Aaron Kaplan [Mon, 20 Jan 2014 23:26:54 +0000 (00:26 +0100)]
Merge branch 'master' of github.com:sebix/Applied-Crypto-Hardening into sebix-master
Aaron Kaplan [Mon, 20 Jan 2014 23:23:52 +0000 (00:23 +0100)]
Revert "Updated make clean to prevent incorrect failures"
This reverts commit 4a5f09431ac311fd13a553e03cf534903467daee.
Aaron Kaplan [Mon, 20 Jan 2014 23:21:10 +0000 (00:21 +0100)]
notes
Aaron Kaplan [Mon, 20 Jan 2014 22:21:23 +0000 (23:21 +0100)]
Merge branch 'master' of https://git.bettercrypto.org/ach-master
Aaron Kaplan [Mon, 20 Jan 2014 22:21:11 +0000 (23:21 +0100)]
notes
Pepi Zawodsky [Mon, 20 Jan 2014 21:03:16 +0000 (22:03 +0100)]
Updated make clean to prevent incorrect failures
Aaron Kaplan [Mon, 20 Jan 2014 20:38:05 +0000 (21:38 +0100)]
notes
Aaron Kaplan [Mon, 20 Jan 2014 20:21:33 +0000 (21:21 +0100)]
keep notes
Aaron Kaplan [Mon, 20 Jan 2014 19:25:29 +0000 (20:25 +0100)]
don't forget things we said during the meeting. put it into TODO.md
Aaron Kaplan [Mon, 20 Jan 2014 18:53:16 +0000 (19:53 +0100)]
add feedback by Tobias Pape
sebix [Mon, 20 Jan 2014 17:44:08 +0000 (18:44 +0100)]
Spell checking (used aspell, and dict.cc and wikipedia for reference)
sebix [Mon, 20 Jan 2014 17:41:57 +0000 (18:41 +0100)]
warning in SSH section about connection problems (has also been requested on the mailing list)
sebix [Sat, 18 Jan 2014 21:22:06 +0000 (22:22 +0100)]
Adjusting listing box margin, was too for using texlive 2013, I had 2012
sebix [Fri, 17 Jan 2014 21:53:37 +0000 (22:53 +0100)]
Revert paragraphDiamond
sebix [Fri, 17 Jan 2014 11:02:48 +0000 (12:02 +0100)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening
and adjust the LaTeX code
Conflicts:
src/practical_settings/mailserver.tex
src/practical_settings/vpn.tex
Aaron Zauner [Fri, 17 Jan 2014 10:09:05 +0000 (02:09 -0800)]
Merge pull request #46 from oglueck/master
add Openswan
Ortwin Glück [Thu, 16 Jan 2014 16:16:09 +0000 (17:16 +0100)]
add Openswan
cm [Thu, 16 Jan 2014 14:09:57 +0000 (15:09 +0100)]
postfix: docs are wrong, loglevel must be >= 1
sebix [Sat, 11 Jan 2014 21:43:03 +0000 (22:43 +0100)]
Add information on ECDH-params for lighttpd
sebix [Sat, 11 Jan 2014 21:41:58 +0000 (22:41 +0100)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening
Aaron Kaplan [Sat, 11 Jan 2014 21:11:44 +0000 (22:11 +0100)]
minor change
Aaron Kaplan [Sat, 11 Jan 2014 21:10:33 +0000 (22:10 +0100)]
rename TODO.txt to TODO.md so that it is easier to read on github
sebix [Sat, 11 Jan 2014 21:03:56 +0000 (22:03 +0100)]
Correct merge Error: nginx: "as long as they are > 1024 bits"
sebix [Sat, 11 Jan 2014 20:24:55 +0000 (21:24 +0100)]
Merge remote-tracking branch 'upstream/master'
Aaron Kaplan [Sat, 11 Jan 2014 19:03:57 +0000 (20:03 +0100)]
Merge branch 'master' of https://git.bettercrypto.org/ach-master
Aaron Kaplan [Sat, 11 Jan 2014 19:03:35 +0000 (20:03 +0100)]
note about feedback: explain compression
sebix [Sat, 11 Jan 2014 18:07:07 +0000 (19:07 +0100)]
last small typographical corrections
paragraphs and empty lines
sebix [Sat, 11 Jan 2014 17:48:27 +0000 (18:48 +0100)]
PKI Self-Signing: add a command to create a cert and self-sign it
sebix [Sat, 11 Jan 2014 17:36:01 +0000 (18:36 +0100)]
use the order Tested > Settings > References everywhere, corrected
some typographic issues with paragraphDiamond and paragraph
sebix [Sat, 11 Jan 2014 17:20:45 +0000 (18:20 +0100)]
Use compact lists of mdwlist, save space
sebix [Sat, 11 Jan 2014 17:09:40 +0000 (18:09 +0100)]
Remove Heading (scrheadings), Aaron's wish
sebix [Sat, 11 Jan 2014 17:00:24 +0000 (18:00 +0100)]
Makefile: "make once" runs pdflatex once; .txt only removed if
existing (make otherwise throws an error)
sebix [Sat, 11 Jan 2014 16:57:13 +0000 (17:57 +0100)]
LaTeX-Code cleanup, syntax uniformed and correct typography, new
command: \paragraphDiamond{heading}
it makes a paragraph and afterwards displays a \diamond, should be
used when you need something below \subsubsection. It is more
space-saving than \paragraph{heading}\mbox{}\\
sebix [Sat, 11 Jan 2014 14:05:35 +0000 (15:05 +0100)]
Use UTF-8 for umlauts, copying them out of the PDF now works,
corrected some HTML umlauts
sebix [Sat, 11 Jan 2014 13:54:28 +0000 (14:54 +0100)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening
Conflicts:
src/acknowledgements.tex
src/applied-crypto-hardening.tex
src/cipherStringB.txt
src/disclaimer.tex
src/perlify.pl
src/practical_settings.tex
src/practical_settings/DBs.tex
src/practical_settings/GPG.tex
src/practical_settings/im.tex
src/practical_settings/mailserver.tex
src/practical_settings/ssh.tex
src/practical_settings/vpn.tex
src/practical_settings/webserver.tex
src/reviewers.tex
Pepi Zawodsky [Fri, 10 Jan 2014 18:39:17 +0000 (19:39 +0100)]
Added very experimental TXT export
Pepi Zawodsky [Fri, 10 Jan 2014 18:38:11 +0000 (19:38 +0100)]
Added a tool to check for mixed SSL on your website
Aaron Kaplan [Thu, 9 Jan 2014 14:51:36 +0000 (15:51 +0100)]
correction for F.Mendel's association: it is A-Sit and IAIK.
Aaron Zauner [Wed, 8 Jan 2014 20:01:12 +0000 (12:01 -0800)]
Merge pull request #44 from mathisdt/master
added tested versions and harmonized references to Debian Versions
Mathis Dirksen-Thedens [Wed, 8 Jan 2014 18:32:14 +0000 (19:32 +0100)]
added tested versions and harmonized references to Debian Versions (Wheezy makes more sense than 7.0 or 7.3)
Aaron Kaplan [Tue, 7 Jan 2014 23:15:18 +0000 (00:15 +0100)]
the last _ fix did not fix it. Add a \url and escape #
Adi Kriegisch [Tue, 7 Jan 2014 22:11:16 +0000 (23:11 +0100)]
fixed underscore in url
Adi Kriegisch [Tue, 7 Jan 2014 22:08:04 +0000 (23:08 +0100)]
added todo to lighttpd (ec curve selection and dh parameters file)
Aaron Kaplan [Tue, 7 Jan 2014 22:05:18 +0000 (23:05 +0100)]
DBs.tex still had a hardcoded cipherstring B text and no @@@CIPHERSTRINGB@@@ macro!
This was wrong. If we decide to use cipherstring B everywhere, then we need to also do it here.
Aaron Kaplan [Tue, 7 Jan 2014 21:57:27 +0000 (22:57 +0100)]
RNGs.tex already had moved to src/theory/ . Remove outdated version in src/
Aaron Kaplan [Tue, 7 Jan 2014 21:36:08 +0000 (22:36 +0100)]
remember topics we said in the meeting
Aaron Zauner [Tue, 7 Jan 2014 20:36:18 +0000 (21:36 +0100)]
fix indentation in openssh section
Aaron Zauner [Tue, 7 Jan 2014 20:18:37 +0000 (21:18 +0100)]
add openssh section for debian wheezy/openssh6.0
Aaron Zauner [Tue, 7 Jan 2014 19:50:56 +0000 (11:50 -0800)]
Merge pull request #43 from ax3l/fix-openSSH64kex
Remove curve25519-sha256@libssh.org for now
Axel Huebl [Tue, 7 Jan 2014 19:41:26 +0000 (20:41 +0100)]
Remove curve25519-sha256@libssh.org for now
It did not make it in the last OpenSSH release,
we will re-add it with the next release, together with
chacha20-poly1305@openssh.com, ssh-ed25519,
ssh-ed25519-cert-v01@openssh.com and others.
Aaron Zauner [Tue, 7 Jan 2014 19:27:40 +0000 (11:27 -0800)]
Merge pull request #39 from fxkr/openssh-permitrootlogin-without-password
openssh: PermitRootLogin: no -> without-password
Aaron Kaplan [Tue, 7 Jan 2014 19:03:27 +0000 (20:03 +0100)]
LaTeX comment on how to remove the draft watermark
Adi Kriegisch [Tue, 7 Jan 2014 19:00:06 +0000 (20:00 +0100)]
updated/fixed keylength recommendations based on Ecrypt Paper
Aaron Zauner [Tue, 7 Jan 2014 18:57:38 +0000 (19:57 +0100)]
add IACR cryptoDB BibTeX entries for ALL THE PUBLICATIONS!
Aaron Kaplan [Tue, 7 Jan 2014 18:55:02 +0000 (19:55 +0100)]
forgot to commit a comment in TODO.txt
Aaron Kaplan [Tue, 7 Jan 2014 18:54:46 +0000 (19:54 +0100)]
Merge branch 'krono/draft-enhanchement' of https://github.com/krono/Applied-Crypto-Hardening
Aaron Kaplan [Tue, 7 Jan 2014 18:45:39 +0000 (19:45 +0100)]
Re-enable SRP.
Reasoning:
1) feedback on the mailing lists requested removal of "!SRP".
2) first of all, sysadmins need to configure SRP manually anyway.
This means that disabling SRP in our cipher string will just lock it out anyway, but not specifying SRP will not disable it for an already configured SRP system.
3) SRP seems to be a good protocol
Relevant mailing list posts:
http://lists.cert.at/pipermail/ach/2013-December/thread.html#616
Aaron Zauner [Tue, 7 Jan 2014 18:35:37 +0000 (19:35 +0100)]
add howmyssl.com
Aaron Kaplan [Tue, 7 Jan 2014 17:21:21 +0000 (18:21 +0100)]
rename
Aaron Kaplan [Tue, 7 Jan 2014 17:05:36 +0000 (18:05 +0100)]
collect more feedback
Aaron Kaplan [Tue, 7 Jan 2014 16:28:42 +0000 (17:28 +0100)]
update feedback list
Aaron Kaplan [Tue, 7 Jan 2014 16:27:38 +0000 (17:27 +0100)]
feedback on 2k RSA keys
Aaron Kaplan [Tue, 7 Jan 2014 15:26:14 +0000 (16:26 +0100)]
properly reference the debian howto on PGP settings
Aaron Kaplan [Tue, 7 Jan 2014 15:00:59 +0000 (16:00 +0100)]
try to find the most important points
Aaron Kaplan [Tue, 7 Jan 2014 14:46:43 +0000 (15:46 +0100)]
list feedback items which must be reviewed
Aaron Kaplan [Tue, 7 Jan 2014 14:40:12 +0000 (15:40 +0100)]
place to collect feedback
Tobias Pape [Tue, 7 Jan 2014 14:28:23 +0000 (15:28 +0100)]
Re-enable draft
Tobias Pape [Tue, 7 Jan 2014 14:21:56 +0000 (15:21 +0100)]
Revert "Revert "Merge pull request #36 from krono/krono/draft-enhanchement""
This reverts commit be7a9f46ca468be59644fc770ed01015f4c2042c.
Aaron Kaplan [Tue, 7 Jan 2014 12:28:24 +0000 (13:28 +0100)]
Merge branch 'master' of https://git.bettercrypto.org/ach-master
merge of a conflict. @Azet: please always - when pulling in change requests from github.com - also sync these against the main repo.
(git push origin master)
Thanks :)
Conflicts:
src/practical_settings/ssh.tex
Felix Kaiser [Mon, 6 Jan 2014 14:50:03 +0000 (15:50 +0100)]
openssh: PermitRootLogin: without-password comment
It's useful, but we still default to the more secure "no".
Aaron Zauner [Mon, 6 Jan 2014 15:32:09 +0000 (07:32 -0800)]
Merge pull request #38 from fxkr/readme--reviewers.tex-was-renamed
readme/faq: reviewers.tex -> acknowledgements.tex
Felix Kaiser [Mon, 6 Jan 2014 14:45:30 +0000 (15:45 +0100)]
readme/faq: reviewers.tex -> acknowledgements.tex
Aaron Zauner [Sun, 5 Jan 2014 22:18:55 +0000 (23:18 +0100)]
no OpenSSH upstream support of DJB curves as of today
Aaron Zauner [Sun, 5 Jan 2014 20:28:45 +0000 (12:28 -0800)]
Merge pull request #32 from ax3l/ssh-moreEtmMacs
SSHd: add ETM MACs for SHA2
Axel Huebl [Sun, 5 Jan 2014 20:16:25 +0000 (21:16 +0100)]
Only advertise OpenSSH 6.4
GCM, UMAC and ETM were added in 6.2, but due to a memory corruption vulnerability
in 6.2 and 6.3 caused by an insecure GCM implementation
http://www.openssh.com/txt/gcmrekey.adv
we only recommend OpenSSH 6.4+
http://www.openssh.com/txt/release-6.4
Axel Huebl [Sun, 5 Jan 2014 20:01:30 +0000 (21:01 +0100)]
ETM for SSH2 was introduced in OpenSSH 6.2
I tested the settings for OpenSSH 6.4.
Release log for OpenSSH 6.2: http://www.openssh.com/txt/release-6.2
Axel Huebl [Sun, 5 Jan 2014 19:42:54 +0000 (20:42 +0100)]
Remove aes-192 for now
Aaron Zauner [Sun, 5 Jan 2014 19:33:14 +0000 (11:33 -0800)]
Merge pull request #37 from Intichar/master
Minor changes in IOS section
Axel Huebl [Sun, 5 Jan 2014 10:53:48 +0000 (11:53 +0100)]
Remove AllowUsers
Too specific. Thanks to @azet for the feedback!
Axel Huebl [Sun, 5 Jan 2014 00:04:25 +0000 (01:04 +0100)]
Add intermediate aes192-ctr
Won't harm and increases available ciphers
Axel Huebl [Sat, 4 Jan 2014 23:58:18 +0000 (00:58 +0100)]
spaces -> tabs
Axel Huebl [Sat, 4 Jan 2014 23:46:55 +0000 (00:46 +0100)]
Optional: Whitelist static users for login
Quite conservative but useful for systems with a very limited number
of allowed system users for SSH.
Axel Huebl [Sat, 4 Jan 2014 23:41:54 +0000 (00:41 +0100)]
Tested with OpenSSH 6.4, too
Eva Seidl [Sat, 4 Jan 2014 22:17:49 +0000 (23:17 +0100)]
more space between text and footnotes
Aaron Kaplan [Sat, 4 Jan 2014 19:08:20 +0000 (20:08 +0100)]
Revert "Merge pull request #36 from krono/krono/draft-enhanchement"
This reverts commit 76b22bb473e0f089fcd78159af74f3226b9be089, reversing
changes made to a3b6a5dffd72b739b98b8c9c0ead5793ab747479.
Reason:
oops, wait... I see some problems:
1) the header on the top of each page always says "Contents" (no matter which chapter it is)
2) the draft git version in the footer disappeared
3) I actually don't see a bitmap.
Sorry, reverting for now...
Axel Huebl [Sat, 4 Jan 2014 19:00:12 +0000 (20:00 +0100)]
Should really learn the alphabet...
Axel Huebl [Sat, 4 Jan 2014 18:59:00 +0000 (19:59 +0100)]
Added myself to the reviewers list
AaronK [Sat, 4 Jan 2014 18:57:21 +0000 (10:57 -0800)]
Merge pull request #36 from krono/krono/draft-enhanchement
Change Draft-mark handling
Aaron Zauner [Sat, 4 Jan 2014 16:30:24 +0000 (08:30 -0800)]
Merge pull request #33 from ax3l/apache2-notefix
Confusion: EECDH+Cipher and stated "omit ECDHE"
Intichar [Sat, 4 Jan 2014 10:14:06 +0000 (11:14 +0100)]
Minor changes in IOS section
4096 bit rsa keys, corrected "404" link @ cisco homepage
Tobias Pape [Fri, 3 Jan 2014 19:08:42 +0000 (20:08 +0100)]
Change Draft-mark handling
1. Replace textual mark by whole-page bitmapped image.
This is necessary to avoid accidental selection of the mark
when copy&paste-ing from the document.
2. Add a draft-indicator at bottom and top of the page.
Eventually, we can:
1. Remove the watermark altogether
2. Remove the draft-info from the normal page footer.
Aaron Kaplan [Fri, 3 Jan 2014 15:29:22 +0000 (16:29 +0100)]
remove the draft across the document, since it is a problem with copy & paste
AaronK [Fri, 3 Jan 2014 15:17:23 +0000 (07:17 -0800)]
Merge pull request #35 from Ardobras/master
lighttpd config fix
Ardobras [Fri, 3 Jan 2014 14:02:10 +0000 (15:02 +0100)]
lighttpd config fix
Just ran across this small typo. Either this or the curly bracket below should be removed to keep it c&p-able. Keep up the good work!
Aaron Kaplan [Fri, 3 Jan 2014 13:19:37 +0000 (14:19 +0100)]
remember to update the webserver config (and document it ;-)
Axel Huebl [Fri, 3 Jan 2014 01:13:40 +0000 (02:13 +0100)]
Did you mean EECDH here?
EECDH and ECDHE are synonyms
https://www.mail-archive.com/openssl-dev@openssl.org/msg33405.html
but writing "you can omit all ciphers starting with ECDHE" and only
listing ciphers starting with "EECDH" will confuse the reader.
Axel Huebl [Fri, 3 Jan 2014 00:25:28 +0000 (01:25 +0100)]
SSHd: add ETM MACs for SHA2
Should be in since 6.1 (but tested with OpenSSH 6.4).
AaronK [Thu, 2 Jan 2014 21:56:35 +0000 (13:56 -0800)]
Merge pull request #31 from ax3l/external-links
External links
AaronK [Thu, 2 Jan 2014 21:55:01 +0000 (13:55 -0800)]
Merge pull request #30 from ax3l/text-apachehttps
Replace httpS with bold s as in #22 for nginx
Aaron Zauner [Thu, 2 Jan 2014 18:29:46 +0000 (19:29 +0100)]
removed line vty stuff in ASA (thanks mario zabrocki)