Tag Archives: tls

微軟預定在 2017 年的西洋情人節淘汰 SHA-1 certificate

經過多次改動後,微軟這次宣佈 SHA-1 certificate 將在明年淘汰:「SHA-1 deprecation countdown」。 影響的範圍包括 Internet Explorer 11 與 Microsoft Edge,在 2017 年 2 月 14 日之後不信任 SHA-1 certificate: Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a … Continue reading

Posted in Browser, Computer, IE, Murmuring, Network, Security, Software, WWW | Tagged , , , , , , , , , , , , , | Leave a comment

Google 測試 CECPQ1 的一些資料...

七月的時候提到「Google Chrome 引入 CECPQ1,開始測試 Post-Quantum Cryptography」,剛剛看到 Adam Langley 寫了一些數據出來:「CECPQ1 results」。 目前看起來對於網路速度不快的使用者會影響比較大,最慢的 5% 使用者大約慢了 20ms,最慢的 1% 使用者會慢 150ms: Although the median connection latency only increased by a millisecond, the latency for the slowest 5% increased by 20ms and, for the slowest … Continue reading

Posted in Browser, Computer, GoogleChrome, Murmuring, Network, Software, WWW | Tagged , , , , , , , , , , , , , , | Leave a comment

Mozilla 也在考慮對 Certificate Transparency 的掌握度

由於 Firefox 要支援 Certificate Transparency 的緣故,在「Mozilla CT Policy」這邊 Mozilla 在討論要建立自己的 CT policy 以及自己的架構: CT is coming to Firefox. As part of that, Mozilla needs to have a set of CT policies surrounding how that will work. Like our root inclusion … Continue reading

Posted in Browser, Computer, Firefox, Murmuring, Network, Security, Software, WWW | Tagged , , , , , , , , , , , , , | Leave a comment

Google Chrome 將在 2017 的 56 版停止支援 SHA-1 SSL Certificate

在明年一月的 Google Chrome 56 將會停止支援 SHA-1 SSL Certificate:「SHA-1 Certificates in Chrome」,唯一的例外是自己建立的 CA,主要是給企業內部用的: Starting with Chrome 54 we provide the EnableSha1ForLocalAnchors policy that allows certificates which chain to a locally installed trust anchor to be used after support has otherwise been … Continue reading

Posted in Browser, Computer, GoogleChrome, Murmuring, Network, Security, Software, WWW | Tagged , , , , , , , , , | Leave a comment

Google Chrome 也宣佈不信任 WoSign + StartCom 的計畫

Google Chrome 也公開了對 WoSign + StartCom 的計畫:「Distrusting WoSign and StartCom Certificates」。 由於大家遇到的技術問題都一樣 (之前發出的量太大,無法窮舉表列出來),所以處理的方法也類似於 Mozilla 的作法,只信任 2016/10/21 前發出的 certificate: Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. Google Chrome … Continue reading

Posted in Browser, Computer, GoogleChrome, Murmuring, Network, Security, Software, WWW | Tagged , , , , , , , , , , , , | 1 Comment

Let's Encrypt 支援 IDN

Let's Encrypt 宣佈支援 IDN:「Introducing Internationalized Domain Name (IDN) Support」,這代表可以申請的範圍變得更廣了: This means that our users around the world can now get free Let’s Encrypt certificates for domains containing characters outside of the ASCII set, which is built primarily for the English … Continue reading

Posted in Computer, DNS, Murmuring, Network, Security, WWW | Tagged , , , , , , , , , , , , | Leave a comment

QUIC 的進展

在「New Work in Seoul」這邊看到 QUIC 的消息: The QUIC working group has just been chartered, and will meet for the first time in Seoul. This working group is taking Google’s pre-standardization QUIC protocol that has been deployed in production for several … Continue reading

Posted in Computer, Murmuring, Network, Security, WWW | Tagged , , , , , , , , | Leave a comment

Alpine Linux 決定將 OpenSSL 換成 LibreSSL

之前看到 Alpine Linux 是從 Docker 這邊看到的,可以弄出還蠻小巧的 image... 前幾天看到他們宣佈打算將 OpenSSL 換掉,換成 LibreSSL:「[alpine-devel] Alpine edge has switched to libressl」。而且理由也講的頗直接,覺得 OpenSSL 的改善速度還是不滿意,而且市場上有其他還不錯的方案可以選: While OpenSSL is trying to fix the broken code, libressl has simply removed it. 這樣 LibreSSL 又多了生力軍,之前比較大的應該只有 OpenBSD...

Posted in Computer, Murmuring, Network, Security, Software, WWW | Tagged , , , , , , , , , | Leave a comment

Mozilla 對於 WoSign + StartCom 根憑證的新發展:拔除

Okay,在 Mozilla 的人跟 WoSign + StartCom + 360 的人談過後有了新的進展。 幾個小時前 Mozilla 提了新版的草案出來 (對,還是草案):「Remediation Plan for WoSign and StartCom」。但由於 Kathleen Wilson 跟 Gervase Markham 都沒有太多意見,我猜這應該會接近定案了。 這次的處分草案由 Kathleen Wilson 發出來,會包括這些 root certificate,可以看到包括了所有 WoSign 與 StartCom 的 CA: 1) Subject: CN=CA 沃通根证书, OU=null, … Continue reading

Posted in Browser, Computer, Firefox, Murmuring, Network, Security, Software, WWW | Tagged , , , , , , , , , , , , , , , , , , , , | 1 Comment

另外一套用 shell script 寫的 ACME client (或者說 Let's Encrypt client)

acme.sh 是另外一套用 shell script 寫的 ACME client,由西安的 Neilpang 寫的。我也包成 Ubuntu PPA 了:「PPA for acme.sh」。 我建議的用法是先建立 /etc/acme.sh,把各種設定都放到這個目錄裡面,然後用這樣的指令執行: $ sudo acme.sh --issue -d www.example.com -w /srv/www.example.com/webroot/ --home /etc/acme.sh/ 不過 acme.sh 有個問題,沒有將檔案與目錄權限處理好... 我申請完後發現目錄是 drwxr-xr-x,而 key 是 -rwxr-xr-x,這樣會有安全性的問題,需要自己再修改。

Posted in Computer, Murmuring, Network, Security, Software | Tagged , , , , , , , , , , , , , | 1 Comment