ach-master.git
3 years ago Fix typos in mailserver.tex
Igor Vuk [Thu, 24 Mar 2016 18:56:57 +0000 (19:56 +0100)]
Fix typos in mailserver.tex

3 years ago Merge pull request #123 from ivuk/fix-typos
Aaron Zauner [Thu, 24 Mar 2016 14:26:48 +0000 (15:26 +0100)]
Merge pull request #123 from ivuk/fix-typos

Minor typo fixes

3 years ago Remove a trailing space in mailserver.tex
Igor Vuk [Wed, 23 Mar 2016 19:19:18 +0000 (20:19 +0100)]
Remove a trailing space in mailserver.tex

3 years ago Fix a typo in mailserver.tex
Igor Vuk [Wed, 23 Mar 2016 19:18:14 +0000 (20:18 +0100)]
Fix a typo in mailserver.tex

3 years ago Fix a typo in webserver.tex
Igor Vuk [Wed, 23 Mar 2016 19:11:04 +0000 (20:11 +0100)]
Fix a typo in webserver.tex

3 years ago Remove trailing spaces in howtoread.tex
Igor Vuk [Wed, 23 Mar 2016 19:04:29 +0000 (20:04 +0100)]
Remove trailing spaces in howtoread.tex

3 years ago Fix a typo in howtoread.tex
Igor Vuk [Wed, 23 Mar 2016 18:58:57 +0000 (19:58 +0100)]
Fix a typo in howtoread.tex

3 years ago Merge pull request #122 from ivuk/fix-typo-faq
Sebastian [Wed, 23 Mar 2016 20:33:35 +0000 (21:33 +0100)]
Merge pull request #122 from ivuk/fix-typo-faq

Minor fixes for FAQ.md

3 years ago Add https:// prefix to bettercrypto.org URL
Igor Vuk [Wed, 23 Mar 2016 18:52:36 +0000 (19:52 +0100)]
Add https:// prefix to bettercrypto.org URL

3 years ago Fix a typo in FAQ.md
Igor Vuk [Wed, 23 Mar 2016 18:50:55 +0000 (19:50 +0100)]
Fix a typo in FAQ.md

3 years ago add pdf slides
Aaron Zauner [Thu, 17 Mar 2016 13:16:35 +0000 (14:16 +0100)]
add pdf slides

3 years ago add TROOPERS16 presentation
Aaron Zauner [Thu, 17 Mar 2016 13:15:44 +0000 (14:15 +0100)]
add TROOPERS16 presentation

3 years ago Merge pull request #121 from tarleb/postfix-config-update
Sebastian [Wed, 9 Mar 2016 10:32:18 +0000 (11:32 +0100)]
Merge pull request #121 from tarleb/postfix-config-update

Always log Postfix TLS connections, fix for different postfix versions

According to docs http://www.postfix.org/postconf.5.html#smtpd_tls_loglevel
loglevel 1 gives a summary for all versions above 2.2
tested on wheezy with 2.9

3 years ago Always log TLS connection info in Postfix
Albert Krewinkel [Wed, 9 Mar 2016 08:24:44 +0000 (09:24 +0100)]
Always log TLS connection info in Postfix

TLS connection details are useful information and should always be
logged.

3 years ago Remove duplicate parameters from Postfix/main.cf
Albert Krewinkel [Tue, 8 Mar 2016 22:27:18 +0000 (23:27 +0100)]
Remove duplicate parameters from Postfix/main.cf

Two `readme_directory` parameters are one too many.  Same for
`myorigin`.

fixup! Remove duplicate parameter from Postfix/main.cf

3 years ago Merge pull request #90 from malexmave/ejabberd-update
Aaron Zauner [Thu, 3 Mar 2016 23:23:53 +0000 (00:23 +0100)]
Merge pull request #90 from malexmave/ejabberd-update

Updated for newer versions of ejabberd

3 years ago Merge pull request #120 from BetterCrypto/DROWN-fixes
AaronK [Wed, 2 Mar 2016 22:57:06 +0000 (23:57 +0100)]
Merge pull request #120 from BetterCrypto/DROWN-fixes

Drown fixes

3 years ago remove Draft text. We are not draft anymore. This document has been around quite... DROWN-fixes
aaronkaplan [Wed, 2 Mar 2016 08:56:28 +0000 (09:56 +0100)]
remove Draft text. We are not draft anymore. This document has been around quite long now and been tested against multiple attacks over time.

3 years ago fix Exim against DROWN
aaronkaplan [Wed, 2 Mar 2016 08:55:01 +0000 (09:55 +0100)]
fix Exim against DROWN

3 years ago update postfix settings due to DROWN attack
aaronkaplan [Wed, 2 Mar 2016 08:45:40 +0000 (09:45 +0100)]
update postfix settings due to DROWN attack

3 years ago Merge pull request #119 from tarleb/ecrypt-url-fix
Sebastian [Sun, 28 Feb 2016 20:01:21 +0000 (21:01 +0100)]
Merge pull request #119 from tarleb/ecrypt-url-fix

Fix URL of ECRYPT II report

3 years ago Fix URL of ECRYPT II report
Albert Krewinkel [Sun, 28 Feb 2016 18:13:35 +0000 (19:13 +0100)]
Fix URL of ECRYPT II report

It seems that the URL of the ECRYPT II report is no longer valid.
Add missing URL part to get a valid URL again.

3 years ago Merge pull request #118 from 2001db8/ESA_update_201601
Aaron Zauner [Wed, 27 Jan 2016 11:00:24 +0000 (12:00 +0100)]
Merge pull request #118 from 2001db8/ESA_update_201601

Ironport/ESA changes to meet current GD versions and tested versions

3 years ago Changes to meet current GD versions
Jens Roesen [Tue, 19 Jan 2016 14:50:37 +0000 (15:50 +0100)]
Changes to meet current GD versions

Complemented list of tested versions and changed limitations to meet the
changes in the GD releases.

3 years ago Clear up wording for older configs
Max Maass [Sun, 17 Jan 2016 14:21:49 +0000 (15:21 +0100)]
Clear up wording for older configs

3 years ago Add information about DH param compatibility
Max Maass [Wed, 13 Jan 2016 10:35:55 +0000 (11:35 +0100)]
Add information about DH param compatibility

3 years ago Implement change requests by @sebix
Max Maass [Sun, 27 Dec 2015 18:54:21 +0000 (19:54 +0100)]
Implement change requests by @sebix

3 years ago Add custom DH parameters
Max Maass [Sun, 27 Dec 2015 16:08:26 +0000 (17:08 +0100)]
Add custom DH parameters

3 years ago Merge pull request #117 from gunnarhaslinger/master
Sebastian [Tue, 8 Dec 2015 16:10:39 +0000 (17:10 +0100)]
Merge pull request #117 from gunnarhaslinger/master

Correct CipherstringB in Webservers+Mailservers

4 years ago Update: Practical recommendations - MailServers: CipherStrings matching old CipherStr...
Gunnar Haslinger [Sat, 7 Nov 2015 15:20:45 +0000 (16:20 +0100)]
Update: Practical recommendations - MailServers: CipherStrings matching old CipherString-B updated to match current CipherString-B

4 years ago Update: Practical recommendations - Webservers: CipherStrings match old CipherString...
Gunnar Haslinger [Sat, 7 Nov 2015 15:10:42 +0000 (16:10 +0100)]
Update: Practical recommendations - Webservers: CipherStrings match old CipherString-B updated to match current CipherString-B

4 years ago Merge pull request #116 from jschlyter/haproxy_direct
Aaron Zauner [Sat, 7 Nov 2015 11:40:08 +0000 (12:40 +0100)]
Merge pull request #116 from jschlyter/haproxy_direct

add example for redirect from HTTP to HTTPS

4 years ago Merge pull request #115 from gunnarhaslinger/master
Aaron Zauner [Sat, 7 Nov 2015 11:34:09 +0000 (12:34 +0100)]
Merge pull request #115 from gunnarhaslinger/master

Dovecot: added options of newer Versions

4 years ago add redirect from HTTP to HTTPS
Jakob Schlyter [Fri, 6 Nov 2015 08:01:47 +0000 (09:01 +0100)]
add redirect from HTTP to HTTPS

4 years ago Dovecot: added ssl_dh_parameters_length, ssl_prefer_server_ciphers and Test using...
Gunnar Haslinger [Mon, 26 Oct 2015 18:33:53 +0000 (19:33 +0100)]
Dovecot: added ssl_dh_parameters_length, ssl_prefer_server_ciphers and Test using SSLyze

4 years ago Merge pull request #114 from dahlberg-fkie/master
Aaron Zauner [Thu, 22 Oct 2015 17:04:09 +0000 (19:04 +0200)]
Merge pull request #114 from dahlberg-fkie/master

Add unsorted/LibreSSL ciphers

4 years ago Add unsorted/LibreSSL ciphers
David Dahlberg [Wed, 21 Oct 2015 08:41:23 +0000 (10:41 +0200)]
Add unsorted/LibreSSL ciphers

4 years ago Merge pull request #113 from gunnarhaslinger/master
Aaron Zauner [Fri, 16 Oct 2015 23:09:59 +0000 (01:09 +0200)]
Merge pull request #113 from gunnarhaslinger/master

HTTP Public Key Pinning (HPKP), added new theory section and updated Apache-Config.

4 years ago Corrected a copy+paste mistake
Gunnar Haslinger [Fri, 16 Oct 2015 21:55:32 +0000 (23:55 +0200)]
Corrected a copy+paste mistake

4 years ago HTTP Public Key Pinning (HPKP), added new theory section and updated Apache-Config.
Gunnar Haslinger [Fri, 16 Oct 2015 21:35:25 +0000 (23:35 +0200)]
HTTP Public Key Pinning (HPKP), added new theory section and updated Apache-Config.

4 years ago added list of supported cipher suites of some CentOS/Debian versions
Gunnar Haslinger [Fri, 16 Oct 2015 18:23:17 +0000 (20:23 +0200)]
added list of supported cipher suites of some CentOS/Debian versions

4 years ago Merge pull request #112 from dahlberg-fkie/master
Aaron Zauner [Wed, 19 Aug 2015 23:07:43 +0000 (01:07 +0200)]
Merge pull request #112 from dahlberg-fkie/master

New introduction into mail server settings

4 years ago incorporated sebix comments on 6334a5b
David Dahlberg [Mon, 3 Aug 2015 07:10:19 +0000 (09:10 +0200)]
incorporated sebix comments on 6334a5b

4 years ago New introduction into mail server settings
David Dahlberg [Wed, 29 Jul 2015 11:01:26 +0000 (13:01 +0200)]
New introduction into mail server settings

4 years ago Merge pull request #111 from 2001db8/ironport-update
Aaron Zauner [Thu, 18 Jun 2015 09:18:46 +0000 (11:18 +0200)]
Merge pull request #111 from 2001db8/ironport-update

Link to AsyncOS 9.5 Release Notes

4 years ago Link to AsyncOS 9.5 Release Notes
Jens [Thu, 18 Jun 2015 07:52:08 +0000 (09:52 +0200)]
Link to AsyncOS 9.5 Release Notes

Exchanged the link to a Cisco Tweet about the possibility of TLS 1.2
support in AsyncOS 9.5 with a link to the actual AsyncOS 9.5 Release
Notes.

4 years ago Merge pull request #106 from 2001db8/ironport_subsection
Aaron Zauner [Sun, 24 May 2015 20:24:58 +0000 (22:24 +0200)]
Merge pull request #106 from 2001db8/ironport_subsection

Cisco ESA/IronPort subsection

4 years ago Merge pull request #109 from rotanid/master
Aaron Zauner [Sun, 24 May 2015 15:13:09 +0000 (17:13 +0200)]
Merge pull request #109 from rotanid/master

correct OpenSSH version number

4 years ago correct OpenSSH version number
Andreas Ziegler [Fri, 22 May 2015 21:19:38 +0000 (23:19 +0200)]
correct OpenSSH version number

4 years ago Minor changes and screenshots
Jens Roesen [Fri, 22 May 2015 08:57:17 +0000 (10:57 +0200)]
Minor changes and screenshots

- minor changes in the descriptions
- added screenshots for all steps
- added FloatBarrier (see PR #107)

4 years ago Merge pull request #107 from arwarw/floatbarriers
Aaron Zauner [Thu, 14 May 2015 17:08:32 +0000 (19:08 +0200)]
Merge pull request #107 from arwarw/floatbarriers

Constrain figure positions by FloatBarrier

4 years ago Merge pull request #108 from arwarw/kerberos-mit-db-enctype-upgrade
Aaron Zauner [Thu, 14 May 2015 17:08:14 +0000 (19:08 +0200)]
Merge pull request #108 from arwarw/kerberos-mit-db-enctype-upgrade

Kerberos: How to switch an existing database to a new enctype

4 years ago Kerberos: How to switch an existing database to a new enctype
Alexander Wuerstlein [Wed, 13 May 2015 14:28:42 +0000 (16:28 +0200)]
Kerberos: How to switch an existing database to a new enctype

4 years ago add \FloatBarrier to constrain screenshot figures to their respective sections
Alexander Wuerstlein [Wed, 13 May 2015 14:48:13 +0000 (16:48 +0200)]
add \FloatBarrier to constrain screenshot figures to their respective sections

4 years ago spell fix - s/stampling/stapling/
Aaron Zauner [Sat, 9 May 2015 19:14:49 +0000 (21:14 +0200)]
spell fix - s/stampling/stapling/

4 years ago Merge pull request #105 from schue30/master
Aaron Zauner [Sat, 9 May 2015 19:10:32 +0000 (21:10 +0200)]
Merge pull request #105 from schue30/master

Add HAProxy configuration

4 years ago Minor edits... again
Jens Roesen [Sat, 9 May 2015 17:15:44 +0000 (19:15 +0200)]
Minor edits... again

4 years ago Add OCSP stapling, HPKP and NPN.
Mathias Schüpany [Sat, 9 May 2015 16:14:51 +0000 (18:14 +0200)]
Add OCSP stapling, HPKP and NPN.

4 years ago Minor changes
Jens Roesen [Sat, 9 May 2015 15:24:06 +0000 (17:24 +0200)]
Minor changes

4 years ago Minor edits
Jens Roesen [Sat, 9 May 2015 15:08:22 +0000 (17:08 +0200)]
Minor edits

4 years ago Added name to acknowledgements
Jens Roesen [Sat, 9 May 2015 14:45:06 +0000 (16:45 +0200)]
Added name to acknowledgements

4 years ago Added IronPort Subsection
Jens Roesen [Sat, 9 May 2015 14:42:45 +0000 (16:42 +0200)]
Added IronPort Subsection

4 years ago Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening
Aaron Kaplan [Fri, 8 May 2015 18:07:48 +0000 (20:07 +0200)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening

4 years ago minor corrections
Aaron Kaplan [Fri, 8 May 2015 18:06:50 +0000 (20:06 +0200)]
minor corrections

4 years ago add HAProxy configuration
Mathias Schuepany [Fri, 8 May 2015 17:05:06 +0000 (19:05 +0200)]
add HAProxy configuration

4 years ago fix latex build (escape underscores in \emph)
Adi Kriegisch [Sun, 3 May 2015 11:07:05 +0000 (13:07 +0200)]
fix latex build (escape underscores in \emph)

4 years ago Merge pull request #100 from FireFart/changes
Aaron Zauner [Thu, 9 Apr 2015 07:41:12 +0000 (09:41 +0200)]
Merge pull request #100 from FireFart/changes

remove $host variable, add some tested versions

4 years ago Merge pull request #101 from sebix/tested-on-trusty
Aaron Zauner [Tue, 7 Apr 2015 09:47:45 +0000 (11:47 +0200)]
Merge pull request #101 from sebix/tested-on-trusty

tested exim, postfix, dovecot and lighttpd with ubuntu 14.04

4 years ago Merge pull request #103 from sebix/uncovered-sw
Aaron Zauner [Tue, 7 Apr 2015 09:47:04 +0000 (11:47 +0200)]
Merge pull request #103 from sebix/uncovered-sw

Uncovered software and more for further research

4 years ago tested with ubuntu 14.04
Sebastian Wagner [Sun, 5 Apr 2015 19:28:54 +0000 (21:28 +0200)]
tested with ubuntu 14.04

4 years ago Merge pull request #104 from sebix/explain-postfix
Aaron Zauner [Tue, 7 Apr 2015 09:38:11 +0000 (11:38 +0200)]
Merge pull request #104 from sebix/explain-postfix

Explain postfix settings for s2s & s2c connections

4 years ago Merge pull request #102 from sebix/ignoretmp
Aaron Zauner [Tue, 7 Apr 2015 09:33:09 +0000 (11:33 +0200)]
Merge pull request #102 from sebix/ignoretmp

gitignore: ignore temporary files *~

4 years ago Explain postfix settings for s2s & s2c connections
Sebastian Wagner [Mon, 6 Apr 2015 15:35:25 +0000 (17:35 +0200)]
Explain postfix settings for s2s & s2c connections

As discussed in BetterCrypto/Applied-Crypto-Hardening#97

4 years ago Uncovered software and more for further research
Sebastian Wagner [Sun, 5 Apr 2015 20:15:12 +0000 (22:15 +0200)]
Uncovered software and more for further research

Added some applications to the list of uncovered software, mainly inspired by messages on the mailinglist
Removed some applications from the same list which are definitely not in the scope of this paper
And added a new section of uncovered software, with a short note on the reason

4 years ago gitignore: ignore temporary files *~
Sebastian Wagner [Sun, 5 Apr 2015 20:00:56 +0000 (22:00 +0200)]
gitignore: ignore temporary files *~

4 years ago fix undefined reference J_BLACKHAT
Christian Mehlmauer [Sun, 5 Apr 2015 08:09:21 +0000 (10:09 +0200)]
fix undefined reference J_BLACKHAT

4 years ago change nginx config to $server_name
Christian Mehlmauer [Sat, 4 Apr 2015 20:37:35 +0000 (22:37 +0200)]
change nginx config to $server_name

4 years ago Don't use the $host variable in NGINX, it's user supplied data (HOST header)
Christian Mehlmauer [Mon, 30 Mar 2015 15:12:23 +0000 (17:12 +0200)]
Don't use the $host variable in NGINX, it's user supplied data (HOST header)

4 years ago add OpenSSH tested version
Christian Mehlmauer [Mon, 30 Mar 2015 15:06:19 +0000 (17:06 +0200)]
add OpenSSH tested version

4 years ago If there is a red line under it, check the speling.
Pepi Zawodsky [Mon, 30 Mar 2015 00:48:26 +0000 (02:48 +0200)]
If there is a red line under it, check the speling.

4 years ago add picture back, but small
Aaron Kaplan [Sun, 29 Mar 2015 20:48:10 +0000 (22:48 +0200)]
add picture back, but small

4 years ago Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening
Aaron Kaplan [Sun, 29 Mar 2015 20:45:12 +0000 (22:45 +0200)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening

4 years ago Revert "fix image"
Aaron Kaplan [Sun, 29 Mar 2015 20:44:56 +0000 (22:44 +0200)]
Revert "fix image"
Take Pepi's version

This reverts commit 05faee9d935736df4ebb9b03000eea99a1847861.

4 years ago fix image
Aaron Kaplan [Sun, 29 Mar 2015 20:44:41 +0000 (22:44 +0200)]
fix image

4 years ago Removed Klaus Landefeld picture. Corrected Logo Link for cover slide.
Pepi Zawodsky [Sun, 29 Mar 2015 20:41:35 +0000 (22:41 +0200)]
Removed Klaus Landefeld picture. Corrected Logo Link for cover slide.

4 years ago oops
Aaron Kaplan [Sun, 29 Mar 2015 20:37:01 +0000 (22:37 +0200)]
oops

4 years ago Merge branch 'master' of github:BetterCrypto/Applied-Crypto-Hardening
Pepi Zawodsky [Sun, 29 Mar 2015 20:35:56 +0000 (22:35 +0200)]
Merge branch 'master' of github:BetterCrypto/Applied-Crypto-Hardening

4 years ago Added Klaus Landefeld quote about End-to-End crypto.
Pepi Zawodsky [Sun, 29 Mar 2015 20:35:50 +0000 (22:35 +0200)]
Added Klaus Landefeld quote about End-to-End crypto.

4 years ago add brainstorming slide
Aaron Kaplan [Sun, 29 Mar 2015 20:35:06 +0000 (22:35 +0200)]
add brainstorming slide

4 years ago clarify DANE
Aaron Kaplan [Sun, 29 Mar 2015 20:21:49 +0000 (22:21 +0200)]
clarify DANE

4 years ago Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening
Aaron Kaplan [Sun, 29 Mar 2015 20:18:44 +0000 (22:18 +0200)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening

4 years ago remove some slides at the end
Aaron Kaplan [Sun, 29 Mar 2015 20:18:22 +0000 (22:18 +0200)]
remove some slides at the end

4 years ago Recommend OCSP stapling
Pepi Zawodsky [Sun, 29 Mar 2015 20:17:00 +0000 (22:17 +0200)]
Recommend OCSP stapling

4 years ago Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening
Aaron Kaplan [Sun, 29 Mar 2015 20:14:00 +0000 (22:14 +0200)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening

4 years ago add sslyze & screenshots
Aaron Kaplan [Sun, 29 Mar 2015 20:13:48 +0000 (22:13 +0200)]
add sslyze & screenshots

4 years ago Added VM recommendation for RNGs and caveat for cipher strings.
Pepi Zawodsky [Sun, 29 Mar 2015 20:11:46 +0000 (22:11 +0200)]
Added VM recommendation for RNGs and caveat for cipher strings.

4 years ago less defensive status statement.
Pepi Zawodsky [Sun, 29 Mar 2015 20:02:31 +0000 (22:02 +0200)]
less defensive status statement.

4 years ago Changed filename of SSLLabs screenshot so LaTeX will not be confused by extension...
Pepi Zawodsky [Sun, 29 Mar 2015 19:57:00 +0000 (21:57 +0200)]
Changed filename of SSLLabs screenshot so LaTeX will not be confused by extension parsing.

4 years ago Merge branch 'master' of github:BetterCrypto/Applied-Crypto-Hardening
Pepi Zawodsky [Sun, 29 Mar 2015 19:47:55 +0000 (21:47 +0200)]
Merge branch 'master' of github:BetterCrypto/Applied-Crypto-Hardening

4 years ago Updated Screenshot for SSLLabs. Disable RC4.
Pepi Zawodsky [Sun, 29 Mar 2015 19:47:48 +0000 (21:47 +0200)]
Updated Screenshot for SSLLabs. Disable RC4.