Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞
Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ

#cryptostorm IRC cert needs an update

Looking for a bit more than customer support, and want to learn more about what cryptostorm is , what we've been announcing lately, and how the cryptostorm network makes the magic? This is a great place to start, so make yourself at home!
User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

#cryptostorm IRC cert needs an update

Postby Pattern_Juggled » Fri Mar 18, 2016 9:28 am

Ohai, it has come to our attention that the current ssl certificate for our IRC chatroom has outlived its expiry date.

Specifically, here's the PEM-encoded version of the current cert:

Code: Select all

-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgIRAMQhOpL810Yv5/Zpo8tWLEkwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTUwMTIwMDAwMDAwWhcNMTYwMTIwMjM1OTU5WjBWMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNVBAsTC1Bvc2l0aXZlU1NMMRsw
GQYDVQQDExJ3d3cuY3J5cHRvc3Rvcm0uaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDEL3wURN59oW8NW8PSYiWZyJbXqodys9rvhkuCRkGRt7/K/laI
INqx5VK+koLp+iqW22SOdvejYYL9tpcjt4DZZ2aGF/x0kmKfw9iu61+VCJx1WYRG
VhAGxCx5kHebkDZUvINIjm0MIP/NeL/76bsG8OUmuZQ0YBdJ8Cvc6b2OVEkGU99z
FWdkTm6xEpTfS9defs7OVBLrP08PUaGErj3KUT7cvpT5wqXo0/v2S9Cux59WpXRb
5jW4VYmnRqJ8nX2+Yv84+QPy6AAjumIZVTfW5vRRpFe3LsKefxyPdeelrWjF565H
p/RZAkbq54AuKkbyaPAi8NYhNEmkrROfVH/1AgMBAAGjggHfMIIB2zAfBgNVHSME
GDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUZHMCJ7O3N16EkAH1
NvWgTRpdo1UwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQECAgcw
KzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYG
Z4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2EuY29t
L0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYUG
CCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9jYS5j
b20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMC0GA1UdEQQmMCSC
End3dy5jcnlwdG9zdG9ybS5pc4IOY3J5cHRvc3Rvcm0uaXMwDQYJKoZIhvcNAQEL
BQADggEBABY+7Su6jV9/1oV+RfrYwRVWyM3Dt0a5O5QMF1GqeJ/XagfDKwpJR4OU
KgDNABKS2j809ztiWfsKL+PAIxRpK4RmCfiAjfSRKWNKBvrM+vbzqKDA+h00lBcp
mZlavX/9IgJmsIruWL/P1KaSl0ebhX3jjYbw8qMKEzRkCHoIZK52Oh9MmzJU7t03
Fg9u9Ci8JgicvODK7jQTwri8IdSCorBNHhmU4xjwqKelwt6lDKV604FBUZdzZp2U
TbCA03+jejfb9dNKlAUgEFYrXH/UMzZCwgrInzXiScaQUxn4JGpJpI7ltfJA821J
qNt64AKoQe53hDyuoHdKCdSXeBtWGtE=
-----END CERTIFICATE-----



That encoding expands, more or less (depending on the parser used, and so on, because x.509 is endlessly entertaining), to this:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c4:21:3a:92:fc:d7:46:2f:e7:f6:69:a3:cb:56:2c:49
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Jan 20 00:00:00 2015 GMT
Not After : Jan 20 23:59:59 2016 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=www.cryptostorm.is
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c4:2f:7c:14:44:de:7d:a1:6f:0d:5b:c3:d2:62:
25:99:c8:96:d7:aa:87:72:b3:da:ef:86:4b:82:46:
41:91:b7:bf:ca:fe:56:88:20:da:b1:e5:52:be:92:
82:e9:fa:2a:96:db:64:8e:76:f7:a3:61:82:fd:b6:
97:23:b7:80:d9:67:66:86:17:fc:74:92:62:9f:c3:
d8:ae:eb:5f:95:08:9c:75:59:84:46:56:10:06:c4:
2c:79:90:77:9b:90:36:54:bc:83:48:8e:6d:0c:20:
ff:cd:78:bf:fb:e9:bb:06:f0:e5:26:b9:94:34:60:
17:49:f0:2b:dc:e9:bd:8e:54:49:06:53:df:73:15:
67:64:4e:6e:b1:12:94:df:4b:d7:5e:7e:ce:ce:54:
12:eb:3f:4f:0f:51:a1:84:ae:3d:ca:51:3e:dc:be:
94:f9:c2:a5:e8:d3:fb:f6:4b:d0:ae:c7:9f:56:a5:
74:5b:e6:35:b8:55:89:a7:46:a2:7c:9d:7d:be:62:
ff:38:f9:03:f2:e8:00:23:ba:62:19:55:37:d6:e6:
f4:51:a4:57:b7:2e:c2:9e:7f:1c:8f:75:e7:a5:ad:
68:c5:e7:ae:47:a7:f4:59:02:46:ea:e7:80:2e:2a:
46:f2:68:f0:22:f0:d6:21:34:49:a4:ad:13:9f:54:
7f:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

X509v3 Subject Key Identifier:
64:73:02:27:B3:B7:37:5E:84:90:01:F5:36:F5:A0:4D:1A:5D:A3:55
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.1

X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com

X509v3 Subject Alternative Name:
DNS:www.cryptostorm.is, DNS:cryptostorm.is
Signature Algorithm: sha256WithRSAEncryption
16:3e:ed:2b:ba:8d:5f:7f:d6:85:7e:45:fa:d8:c1:15:56:c8:
cd:c3:b7:46:b9:3b:94:0c:17:51:aa:78:9f:d7:6a:07:c3:2b:
0a:49:47:83:94:2a:00:cd:00:12:92:da:3f:34:f7:3b:62:59:
fb:0a:2f:e3:c0:23:14:69:2b:84:66:09:f8:80:8d:f4:91:29:
63:4a:06:fa:cc:fa:f6:f3:a8:a0:c0:fa:1d:34:94:17:29:99:
99:5a:bd:7f:fd:22:02:66:b0:8a:ee:58:bf:cf:d4:a6:92:97:
47:9b:85:7d:e3:8d:86:f0:f2:a3:0a:13:34:64:08:7a:08:64:
ae:76:3a:1f:4c:9b:32:54:ee:dd:37:16:0f:6e:f4:28:bc:26:
08:9c:bc:e0:ca:ee:34:13:c2:b8:bc:21:d4:82:a2:b0:4d:1e:
19:94:e3:18:f0:a8:a7:a5:c2:de:a5:0c:a5:7a:d3:81:41:51:
97:73:66:9d:94:4d:b0:80:d3:7f:a3:7a:37:db:f5:d3:4a:94:
05:20:10:56:2b:5c:7f:d4:33:36:42:c2:0a:c8:9f:35:e2:49:
c6:90:53:19:f8:24:6a:49:a4:8e:e5:b5:f2:40:f3:6d:49:a8:
db:7a:e0:02:a8:41:ee:77:84:3c:ae:a0:77:4a:09:d4:97:78:
1b:56:1a:d1


The juicy bits (in current context) are:

Validity
Not Before: Jan 20 00:00:00 2015 GMT
Not After : Jan 20 23:59:59 2016 GMT


Whoops. So, we'll get a new cert spun up. Likely it'll be conventional... though I'd love to make a keychain'd one since it's something folks will want to do manual verification of (more of than when certs are used in, say, web browsing sessions for example). Perhaps we'll do the conventional one asap, then loop back and get a fully keychained replacement ready as time allows.

Apologies for the oversight - certs are derpy enough, we don't need to add to that with stale derpy certs!

Cheers.

ps: yah, it'd be fun to make one of df's patented pem-tastic magic certs (like the katstorm.party one... but perhaps not the top priority for the team, in business terms. :lolno:
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f


Khariz
Posts: 160
Joined: Sun Jan 17, 2016 7:48 am

Re: #cryptostorm IRC cert needs an update

Postby Khariz » Fri Mar 18, 2016 8:46 pm

FYI:

AirVPN kindly pointed out that the cert at: https://resellers.cryptostorm.org is expired/broken as well.

User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Re: wildcards, x.509, and the death of cool (or whatever)

Postby Pattern_Juggled » Sat Mar 19, 2016 2:24 pm

Khariz wrote:AirVPN kindly pointed out that the cert at: https://resellers.cryptostorm.org is expired/broken as well.


Without calling into question the profound - one might even go so far as to say, moving - kindness to be found in such an unstintingly selfless gesture, it does kind of leave one - even a kind one, such as I - with a nagging sense that possibly... just possibly, mind you, such a statement kind of hints at a lack of understanding of how certs actually work.

Kinda. :-P

You see, the cryptostorm.org cert throws those Scary Browser Warnings for subdomains of the underlying domain - cryptostorm.org, such as resellers.cryptostorm.org. Is that because subdomains are inherently a source of profound cryptographic instability and thus should be flagged nine ways 'till Sunday in hopes that any prospective visitors will with utmost alacrity run away, run away fast!

Err, actually no.

The only reason that specific subdomain - indeed, any of the subdomains some idiot has (against all sound advice) littered throughout this forum (that idiot is I) - throws that warning is because we're too cheap to buy the much-more-expensive "wildcard" cert from whatever CA is peddling cheap crypto credentials in the nearest virtual street-corner of late. Wildcard certs cover {whateverdubdomainyouwanttouse}.yourdomain.{coolTLD}, so resellers.cryptostorm.org would show up as perfectly safe with a wildcard cert.

With our bare-assed, cheapo cert we can only use cryptostorm.org (and any subdirectories we want, which have nothing to do with DNS or cert stuff whatsoever; see below for relevance). And usually one can sneak in some protocol-ish prefixes in a non-wildcard cert, such as www.cryptostorm.org, by listing them in the "Subject Alternative Name" section of the certificate (which is part of the wild, wild west that is the "extensions" part of the x.509 protocol, and not to put too fine a point on it, but ahoy... here be vulns!)... but not always, depending on the phase of the moon and whether the CA in question is really busy issuing rogue root certificates to national intelligence agencies and pretending they were "stolen" by lone-cub teenage skiddies - in which case you might be able to sneak in the full & lustily uncensored text of Janes Joyce's Finnegan's Wake (good stuff, btw), as a SAN entry, with not a moment's protest from the super-busy CA in question.

But you can't just stick subdomains in the SAN field, because that would lower CA rent-seeking oligopolistic profits. And also something something security - which is total nonsense, but obligatory to make it look like this isn't all just some ginned-up confidence game making a bunch of rich white guys noticeably richer without doing a damned thing to actually improve anyone's security. Well, it might improve their security since they can afford to buy whole armies of private mercenaries to fend off the starving masses of cryptographically desperate 99.9%ers. So there!

Err, I think things got away from me just a wee bit; apologies, sore subject - obviously.

(Incidentally, clever folks have engineered certificate party tricks like embedding entire mp4 video files in the extensions fields of "legitimate" certificates. Also: embedding whole certificates in the extensions field... all but requiring the standard "turtles all the way down" recursive reference. Insert memepic here. :-P ...basically as long as you can beg, borrow, or steal an OID from someone then you can blob into your cert's extensions fields whatever digital tomfoolery you can with a straight face claim is contained within the set of stuff defined by your OID... which oh by the way can be recursive, as well. Ouch.)

Right, anyway the point was supposed to be that wildcard certs cost, more or less, ten times as much as boring-assed standard certs (which nowadays you can get for free if you want; if memory serves, we paid about three-fiddy for the cert used here on this forum - not joking; that's the price. Certs are lol).

So, order of magnitude, a wildcard cert would cost about a hundred bucks. And, yes, for years we've (ok, pretty much just me cock-blocking this one, tbh) refused to pony up that hundred bucks and make the bogus Scary Browser Warnings go away forever (or at least until the bloody cert expires, and one must pay all over again) - choosing instead to burn lots of hours replying to understandably-nervous folks who visit the forum here and think (understandably) "wtf, these folks say they're all 'crypto 1337' and their ssl cert is fantastically broken; very n00b indeed." Not so! In the event, not proved to be so merely by the scary warnings associated with sobdomains of this particular discussion forum. Technically.

But it's not just because we are (read: I am) annoyingly stubborn and lack the grace to admit when I was stupid and that we just should have spend the damned hundred bucks and been done with it. Well ok, mostly it's that. Alot of it, anyway.

But wait... there's more! You see - and indeed, you do see if you've waded through this post all the way to this almost-ending part without giving up - the existence of these totally cryptographically bogus warnings provides me with the cherished opportunity to natter on about certificates, and x.509, and SAN fields, and OIDs, and such gibberish. Which, when you dig into it all, is both really important to actual security as people experience it on the actual internet... and is also totally fascinating and strange and a source of never-ending surprise and disgust and pure helpless rage. Not so often things like confidence and insight and deeper understanding... because all that was intentionally excised from the original x.509 RFPs back in the stone ages - and any new outbreaks of such healthy disorders in this particular dark corner of applied cryptography are ruthlessly and joylessly crushed to nonexistence. And fast.

Also: nowadays we just use subdirectory mappings - cryptostorm.org/resellers - instead of subdomains - resellers.cryptostorm.org (which, sure enough, if you click it, will throw a browser warning) - I think df even has some sort of script that hangs out somewhere and tries to make sure that the former are auto-mapped to the latter, in case some idiot (me) forgot to do so manually. Which happens. Too bad I didn't listen to him years ago, right?

Almost finally, we're pretty sure there's a clever way to use the convoluted syntax of the land of .htaccess to do on-the-fly redirects of subdomain URIs directly onto logically aligned subdirectories (or even specific, individual posts as specified by full URLs)... without giving browsers the time to realise what's going on and spurt out that ransomware-style "pay someone more munnies for no real benefit and you'll be so much safer - lol" message that makes this whole thing so demeaning and soul-deadening. Maybe someone smart in such fuckery will read this and grace us with her tl;dr solution to the problem - in which case, bless you, kind lady! - but speaking personally I read through some full-bore htaccess fuckery guides back whenever this whole thing started becoming A Thing of Concern... and those are days I will never, ever get back. And that is not a process I'm willing to repeat. Nope. Done with that, thanks. You can have your scary subdomain browser warnings - I'm not going back to that unhappy place, not without serious physical coercion being threatened. And even then, prolly not tbh. :shifty:

So it's all because I'm a dork... bot, right? Looks that way.

No! It's not my fault - it's all sad now because x.509 sucks dinosaur balls (do such things even exist - or did they exist back when there were living, extant, dinosaur-y critters from which they could enticingly hang?) and also Certification Authorities are a disgusting, money-grubbing, security-destroying racket. Because Comodo. That is all: because Comodo.

Sigh.

Also it's fun to talk about this stuff... but, as likely every reader punished by wading through this post has already long since realised - don't get me started! Really, you don't want to; I can go on, and on... and bloody on when it comes to cert sadness. Just ask my colleague Graze. Or anyone who has ever met me, basically. Yah, it's that bad. :mrgreen:

Funny aside: someday, someone is going to be so psychologically damaged by hearing me say this same thing for the 1 x 10(xxx) time, that she'll probably decide to fork out the hundred bucks for the wildcard cert and thereby finally make it stahp!

Which: fair enough. Except I might not install it, because stubborn.

j/k

(maybe)

Cheers.
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Re: Keychain All The Certz

Postby Pattern_Juggled » Sat Mar 19, 2016 3:23 pm

Also: I still want to KeyChain-cert this.

Badly.

It Shall Be Done. (but prolly not today, alas)

Cheers!
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f


Khariz
Posts: 160
Joined: Sun Jan 17, 2016 7:48 am

Re: #cryptostorm IRC cert needs an update

Postby Khariz » Sat Mar 19, 2016 9:00 pm

Haha, I missed you, PJ. That post was hilarious to read. I now Know twice as much as I used to know about certs and realize that I know nothing about them at all.

User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Re: #cryptostorm IRC cert needs an update

Postby Pattern_Juggled » Sun Mar 20, 2016 7:57 am

Khariz wrote:I now know twice as much as I used to know about certs and realize that I know nothing about them at all.


I've been messing with x.509 certs as something more than merely sideline - as more of an admittedly unhealthy obsession - for a few years now... and your statement ("I now know twice as much as I used to know about certs and realize that I know nothing about them at all") actually works just as well for me as it does for you.

Much wisdom contained therein, there is :-P

Cheers.
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f


Return to “cryptostorm in-depth: announcements, how it works, what it is”

Who is online

Users browsing this forum: Yahoo [Bot] and 15 guests

Login