@ryanc @cR0w the wording of the ticket broke my brain. they want a trusted ca to give us a cert for their one ipv6 address they intend to reuse at multiple sites.
Notices by kajer (kajer@infosec.exchange)
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 04:24:46 JST kajer
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 03:59:04 JST kajer
@ryanc @cR0w LOL I just re-read the ticket...
ALL servers at ALL sites will use the SAME IPv6 address, so they only need the ONE certificate.
W T A F
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 03:57:56 JST kajer
@ryanc @cR0w i am not going to be enabling this request by giving them a trusted cert for an ipaddress. I doubt our CA will do it, but I'm not going to ask. They don't want any type of DNS, just the internal use IP.
Hi Digicert, can I get a trusted cert for 192.168.1.1 please?
Hi Digicert, can I get a trusted cert for 2001:db8::1 please?
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 03:45:56 JST kajer
@ryanc @cR0w I am tempted attempt a shellshock to get this... But certificate parsing is probably secure enough to prevent this... right? RIGHT?
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 03:38:33 JST kajer
@ryanc @cR0w oh thats right... chrome, owning the majority browser market, gets to do what they want regardless of rules because what are you going to do about it?
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 03:32:53 JST kajer
@ryanc @cR0w lol @ryanc reading dcoumentation smells like a CVE in the pipeline
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 03:31:15 JST kajer
@ryanc @cR0w I found the same thing. I refuse out of principal. I know I work at a startup and a level of jank is involved... But damn.
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 03:24:45 JST kajer
@ryanc @cR0w I have seen blursed certs with entire /24s for IPv4 stuffed in the subj-alt names... I just dont want to do this... for v4 or v6
fucking use DNS for your shit
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 03:21:40 JST kajer
@cR0w @ryanc I'll need a cert that covers FD8C::/8 if these people fuckers I work with have anything to say about it... If I give them 1, they will want all 16 trillion 1,329,227,995,784,915,872,903,807,060,280,344,576.
Maybe there is a way to fuck with how certs are parsed like using [FD8C::/8] as a DNS name?
I don't know. That ticket will probably sit in my queue until the day I quit, and many years thereafter.
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 03:02:14 JST kajer
today's first ticket:
We need this RFC4193 IPv6 address to use a certificate from the company's openssl CA
You want openssl to give us a trusted cert for a non-routed IPv6 address?!
lol, what a week
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 03:02:13 JST kajer
@cR0w do wildcard certs apply to 192.168/16 address too? How about a wildcard for 10/8 ?
sign me up!
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 20-Mar-2025 03:02:12 JST kajer
@cR0w I'm tempted to call on @ryanc to do stupid certificate things just for fun
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Tuesday, 18-Mar-2025 18:04:31 JST kajer
@cR0w I got a free nest mini I still use as a voice announcer box for my home assistant instance. The condition of using it is neutering the microphone MEMS on the board. There were 3 microphones on the board that I cut the traces to.
The placebo switch for disabling the microphone traces directly to the CPU, so call me skeptical that it actually did anything in regards to muting the microphones
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Tuesday, 18-Mar-2025 07:04:56 JST kajer
@tk I wish double DIN was still a standard. The aftermarket headunit market was insane in the late 90s
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Tuesday, 18-Mar-2025 03:08:08 JST kajer
I had a thread about cloudflare having too much power the other week... Seems like it aged well. 🤦♂️
Cloudflare is a MITM provider. Companies paid for this.
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Thursday, 27-Feb-2025 10:38:40 JST kajer
@mozillaofficial right now
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Tuesday, 25-Feb-2025 09:13:50 JST kajer
@elfin @feld @mkljczk EFNET is dead. I have been idle in the neg9 room for years, only ever seeing chanfix do it's thing. :(
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Tuesday, 25-Feb-2025 08:54:22 JST kajer
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Tuesday, 25-Feb-2025 08:51:48 JST kajer
@feld @elfin @mkljczk Point being, just because I choose to use WaterFox, doesn't mean Cloudflare determines how much of the internet I get to see.
-
Embed this notice
kajer (kajer@infosec.exchange)'s status on Tuesday, 25-Feb-2025 08:41:44 JST kajer
@feld @elfin @mkljczk Right, so I'll just replace my wget script's agent with safari/chrome and bypass the whole charade, making the user agent field a farce