Aaron Zauner [Tue, 7 Jan 2014 18:57:38 +0000 (19:57 +0100)]
add IACR cryptoDB BibTeX entries for ALL THE PUBLICATIONS!
Aaron Kaplan [Tue, 7 Jan 2014 18:55:02 +0000 (19:55 +0100)]
forgot to commit a comment in TODO.txt
Aaron Kaplan [Tue, 7 Jan 2014 18:54:46 +0000 (19:54 +0100)]
Merge branch 'krono/draft-enhanchement' of https://github.com/krono/Applied-Crypto-Hardening
Aaron Kaplan [Tue, 7 Jan 2014 18:45:39 +0000 (19:45 +0100)]
Re-enable SRP.
Reasoning:
1) feedback on the mailing lists requested removal of "!SRP".
2) first of all, sysadmins need to configure SRP manually anyway.
This means, disabling SRP in our cipher string will just lock it out anyway but not specifying SRP will not disable it for an already configured SRP system
3) SRP seems to be a good protocol
Relevant mailing list posts:
http://lists.cert.at/pipermail/ach/2013-December/thread.html#616
Aaron Zauner [Tue, 7 Jan 2014 18:35:37 +0000 (19:35 +0100)]
add howmyssl.com
Aaron Kaplan [Tue, 7 Jan 2014 17:21:21 +0000 (18:21 +0100)]
rename
Aaron Kaplan [Tue, 7 Jan 2014 17:05:36 +0000 (18:05 +0100)]
collect more feedback
Aaron Kaplan [Tue, 7 Jan 2014 16:28:42 +0000 (17:28 +0100)]
update feedback list
Aaron Kaplan [Tue, 7 Jan 2014 16:27:38 +0000 (17:27 +0100)]
feedback on 2k RSA keys
Aaron Kaplan [Tue, 7 Jan 2014 15:26:14 +0000 (16:26 +0100)]
properly reference the debian howto on PGP settings
Aaron Kaplan [Tue, 7 Jan 2014 15:00:59 +0000 (16:00 +0100)]
try to find the most important points
Aaron Kaplan [Tue, 7 Jan 2014 14:46:43 +0000 (15:46 +0100)]
list feedback items which must be reviewed
Aaron Kaplan [Tue, 7 Jan 2014 14:40:12 +0000 (15:40 +0100)]
place to collect feedback
Tobias Pape [Tue, 7 Jan 2014 14:28:23 +0000 (15:28 +0100)]
Re-enable draft
Tobias Pape [Tue, 7 Jan 2014 14:21:56 +0000 (15:21 +0100)]
Revert "Revert "Merge pull request #36 from krono/krono/draft-enhanchement""
This reverts commit be7a9f46ca468be59644fc770ed01015f4c2042c.
Aaron Kaplan [Tue, 7 Jan 2014 12:28:24 +0000 (13:28 +0100)]
Merge branch 'master' of https://git.bettercrypto.org/ach-master
merge of a conflict. @Azet: please always - when pulling in change requests from github.com - also sync these against the main repo.
(git push origin master)
Thanks :)
Conflicts:
src/practical_settings/ssh.tex
Aaron Zauner [Mon, 6 Jan 2014 15:32:09 +0000 (07:32 -0800)]
Merge pull request #38 from fxkr/readme--reviewers.tex-was-renamed
readme/faq: reviewers.tex -> acknowledgements.tex
Felix Kaiser [Mon, 6 Jan 2014 14:45:30 +0000 (15:45 +0100)]
readme/faq: reviewers.tex -> acknowledgements.tex
Aaron Zauner [Sun, 5 Jan 2014 22:18:55 +0000 (23:18 +0100)]
no OpenSSH upstream support of DJB curves as of today
Aaron Zauner [Sun, 5 Jan 2014 20:28:45 +0000 (12:28 -0800)]
Merge pull request #32 from ax3l/ssh-moreEtmMacs
SSHd: add ETM MACs for SHA2
Axel Huebl [Sun, 5 Jan 2014 20:16:25 +0000 (21:16 +0100)]
Only advertise OpenSSH 6.4
GCM, UMAC and ETM added in 6.2, but due to a memory corruption vulnerability
in 6.2 and 6.3 by an insecure GCM implementation
http://www.openssh.com/txt/gcmrekey.adv
we only recommend OpenSSH 6.4+
http://www.openssh.com/txt/release-6.4
Axel Huebl [Sun, 5 Jan 2014 20:01:30 +0000 (21:01 +0100)]
ETM for SSH2 was introduced in OpenSSH 6.2
I tested the settings for OpenSSH 6.4.
Release log for OpenSSH 6.2: http://www.openssh.com/txt/release-6.2
Axel Huebl [Sun, 5 Jan 2014 19:42:54 +0000 (20:42 +0100)]
Remove aes-192 for now
Aaron Zauner [Sun, 5 Jan 2014 19:33:14 +0000 (11:33 -0800)]
Merge pull request #37 from Intichar/master
Minor changes in IOS section
Axel Huebl [Sun, 5 Jan 2014 10:53:48 +0000 (11:53 +0100)]
Remove AllowUsers
Too specific. Thanks to @azet for the feedback!
Axel Huebl [Sun, 5 Jan 2014 00:04:25 +0000 (01:04 +0100)]
Add intermediate aes192-ctr
Won't harm and increases available ciphers
Axel Huebl [Sat, 4 Jan 2014 23:58:18 +0000 (00:58 +0100)]
spaces -> tabs
Axel Huebl [Sat, 4 Jan 2014 23:46:55 +0000 (00:46 +0100)]
Optional: Whitelist static users for login
Quite conservative but useful for systems with a very limited number
of allowed system users for SSH.
Axel Huebl [Sat, 4 Jan 2014 23:41:54 +0000 (00:41 +0100)]
Tested with OpenSSH 6.4, too
Eva Seidl [Sat, 4 Jan 2014 22:17:49 +0000 (23:17 +0100)]
more space between text and footnotes
Aaron Kaplan [Sat, 4 Jan 2014 19:08:20 +0000 (20:08 +0100)]
Revert "Merge pull request #36 from krono/krono/draft-enhanchement"
This reverts commit 76b22bb473e0f089fcd78159af74f3226b9be089, reversing changes made to a3b6a5dffd72b739b98b8c9c0ead5793ab747479.
Reason:
oops, wait... I see some problems:
1) the header on the top of each page always says "Contents" (no matter which chapter it is)
2) the draft git version in the footer disappeared
3) I actually don't see a bitmap.
Sorry, reverting for now...
Axel Huebl [Sat, 4 Jan 2014 19:00:12 +0000 (20:00 +0100)]
Should really learn the alphabet...
Axel Huebl [Sat, 4 Jan 2014 18:59:00 +0000 (19:59 +0100)]
Added myself to the reviewers list
AaronK [Sat, 4 Jan 2014 18:57:21 +0000 (10:57 -0800)]
Merge pull request #36 from krono/krono/draft-enhanchement
Change Draft-mark handling
Aaron Zauner [Sat, 4 Jan 2014 16:30:24 +0000 (08:30 -0800)]
Merge pull request #33 from ax3l/apache2-notefix
Confusion: EECDH+Cipher and stated "omit ECDHE"
Intichar [Sat, 4 Jan 2014 10:14:06 +0000 (11:14 +0100)]
Minor changes in IOS section
4096 bit rsa keys, corrected "404" link @ cisco homepage
Tobias Pape [Fri, 3 Jan 2014 19:08:42 +0000 (20:08 +0100)]
Change Draft-mark handling
1. Replace textual mark by whole-page bitmapped image.
This is necessary to avoid accidental selection of the mark
when copy&paste-ing from the document.
2. Add a draft-indicator at bottom and top of the page.
Eventually, we can:
1. Remove the watermark altogether
2. Remove the draft-info from the normal page footer.
Aaron Kaplan [Fri, 3 Jan 2014 15:29:22 +0000 (16:29 +0100)]
remove the draft across the document, since it is a problem with copy & paste
AaronK [Fri, 3 Jan 2014 15:17:23 +0000 (07:17 -0800)]
Merge pull request #35 from Ardobras/master
lighttpd config fix
Ardobras [Fri, 3 Jan 2014 14:02:10 +0000 (15:02 +0100)]
lighttpd config fix
just ran across this small typo. either this or the curly bracket below should be removed to keep it c&p able. keep up the good work!
Aaron Kaplan [Fri, 3 Jan 2014 13:19:37 +0000 (14:19 +0100)]
remember to update the webserver config (and document it ;-)
Axel Huebl [Fri, 3 Jan 2014 01:13:40 +0000 (02:13 +0100)]
Did you mean EECDH here?
EECDH and ECDHE are synonyms
https://www.mail-archive.com/openssl-dev@openssl.org/msg33405.html
but writing "you can omit all ciphers starting with ECDHE" and only
listing ciphers starting with "EECDH" will confuse the reader.
Axel Huebl [Fri, 3 Jan 2014 00:25:28 +0000 (01:25 +0100)]
SSHd: add ETM MACs for SHA2
Should be in since 6.1 (but tested with OpenSSH 6.4).
AaronK [Thu, 2 Jan 2014 21:56:35 +0000 (13:56 -0800)]
Merge pull request #31 from ax3l/external-links
External links
AaronK [Thu, 2 Jan 2014 21:55:01 +0000 (13:55 -0800)]
Merge pull request #30 from ax3l/text-apachehttps
Replace httpS with bold s as in #22 for nginx
Aaron Zauner [Thu, 2 Jan 2014 18:29:46 +0000 (19:29 +0100)]
removed line vty stuff in ASA (thanks mario zabrocki)
Axel Huebl [Thu, 2 Jan 2014 16:12:48 +0000 (17:12 +0100)]
Move setting to hypersetup
Axel Huebl [Thu, 2 Jan 2014 16:06:55 +0000 (17:06 +0100)]
Open External Links in New Window
I am viewing this document with Firefox's internal pdf viewer, which results in
opening all external links in the same tab as the document itself.
See https://en.wikibooks.org/wiki/LaTeX/Hyperlinks#Customization for the option
pdfnewwindow "define if a new window should get opened when a link leads out of
the current document".
I am not sure if one should add this option to
fonts/opensans/doc/fonts/opensans/opensans.tex
too.
Axel Huebl [Thu, 2 Jan 2014 16:00:06 +0000 (17:00 +0100)]
Replace httpS with bold s as in #22 for nginx
- grep'ed last two occurrences of httpS://
- update to same style as in nginx section (pull #22)
AaronK [Thu, 2 Jan 2014 15:41:09 +0000 (07:41 -0800)]
Merge pull request #29 from ax3l/master
Disclaimer: Replace Heise Link (en)
Axel Huebl [Thu, 2 Jan 2014 15:36:08 +0000 (16:36 +0100)]
Disclaimer: Replace Heise Link (en)
Replace the link to the German homepage of heise online with the English one.
AaronK [Thu, 2 Jan 2014 15:34:12 +0000 (07:34 -0800)]
Merge pull request #28 from Bananeweizen/patch-1
Update README.md
AaronK [Thu, 2 Jan 2014 15:33:30 +0000 (07:33 -0800)]
Merge pull request #24 from qbi/patch-1
Corrected small typo
AaronK [Thu, 2 Jan 2014 15:33:14 +0000 (07:33 -0800)]
Merge pull request #25 from qbi/patch-2
TODO: Test with non-Debian-OS
Pepi Zawodsky [Thu, 2 Jan 2014 14:56:49 +0000 (15:56 +0100)]
TODO: add timestamp and git shorthash to title page
Pepi Zawodsky [Thu, 2 Jan 2014 14:50:10 +0000 (15:50 +0100)]
Added requested export formats, TXT, HTML and EPUB
Aaron Kaplan [Thu, 2 Jan 2014 14:05:34 +0000 (15:05 +0100)]
try to remove the "DRAFT" letters across the document
document open TODOs
Bananeweizen [Thu, 2 Jan 2014 13:55:17 +0000 (14:55 +0100)]
Update README.md
Fix word repetition, typography and markdown formatting.
Aaron Kaplan [Thu, 2 Jan 2014 13:35:06 +0000 (14:35 +0100)]
fix openvpn easy-rsa wording. It was an example, not a definitive number. Thx riepl@cert.at!
Aaron Kaplan [Thu, 2 Jan 2014 13:20:07 +0000 (14:20 +0100)]
document how to check how much entropy is avail on linux
AaronK [Thu, 2 Jan 2014 10:41:40 +0000 (02:41 -0800)]
Merge pull request #27 from vzsze/patch-1
Fix typo in "How to test" commandline.
AaronK [Thu, 2 Jan 2014 10:37:10 +0000 (02:37 -0800)]
Merge pull request #26 from Astranox/master
fix command for checking for incoming
Rolf Kutz [Thu, 2 Jan 2014 00:28:56 +0000 (01:28 +0100)]
Fix typo in "How to test" commandline.
David Kaufmann [Wed, 1 Jan 2014 22:13:09 +0000 (23:13 +0100)]
fix command for checking for incoming
tls-connections in postfix
also this only works with smtpd_tls_loglevel = 1,
even on postfix 2.9.6-2 (debian wheezy)
Jens Kubieziel [Wed, 1 Jan 2014 21:59:39 +0000 (22:59 +0100)]
TODO: Test with non-Debian-OS
Right now the configs seem to be only tested with Debian GNU/Linux. However Fedora, SUSE etc. bring different versions of OpenSSL. So they might not work there.
Jens Kubieziel [Wed, 1 Jan 2014 21:57:41 +0000 (22:57 +0100)]
Corrected small typo
Aaron Kaplan [Wed, 1 Jan 2014 17:24:36 +0000 (18:24 +0100)]
Merge github.com:BetterCrypto/Applied-Crypto-Hardening
AaronK [Wed, 1 Jan 2014 17:23:38 +0000 (09:23 -0800)]
Merge pull request #22 from mrothe/patch-1
webserver.tex: use faster redirect for nginx
mrothe [Wed, 1 Jan 2014 14:39:24 +0000 (15:39 +0100)]
webserver.tex: use faster redirect for nginx
Doing a redirect by return is faster than what was previously used.
Also replace in the text the capital S by a bold one in "https://"
Aaron Kaplan [Tue, 31 Dec 2013 20:33:59 +0000 (21:33 +0100)]
rephrase todo
Aaron Kaplan [Tue, 31 Dec 2013 20:32:04 +0000 (21:32 +0100)]
proxy solutions: deleted repeating text
mailservers: formatting
im: it was not clear where the version string starts and ends
Aaron Kaplan [Tue, 31 Dec 2013 20:26:10 +0000 (21:26 +0100)]
Grammar, spelling
Aaron Kaplan [Tue, 31 Dec 2013 20:24:18 +0000 (21:24 +0100)]
typos
Aaron Kaplan [Tue, 31 Dec 2013 20:15:55 +0000 (21:15 +0100)]
style/grammar
Aaron Kaplan [Tue, 31 Dec 2013 16:41:17 +0000 (17:41 +0100)]
Change Debian Wheezy -> Debian 7.0 as recommended by Cyril (see mailing list, 30th of Dec 2013)
AaronK [Tue, 31 Dec 2013 13:40:32 +0000 (05:40 -0800)]
Merge pull request #21 from cy8aer/lighty-corrections
syntax error on Lighty 1.4.33-1+nmu2 (Debian Sallie):
Thomas Renard [Tue, 31 Dec 2013 12:41:39 +0000 (13:41 +0100)]
syntax error on Lighty 1.4.33-1+nmu2 (Debian Sallie):
" instead of " for ssl.cipher-list
Aaron Kaplan [Tue, 31 Dec 2013 10:24:43 +0000 (11:24 +0100)]
note to self about RFC for storing keys in DNS
Aaron Kaplan [Tue, 31 Dec 2013 10:21:58 +0000 (11:21 +0100)]
update TODO. Thx Alexandre for the good ideas.
removed reviewers.tex and an old version
reviewers.tex is now in acknowledgement.tex
Aaron Kaplan [Tue, 31 Dec 2013 10:18:30 +0000 (11:18 +0100)]
oops, reviewers moved to acknowledgement.tex
Aaron Kaplan [Tue, 31 Dec 2013 10:09:14 +0000 (11:09 +0100)]
add reviewers. Somehow Berg's changes in
https://github.com/BetterCrypto/Applied-Crypto-Hardening/commit/ed1e29456746015130886b11b6a20b81440fc460
got overwritten again. RE-do them
AaronK [Tue, 31 Dec 2013 08:45:26 +0000 (00:45 -0800)]
Merge pull request #20 from schwindp/master
small typo in further_research.tex
Peter Schwindt [Tue, 31 Dec 2013 08:36:08 +0000 (09:36 +0100)]
small typo
Aaron Zauner [Mon, 30 Dec 2013 22:40:14 +0000 (23:40 +0100)]
removed additional settings text due to serverkeybits not being used
Aaron Zauner [Mon, 30 Dec 2013 19:12:02 +0000 (20:12 +0100)]
fixed a few errors in sshd_config - thanx kurt roeckx, hugh o'brien
AaronK [Sun, 29 Dec 2013 12:22:47 +0000 (04:22 -0800)]
Merge pull request #19 from schwindp/master
Update im.tex (small typos, more \url{}). Thx Peter!
Peter Schwindt [Sun, 29 Dec 2013 11:59:25 +0000 (12:59 +0100)]
Update im.tex (small typos, more \url{})
use moar \url{}
cm [Sat, 28 Dec 2013 15:57:11 +0000 (16:57 +0100)]
inserted missing half sentence
Aaron Kaplan [Sat, 28 Dec 2013 15:19:47 +0000 (16:19 +0100)]
fix references of things which moved to the appendix
Aaron Kaplan [Sat, 28 Dec 2013 15:15:39 +0000 (16:15 +0100)]
fix references to appendix A (previously section "tools")
AaronK [Sat, 28 Dec 2013 15:10:12 +0000 (07:10 -0800)]
Merge pull request #18 from krono/latex-cleanups
Latex cleanups. Looks good, checked by Aaron and Eva. These changes deal with latex code per se. Not with the content.
Aaron Kaplan [Sat, 28 Dec 2013 15:08:35 +0000 (16:08 +0100)]
Merge github.com:BetterCrypto/Applied-Crypto-Hardening
Tobias Pape [Sat, 28 Dec 2013 00:18:34 +0000 (01:18 +0100)]
make it a subsection*
Tobias Pape [Fri, 27 Dec 2013 23:46:10 +0000 (00:46 +0100)]
Front image is unreferenced, hence no figure.
Tobias Pape [Fri, 27 Dec 2013 23:45:33 +0000 (00:45 +0100)]
Use multicol in further research
Tobias Pape [Fri, 27 Dec 2013 23:44:54 +0000 (00:44 +0100)]
labels and sections
add more labels to sections
make appendix stuff chapters
Tobias Pape [Fri, 27 Dec 2013 23:28:32 +0000 (00:28 +0100)]
replace dot-generated reading guide by tikz one,
can use hyperlinks there
Tobias Pape [Fri, 27 Dec 2013 22:28:50 +0000 (23:28 +0100)]
make the appendix an appendix.
Tobias Pape [Fri, 27 Dec 2013 22:28:33 +0000 (23:28 +0100)]
unify cite commands to ~\cite{foo}.
On the way, use things like ~\cite[page n]{foo}
Tobias Pape [Fri, 27 Dec 2013 21:58:08 +0000 (22:58 +0100)]
add me to ack, simplify ack by using multicol