.

I can see it won't improve my trust in the OCSP responses or CRLs, but would it not be desirable to encrypt as much traffic (i.e. DNS queries) as I can, in an effort to prevent a potential attacker from employing traffic analysis techniques with the goal of learning something? This hypothetical scenario doesn't seem so far-fetched to me.

Eventually, my encrypted DNS query will be forwarded to a DNS resolver that doesn't employ encryption and it will be in the clear, but how would the attacker know where to look next? If the original DNS query is encrypted, an attacker sniffing the network will not be able to know which DNS resolver the query was forwarded to, right? If so, then he can't follow up on that and I've successfully prevented him from learning what the DNS query was about.

In short, I am not trying to increase my trust in the exchanges, but rather to hide them as much as possible for the sake of obscurity. Is this reasonable?
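One concrete way to encrypt the query on its way to a public recursive resolver, as discussed in the comment above, is DNS-over-TLS (RFC 7858). The following is an added example, not code from the thread or from any resolver project: it builds an ordinary RFC 1035 query, applies the two-byte length framing that DNS-over-TCP and DoT share, and parses the reply. The resolver hostname is a parameter the caller must supply, and the sample reply (example.com A 192.0.2.1) is constructed, not captured traffic.

```python
"""Build, frame and parse DNS messages the way a DNS-over-TLS (RFC 7858)
client does. Standard library only; the network function is optional."""
from __future__ import annotations
import socket
import ssl
import struct


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """One-question query with RD set; qtype 1 = A, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(buf: bytes) -> bytes:
    """Strip one length prefix; refuse truncated input instead of misparsing."""
    if len(buf) < 2:
        raise ValueError("missing length prefix")
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + n:
        raise ValueError("truncated DNS message")
    return buf[2:2 + n]


def parse_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                     # name ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> tuple[int, int, list[tuple[str, int, str]]]:
    """Return (txid, rcode, A answers as (name, ttl, dotted IPv4))."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = parse_name(msg, off)
        off += 4                                  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return txid, flags & 0xF, answers


def query_over_tls(name: str, server: str, port: int = 853, timeout: float = 5.0):
    """Send one A query to a DoT resolver (network I/O, not run offline).
    `server` must be a hostname the resolver's certificate covers; default
    context verification is what makes a spoofed resolver fail the handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_for_tcp(build_query(name)))
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the stream early")
                buf += chunk
            return parse_response(unframe_from_tcp(buf))


def constructed_response(txid: int = 0x1234) -> bytes:
    """Constructed sample reply (not captured traffic): example.com A 192.0.2.1,
    TTL 300, answer name compressed as a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer
```

Offline, `parse_response(unframe_from_tcp(frame_for_tcp(constructed_response())))` returns `(0x1234, 0, [("example.com", 300, "192.0.2.1")])`; with a resolver hostname, `query_over_tls("example.com", server)` performs the real exchange. What TLS protects here is the message content between you and the resolver; the TCP destination of the connection (the resolver's address and port 853) is still visible to anyone on the path.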

shincert | 8 years ago | on: Ask HN: Secure DNS resolution in a system

> Assuming the RRs for the domains you are querying are signed, that's (IMO) probably all you need to do. While OCSP happens over plain-text HTTP, the responses are also signed so that you can verify them.

I will make sure that's the case. What I haven't explained yet is that I am doing this for a university project and I am fishing for extra points. So I was trying to justify running my own DNS server. Is it reasonable?

> I don't think there's much more you can really do (as the DNS queries/responses will travel over the Internet "in the clear" -- and, thus, subject to tampering/modification).

I really should have done more research on this, but I imagined I could encrypt the DNS queries themselves and forward them to a public recursive DNS server. Could I not use DNSCrypt or DNS-over-TLS for this purpose?

> Also, an attacker could block your HTTP requests (for CRL downloads/OCSP queries). How does your application react when it doesn't get a response? "Fail open" or "fail closed"?

Assuming the server has at least downloaded an initial CRL, I could always fall back to that. I haven't played much with this yet, but I think that's the big advantage of a CRL versus an OCSP query, no?

I guess I should "fail closed" to cover all holes but then I'm basically letting the attacker DoS the server. What is best?
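The fail-open versus fail-closed question in the two paragraphs above, modelled as an added example (not code from the thread or from any particular TLS stack): the decision takes a signed OCSP response if one arrived and verifies, otherwise the cached CRL, otherwise the policy. X.509 parsing and signature verification are assumed to have happened upstream and are represented by plain fields; the dataclasses, serial numbers and timestamps are constructed inputs. The check a CRL fallback needs is the CRL's nextUpdate window (RFC 5280): a cached CRL is evidence only until then, so "OCSP blocked, fresh CRL" and "OCSP blocked, stale CRL" come out differently, and the stale case is where the DoS-versus-accept-a-revoked-certificate trade-off actually bites.

```python
"""Model of the revocation decision made when the fresh OCSP answer may have
been blocked or tampered with. No X.509 parsing; signature validity is an
input, since that is the trust anchor the thread settles on."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Policy(Enum):
    FAIL_OPEN = "fail-open"
    FAIL_CLOSED = "fail-closed"


@dataclass(frozen=True)
class OcspResponse:
    cert_status: str          # "good", "revoked" or "unknown" (RFC 6960)
    signature_valid: bool     # outcome of verifying the responder's signature
    this_update: datetime
    next_update: datetime


@dataclass(frozen=True)
class CachedCrl:
    revoked_serials: FrozenSet[int]
    this_update: datetime
    next_update: datetime     # RFC 5280: the CRL is stale after this


def _fresh(this_update: datetime, next_update: datetime, now: datetime) -> bool:
    return this_update <= now <= next_update


def decide(serial: int, ocsp: Optional[OcspResponse], crl: Optional[CachedCrl],
           policy: Policy, now: datetime) -> Tuple[str, str]:
    """Return (verdict, source): verdict is "accept" or "reject"; source is the
    evidence that decided it ("ocsp", "crl") or the policy name if none was
    trustworthy and fresh."""
    # 1. A correctly signed, in-window OCSP response is authoritative no matter
    #    how it arrived. A badly signed one is indistinguishable from attacker
    #    noise, so it is treated as absent rather than as "revoked" or "good".
    if ocsp is not None and ocsp.signature_valid and _fresh(ocsp.this_update, ocsp.next_update, now):
        if ocsp.cert_status == "revoked":
            return "reject", "ocsp"
        if ocsp.cert_status == "good":
            return "accept", "ocsp"
        # "unknown": the responder has no record; fall through to the CRL.
    # 2. Cached CRL, but only inside its validity window. Without this check an
    #    attacker who blocks both OCSP and the CRL refresh keeps a revoked
    #    certificate usable indefinitely.
    if crl is not None and _fresh(crl.this_update, crl.next_update, now):
        return ("reject" if serial in crl.revoked_serials else "accept"), "crl"
    # 3. No trustworthy, fresh evidence at all: the policy decides.
    if policy is Policy.FAIL_CLOSED:
        return "reject", policy.value
    return "accept", policy.value


# Constructed inputs for the scenarios below (fixed clock, made-up serials).
NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=30)                  # attacker kept blocking for a month
CRL = CachedCrl(frozenset({0xBAD}), NOW - timedelta(days=1), NOW + timedelta(days=6))
GOOD_OCSP = OcspResponse("good", True, NOW - timedelta(hours=1), NOW + timedelta(days=1))
REVOKED_OCSP = OcspResponse("revoked", True, NOW - timedelta(hours=1), NOW + timedelta(days=1))
FORGED_OCSP = OcspResponse("good", False, NOW - timedelta(hours=1), NOW + timedelta(days=1))


def scenarios() -> dict:
    """The cases the thread worries about: tampered response, blocked response
    with a fresh CRL, blocked response with a stale CRL under either policy."""
    return {
        "signed good ocsp": decide(0x1, GOOD_OCSP, CRL, Policy.FAIL_CLOSED, NOW),
        "signed revoked ocsp": decide(0x1, REVOKED_OCSP, None, Policy.FAIL_OPEN, NOW),
        "forged ocsp, fresh crl": decide(0xBAD, FORGED_OCSP, CRL, Policy.FAIL_OPEN, NOW),
        "ocsp blocked, fresh crl": decide(0x1, None, CRL, Policy.FAIL_CLOSED, NOW),
        "ocsp blocked, stale crl, fail-closed": decide(0x1, None, CRL, Policy.FAIL_CLOSED, LATER),
        "ocsp blocked, stale crl, fail-open": decide(0xBAD, None, CRL, Policy.FAIL_OPEN, LATER),
    }
```

The last two scenarios are the trade-off in the question: with the CRL past its nextUpdate, fail-closed rejects a perfectly good certificate (the attacker's DoS), while fail-open accepts serial 0xBAD even though the only CRL on hand lists it as revoked. Keeping the CRL refreshed well inside its window is what shrinks the period in which either outcome can occur.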
