ach-master.git
Aaron Kaplan [Tue, 7 Jan 2014 19:03:27 +0000 (20:03 +0100)]
LaTeX comment on how to remove the draft watermark

Adi Kriegisch [Tue, 7 Jan 2014 19:00:06 +0000 (20:00 +0100)]
updated/fixed keylength recommendations based on Ecrypt Paper

Aaron Zauner [Tue, 7 Jan 2014 18:57:38 +0000 (19:57 +0100)]
add IACR cryptoDB BibTeX entries for ALL THE PUBLICATIONS!

Aaron Kaplan [Tue, 7 Jan 2014 18:55:02 +0000 (19:55 +0100)]
forgot to commit a comment in TODO.txt

Aaron Kaplan [Tue, 7 Jan 2014 18:54:46 +0000 (19:54 +0100)]
Merge branch 'krono/draft-enhanchement' of https://github.com/krono/Applied-Crypto-Hardening

Aaron Kaplan [Tue, 7 Jan 2014 18:45:39 +0000 (19:45 +0100)]
Re-enable SRP.

Reasoning:

1) feedback on the mailing lists requested removal of "!SRP".
2) first of all, sysadmins need to configure SRP manually anyway.
This means, disabling SRP in our cipher string will just lock it out anyway but not specifying SRP will not disable it for an already configured SRP system
3) SRP seems to be a good protocol

Relevant mailing list posts:
http://lists.cert.at/pipermail/ach/2013-December/thread.html#616

Aaron Zauner [Tue, 7 Jan 2014 18:35:37 +0000 (19:35 +0100)]
add howmyssl.com

Aaron Kaplan [Tue, 7 Jan 2014 17:21:21 +0000 (18:21 +0100)]
rename

Aaron Kaplan [Tue, 7 Jan 2014 17:05:36 +0000 (18:05 +0100)]
collect more feedback

Aaron Kaplan [Tue, 7 Jan 2014 16:28:42 +0000 (17:28 +0100)]
update feedback list

Aaron Kaplan [Tue, 7 Jan 2014 16:27:38 +0000 (17:27 +0100)]
feedback on 2k RSA keys

Aaron Kaplan [Tue, 7 Jan 2014 15:26:14 +0000 (16:26 +0100)]
properly reference the debian howto on PGP settings

Aaron Kaplan [Tue, 7 Jan 2014 15:00:59 +0000 (16:00 +0100)]
try to find the most important points

Aaron Kaplan [Tue, 7 Jan 2014 14:46:43 +0000 (15:46 +0100)]
list feedback items which must be reviewed

Aaron Kaplan [Tue, 7 Jan 2014 14:40:12 +0000 (15:40 +0100)]
place to collect feedback

Tobias Pape [Tue, 7 Jan 2014 14:28:23 +0000 (15:28 +0100)]
Re-enable draft

Tobias Pape [Tue, 7 Jan 2014 14:21:56 +0000 (15:21 +0100)]
Revert "Revert "Merge pull request #36 from krono/krono/draft-enhanchement""

This reverts commit be7a9f46ca468be59644fc770ed01015f4c2042c.

Aaron Kaplan [Tue, 7 Jan 2014 12:28:24 +0000 (13:28 +0100)]
Merge branch 'master' of https://git.bettercrypto.org/ach-master

merge of a conflict. @Azet: please always - when pulling in change requests from github.com - also sync these against the main repo.
(git push origin master)

Thanks :)

Conflicts:
src/practical_settings/ssh.tex

Aaron Zauner [Mon, 6 Jan 2014 15:32:09 +0000 (07:32 -0800)]
Merge pull request #38 from fxkr/readme--reviewers.tex-was-renamed

readme/faq: reviewers.tex -> acknowledgements.tex

Felix Kaiser [Mon, 6 Jan 2014 14:45:30 +0000 (15:45 +0100)]
readme/faq: reviewers.tex -> acknowledgements.tex

Aaron Zauner [Sun, 5 Jan 2014 22:18:55 +0000 (23:18 +0100)]
no OpenSSH upstream support of DJB curves as of today

Aaron Zauner [Sun, 5 Jan 2014 20:28:45 +0000 (12:28 -0800)]
Merge pull request #32 from ax3l/ssh-moreEtmMacs

SSHd: add ETM MACs for SHA2

Axel Huebl [Sun, 5 Jan 2014 20:16:25 +0000 (21:16 +0100)]
Only advertise OpenSSH 6.4

GCM, UMAC and ETM added in 6.2, but due to a memory corruption vulnerability
in 6.2 and 6.3 by an insecure GCM implementation
  http://www.openssh.com/txt/gcmrekey.adv
we only recommend OpenSSH 6.4+
  http://www.openssh.com/txt/release-6.4

Axel Huebl [Sun, 5 Jan 2014 20:01:30 +0000 (21:01 +0100)]
ETM for SSH2 was introduced in OpenSSH 6.2

I tested the settings for OpenSSH 6.4.
Release log for OpenSSH 6.2: http://www.openssh.com/txt/release-6.2

Axel Huebl [Sun, 5 Jan 2014 19:42:54 +0000 (20:42 +0100)]
Remove aes-192 for now

Aaron Zauner [Sun, 5 Jan 2014 19:33:14 +0000 (11:33 -0800)]
Merge pull request #37 from Intichar/master

Minor changes in IOS section

Axel Huebl [Sun, 5 Jan 2014 10:53:48 +0000 (11:53 +0100)]
Remove AllowUsers

Too specific. Thanks to @azet for the feedback!

Axel Huebl [Sun, 5 Jan 2014 00:04:25 +0000 (01:04 +0100)]
Add intermediate aes192-ctr

Won't harm and increases available ciphers

Axel Huebl [Sat, 4 Jan 2014 23:58:18 +0000 (00:58 +0100)]
spaces -> tabs

Axel Huebl [Sat, 4 Jan 2014 23:46:55 +0000 (00:46 +0100)]
Optional: Whitelist static users for login

Quite conservative but useful for systems with a very limited number
of allowed system users for SSH.

Axel Huebl [Sat, 4 Jan 2014 23:41:54 +0000 (00:41 +0100)]
Tested with OpenSSH 6.4, too

Eva Seidl [Sat, 4 Jan 2014 22:17:49 +0000 (23:17 +0100)]
more space between text and footnotes

Aaron Kaplan [Sat, 4 Jan 2014 19:08:20 +0000 (20:08 +0100)]
Revert "Merge pull request #36 from krono/krono/draft-enhanchement"

This reverts commit 76b22bb473e0f089fcd78159af74f3226b9be089, reversing
changes made to a3b6a5dffd72b739b98b8c9c0ead5793ab747479.

Reason:
oops, wait... I see some problems:
1) the header on the top of each page always says "Contents" (no matter which chapter it is)
2) the draft git version in the footer disappeared
3) I actually don't see a bitmap.
Sorry, reverting for now...

Axel Huebl [Sat, 4 Jan 2014 19:00:12 +0000 (20:00 +0100)]
Should really learn the alphabet...

Axel Huebl [Sat, 4 Jan 2014 18:59:00 +0000 (19:59 +0100)]
Added myself to the reviewers list

AaronK [Sat, 4 Jan 2014 18:57:21 +0000 (10:57 -0800)]
Merge pull request #36 from krono/krono/draft-enhanchement

Change Draft-mark handling

Aaron Zauner [Sat, 4 Jan 2014 16:30:24 +0000 (08:30 -0800)]
Merge pull request #33 from ax3l/apache2-notefix

Confusion: EECDH+Cipher and stated "omit ECDHE"

Intichar [Sat, 4 Jan 2014 10:14:06 +0000 (11:14 +0100)]
Minor changes in IOS section

4096 bit rsa keys, corrected "404" link @ cisco homepage

Tobias Pape [Fri, 3 Jan 2014 19:08:42 +0000 (20:08 +0100)]
Change Draft-mark handling

 1. Replace textual mark by whole-page bitmapped image.
    This is necessary to avoid accidental selection of the mark
    when copy&paste-ing from the document.
 2. Add a draft-indicator at bottom and top of the page.

Eventually, we can:
 1. Remove the watermark altogether
 2. Remove the draft-info from the normal page footer.

Aaron Kaplan [Fri, 3 Jan 2014 15:29:22 +0000 (16:29 +0100)]
remove the draft across the document, since it is a problem with copy & paste

AaronK [Fri, 3 Jan 2014 15:17:23 +0000 (07:17 -0800)]
Merge pull request #35 from Ardobras/master

lighttpd config fix

Ardobras [Fri, 3 Jan 2014 14:02:10 +0000 (15:02 +0100)]
lighttpd config fix

just ran across this small typo. either this or the curly bracket below should be removed to keep it c&p able. keep up the good work!

Aaron Kaplan [Fri, 3 Jan 2014 13:19:37 +0000 (14:19 +0100)]
remember to update the webserver config (and document it ;-)

Axel Huebl [Fri, 3 Jan 2014 01:13:40 +0000 (02:13 +0100)]
Did you mean EECDH here?

EECDH and ECDHE are synonyms
  https://www.mail-archive.com/openssl-dev@openssl.org/msg33405.html
but writing "you can omit all ciphers starting with ECDHE" and only
listing ciphers starting with "EECDH" will confuse the reader.

Axel Huebl [Fri, 3 Jan 2014 00:25:28 +0000 (01:25 +0100)]
SSHd: add ETM MACs for SHA2

Should be in since 6.1 (but tested with OpenSSH 6.4).

AaronK [Thu, 2 Jan 2014 21:56:35 +0000 (13:56 -0800)]
Merge pull request #31 from ax3l/external-links

External links

AaronK [Thu, 2 Jan 2014 21:55:01 +0000 (13:55 -0800)]
Merge pull request #30 from ax3l/text-apachehttps

Replace httpS with bold s as in #22 for nginx

Aaron Zauner [Thu, 2 Jan 2014 18:29:46 +0000 (19:29 +0100)]
removed line vty stuff in ASA (thanks mario zabrocki)

Axel Huebl [Thu, 2 Jan 2014 16:12:48 +0000 (17:12 +0100)]
Move setting to hypersetup

Axel Huebl [Thu, 2 Jan 2014 16:06:55 +0000 (17:06 +0100)]
Open External Links in New Window

I am viewing this document with Firefox's internal pdf viewer, which results in
opening all external links in the same tab as the document itself.

See https://en.wikibooks.org/wiki/LaTeX/Hyperlinks#Customization for the option
pdfnewwindow "define if a new window should get opened when a link leads out of
the current document".

I am not sure if one should add this option to
  fonts/opensans/doc/fonts/opensans/opensans.tex
too.

Axel Huebl [Thu, 2 Jan 2014 16:00:06 +0000 (17:00 +0100)]
Replace httpS with bold s as in #22 for nginx

- grep'ed last two occurrences of httpS://
- update to same style as in nginx section (pull #22)

AaronK [Thu, 2 Jan 2014 15:41:09 +0000 (07:41 -0800)]
Merge pull request #29 from ax3l/master

Disclaimer: Replace Heise Link (en)

Axel Huebl [Thu, 2 Jan 2014 15:36:08 +0000 (16:36 +0100)]
Disclaimer: Replace Heise Link (en)

Replace the link to the German homepage of heise online with the English one.

AaronK [Thu, 2 Jan 2014 15:34:12 +0000 (07:34 -0800)]
Merge pull request #28 from Bananeweizen/patch-1

Update README.md

AaronK [Thu, 2 Jan 2014 15:33:30 +0000 (07:33 -0800)]
Merge pull request #24 from qbi/patch-1

Corrected small typo

AaronK [Thu, 2 Jan 2014 15:33:14 +0000 (07:33 -0800)]
Merge pull request #25 from qbi/patch-2

TODO: Test with non-Debian-OS

Pepi Zawodsky [Thu, 2 Jan 2014 14:56:49 +0000 (15:56 +0100)]
TODO: add timestamp and git shorthash to title page

Pepi Zawodsky [Thu, 2 Jan 2014 14:50:10 +0000 (15:50 +0100)]
Added requested export formats, TXT, HTML and EPUB

Aaron Kaplan [Thu, 2 Jan 2014 14:05:34 +0000 (15:05 +0100)]
try to remove the "DRAFT" letters across the document
document open TODOs

Bananeweizen [Thu, 2 Jan 2014 13:55:17 +0000 (14:55 +0100)]
Update README.md

Fix word repetition, typography and markdown formatting.

Aaron Kaplan [Thu, 2 Jan 2014 13:35:06 +0000 (14:35 +0100)]
fix openvpn easy-rsa wording. It was an example, not a definitive number. Thx riepl@cert.at!

Aaron Kaplan [Thu, 2 Jan 2014 13:20:07 +0000 (14:20 +0100)]
document how to check how much entropy is avail on linux

AaronK [Thu, 2 Jan 2014 10:41:40 +0000 (02:41 -0800)]
Merge pull request #27 from vzsze/patch-1

Fix typo in "How to test" commandline.

AaronK [Thu, 2 Jan 2014 10:37:10 +0000 (02:37 -0800)]
Merge pull request #26 from Astranox/master

fix command for checking for incoming

Rolf Kutz [Thu, 2 Jan 2014 00:28:56 +0000 (01:28 +0100)]
Fix typo in "How to test" commandline.

David Kaufmann [Wed, 1 Jan 2014 22:13:09 +0000 (23:13 +0100)]
fix command for checking for incoming
tls-connections in postfix
also this only works with smtpd_tls_loglevel = 1,
even on postfix 2.9.6-2 (debian wheezy)

Jens Kubieziel [Wed, 1 Jan 2014 21:59:39 +0000 (22:59 +0100)]
TODO: Test with non-Debian-OS

Right now the configs seem to be only tested with Debian GNU/Linux. However Fedora, SUSE etc. bring different versions of OpenSSL. So they might not work there.

Jens Kubieziel [Wed, 1 Jan 2014 21:57:41 +0000 (22:57 +0100)]
Corrected small typo

Aaron Kaplan [Wed, 1 Jan 2014 17:24:36 +0000 (18:24 +0100)]
Merge github.com:BetterCrypto/Applied-Crypto-Hardening

AaronK [Wed, 1 Jan 2014 17:23:38 +0000 (09:23 -0800)]
Merge pull request #22 from mrothe/patch-1

webserver.tex: use faster redirect for nginx

mrothe [Wed, 1 Jan 2014 14:39:24 +0000 (15:39 +0100)]
webserver.tex: use faster redirect for nginx

Doing a redirect by return is faster than what was previously used.
Also replace in the text the capital S by a bold one in "https://"

Aaron Kaplan [Tue, 31 Dec 2013 20:33:59 +0000 (21:33 +0100)]
rephrase todo

Aaron Kaplan [Tue, 31 Dec 2013 20:32:04 +0000 (21:32 +0100)]
proxy solutions: deleted repeating text
mailservers: formatting
im: it was not clear where the version string starts and ends

Aaron Kaplan [Tue, 31 Dec 2013 20:26:10 +0000 (21:26 +0100)]
Grammar, spelling

Aaron Kaplan [Tue, 31 Dec 2013 20:24:18 +0000 (21:24 +0100)]
typos

Aaron Kaplan [Tue, 31 Dec 2013 20:15:55 +0000 (21:15 +0100)]
style/grammar

Aaron Kaplan [Tue, 31 Dec 2013 16:41:17 +0000 (17:41 +0100)]
Change Debian Wheezy -> Debian 7.0 as recommended by Cyril (see mailing list, 30th of Dec 2013)

AaronK [Tue, 31 Dec 2013 13:40:32 +0000 (05:40 -0800)]
Merge pull request #21 from cy8aer/lighty-corrections

syntax error on Lighty 1.4.33-1+nmu2 (Debian Sallie):

Thomas Renard [Tue, 31 Dec 2013 12:41:39 +0000 (13:41 +0100)]
syntax error on Lighty 1.4.33-1+nmu2 (Debian Sallie):

" instead of " for ssl.cipher-list

Aaron Kaplan [Tue, 31 Dec 2013 10:24:43 +0000 (11:24 +0100)]
note to self about RFC for storing keys in DNS

Aaron Kaplan [Tue, 31 Dec 2013 10:21:58 +0000 (11:21 +0100)]
update TODO . Thx Alexandre for the good ideas.
removed reviewers.tex and an old version
reviewers.tex is now in acknowledgement.tex

Aaron Kaplan [Tue, 31 Dec 2013 10:18:30 +0000 (11:18 +0100)]
oops, reviewers moved to acknowledgement.tex

Aaron Kaplan [Tue, 31 Dec 2013 10:09:14 +0000 (11:09 +0100)]
add reviewers. Somehow Berg's changes in
https://github.com/BetterCrypto/Applied-Crypto-Hardening/commit/ed1e29456746015130886b11b6a20b81440fc460
git overwritten again. RE-do them

AaronK [Tue, 31 Dec 2013 08:45:26 +0000 (00:45 -0800)]
Merge pull request #20 from schwindp/master

small typo in further_research.tex

Peter Schwindt [Tue, 31 Dec 2013 08:36:08 +0000 (09:36 +0100)]
small typo

Aaron Zauner [Mon, 30 Dec 2013 22:40:14 +0000 (23:40 +0100)]
removed additional settings text due to serverkeybits not being used

Aaron Zauner [Mon, 30 Dec 2013 19:12:02 +0000 (20:12 +0100)]
fixed a few errors in sshd_config - thanx kurt roeckx, hugh o\'brien

AaronK [Sun, 29 Dec 2013 12:22:47 +0000 (04:22 -0800)]
Merge pull request #19 from schwindp/master

Update im.tex (small typos, more \url{}). Thx Peter!

Peter Schwindt [Sun, 29 Dec 2013 11:59:25 +0000 (12:59 +0100)]
Update im.tex (small typos, more \url{})

use moar \url{}

cm [Sat, 28 Dec 2013 15:57:11 +0000 (16:57 +0100)]
inserted missing half sentence

Aaron Kaplan [Sat, 28 Dec 2013 15:19:47 +0000 (16:19 +0100)]
fix references of things which moved to the appendix

Aaron Kaplan [Sat, 28 Dec 2013 15:15:39 +0000 (16:15 +0100)]
fix references to appendix A (previously section "tools")

AaronK [Sat, 28 Dec 2013 15:10:12 +0000 (07:10 -0800)]
Merge pull request #18 from krono/latex-cleanups

Latex cleanups. Looks good, checked by Aaron and Eva. These changes deal with latex code per se. Not with the content.

Aaron Kaplan [Sat, 28 Dec 2013 15:08:35 +0000 (16:08 +0100)]
Merge github.com:BetterCrypto/Applied-Crypto-Hardening

Tobias Pape [Sat, 28 Dec 2013 00:18:34 +0000 (01:18 +0100)]
make it a subsection*

Tobias Pape [Fri, 27 Dec 2013 23:46:10 +0000 (00:46 +0100)]
Front image is unreferenced, hence no figure.

Tobias Pape [Fri, 27 Dec 2013 23:45:33 +0000 (00:45 +0100)]
Use multicol in further research

Tobias Pape [Fri, 27 Dec 2013 23:44:54 +0000 (00:44 +0100)]
labels and sections

add more labels to sections
make appendix stuff chapters

Tobias Pape [Fri, 27 Dec 2013 23:28:32 +0000 (00:28 +0100)]
replace dot-generated reading guide by tikz one,

can use hyperlinks there

Tobias Pape [Fri, 27 Dec 2013 22:28:50 +0000 (23:28 +0100)]
make the appendix an appendix.