https support in forum

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

https support in forum

Postby Construx » Fri Jul 05, 2013 6:04 pm

Many of the links I have seen at search engines leading to this website indicate https. For example, https://forums.grsecurity.net/viewtopic.php?t=1775. However, clicking these links fails to work because the website does not appear to support only http, not https, at least that is how it appears to my browser. Is that a known issue, or is my browser functioning strangely?
Construx
 
Posts: 25
Joined: Tue Jul 02, 2013 7:27 pm

Re: https support in forum

Postby GBit » Fri Jul 05, 2013 9:07 pm

Something's wrong with your browser/ system. Works fine here with HTTPS.
GBit
 
Posts: 81
Joined: Mon Jun 04, 2012 3:31 pm

Re: https support in forum

Postby Construx » Fri Jul 05, 2013 11:42 pm

Thanks for your reply. I will have to take a look at this issue as time allows. It seems quite odd in that I do not seem to be having this problem occur elsewhere, at least not that I have noticed. Very odd. :o
Construx
 
Posts: 25
Joined: Tue Jul 02, 2013 7:27 pm

Re: https support in forum

Postby Construx » Sat Jul 06, 2013 12:30 pm

For now I have found that this problem does not happen when I use Firefox to access the forum, but it does happen when I use Internet Explorer 10 on its default settings for the high security levels to which I have it set normally. So, it seems to me that there must be something incompatible between IE's default settings at this level and the website itself. I would have to fiddle with it more to determine more precisely which of them. This is surely an odd incident because I do not see it happening elsewhere, and normally I do check for such things whenever I would encounter a problem like this.
Construx
 
Posts: 25
Joined: Tue Jul 02, 2013 7:27 pm

Re: https support in forum

Postby spender » Mon Jul 08, 2013 7:46 am

Since supporting SSL for the website two years ago or so, I've forced the use of an SSL ciphersuite that supports PFS. Unfortunately, Internet Explorer does not support that ciphersuite (see: http://news.netcraft.com/archives/2013/ ... orrow.html).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: https support in forum

Postby timbgo » Mon Jul 08, 2013 7:55 am

Yeah, you're still half-M$ user, I see. Pls. allow my goodhearted banter.
Anyways, you're opening lots of new topics, and it's not always stuff unrelated to previous topic you opened...
I'd like better you keep to some of them in same topic, not splitting them, but it's not an issue to me, I don't mind.
Like I said in the post which I kinda took over from you, glad you manage to patch and install grsec in Debian!
Lots of man pages, lots of steep learning experience ahead for you, but it'll be worth every minute, if you persevere!
Wish you a good GNU/Llinuxing life, bro!
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: https support in forum

Postby KDE » Mon Jul 08, 2013 7:59 am

It seems server doesn't support latest encryption protocols (TLS 1.1 and TLS 1.2) and doesn't mitigate BEAST attack
https://www.ssllabs.com/ssltest/analyze ... Results=on
KDE
 
Posts: 57
Joined: Sat Feb 09, 2008 5:29 am

Re: https support in forum

Postby Construx » Mon Jul 08, 2013 9:43 am

Thank you for clarifying the cause of this problem so that I do not spend more time looking under rocks for something that just "ain't there."

I have no complaint about the use of a secure method because I can use either browser easily enough. At the same time, I live and work in a diverse environment, and I personally prefer to make use of IE whenever possible. So, I was wondering, having read the information from the link you gave, whether there is a way for me to affect the preference of choice of cipher suites in IE 10, as this implies may be possible: "The use of PFS is dependent on the negotiation between the browser and the web site successfully agreeing on a PFS cipher suite." Since there appears to be some, albeit small, support for PFS available to it, "... only a tiny fraction of Internet Explorer's SSL connections operated with PFS", specifically, "IE does support DHE-DSS-AES256-SHA, which uses the rarer DSS authentication method," the IE browsers ability to connect with a particular site using this kind of SSL would appear to depend on the manner of preferences made in a webserver's configuration.

If I understood that information perfectly, it would appear that your website has the ultimate say as to which method is available but that it might have some leeway among alternatives if more than one cipher is built in. In other words, if your site supports, among others, the cipher suite, i.e., DHE-DSS-AES256-SHA, and if I can affect IE's choice of preferences, it seems to me, it would be possible to effect this connection with SSL in IE. So, there are two questions: one concerning your site's list of suites, and the other concerning IE's control of preferences of cipher suites.
Construx
 
Posts: 25
Joined: Tue Jul 02, 2013 7:27 pm

Re: https support in forum

Postby timbgo » Mon Jul 08, 2013 12:05 pm

Construx wrote:..

...prefer to make use of IE whenever possible...

If I understood that information perfectly, it would appear that your website has the ultimate say as to which method is available but that it might have some leeway among alternatives if more than one cipher is built in...



First, sorry for my jumping to conclusion, wrongly, that you were a newbie in Linux. What cannot be sufficient indication, but made me jump that way, was that it was your first kernel compile, as you stated yourself that it was... My apologies!

But, on the other hand, even though I don't hate either M$ or their products, I still do consider them little good and lots of deceit, harm, plunder and ruin to others and themselvees, under a little shine and glitter that is for those who get the truth underneath the appearances, not beautiful but toxic.
Everybody is entitled to their own views, and even to like M$, just like I am to spell them M$ and not Microsoft.

I would like, though, to draw attention to what I should have referenced in some of the pages I wrote here earlier, but I am now a little worn out to add anywhere but here.

I searched, and can not, due to other obligation awaiting me, reread and provide here all the links, Only the starting ones:

https://grsecurity.net/news.php

And the text to find on that page is this one that I am now copying, very confident that it could only vanish not through the will of Spender and Pax Team, but probably only physical attack on them or their premises, which I pray to God it don't happen, and they get good people for friends even in high places. These people I really like, and only for their work, I miss, I really miss to, say see them on Russia Today, or if Iranians make their own satellite, on Press TV which is, for no reason whatsoever, for mere imperialist bullying, taken off satellite the 1st of July 2013., I watched them to bitter and, saw a lot of best among Americans there, from Oliver Stone to the late Michael Hastings (probably killed by FBI), to Randy Short and many others... And on Russia Today, I saw, finally, Richard Stallman, who I continue to support, as well as I saw Linus Torvalds, who I don't support anymore, and one of the reason I very much despise him now, is not allowing Grsecurity/Pax into the kernel. You, Linus are responsible, either for being a chicken with the U.S. NSA, or for being a bully and a profiteer, which of these is the case I neither know, nor have the time to investigate, but call on readers of these lines to give us, say here, or at appropriate place, but letting us know here, the truth about it....
Currently while I was writing this, there was Tony Teflon Blair the warmonger, the war criminal, who boodied his hands with hundred of thousands of Iraqis, along with George Bush, on the BBC World, and believe me, on the World News on Press TV, you had a lot of true news, and those criminals didn't get to cuddly talk of peace. Tony Blair the Middle East Envoy... Talking peace for Egypt! C'mmon! ... BBC World, CNN, Fox, Sky, those are at best incomplete, at best silent on the truth, and often lies, lies, lies! Too few exceptions on any of those!

Anyway, the text to find on that (https://grsecurity.net/news.php) page:

grsecurity in the news: Microsoft/Skype run grsecurity on 10,000 supernodes (May 1 2012)

Discovered by Kostya Kortchinsky and published on his blog with further reporting by ars technica, Microsoft has been found to be running a large number of Skype supernodes on Linux servers hardened with grsecurity. Though Microsoft is not a sponsor of grsecurity, this news serves as demonstration of a large-scale grsecurity deployment.


and the links underneath are:
http://expertmiami.blogspot.com/2012/05/skype-does-away-with-random-supernodes.html
http://arstechnica.com/business/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/

So, you have the right to like IE, but God, how toxic for the world Microsoft and that lier Bill Gates and probably most if not all the associates, are!
M$ IE to trash is my wish! Only take it out when I need to check if a particular webpage once I write it on http://www.CroatiaFidelis.hr (nevet, never time to update it, that's my NGO's page...) is supported on M$ and other browsers...

OTOH, I remember, and most true experts remember, that it was M$ who forced standards and broke standards and not respected standards, but I'm not into it, and I only was just a little.
Pls. don't get me wrong. It's people like M$, like Apple, like Google who buy our governments for their own sacred profits (nothing much good can really survive in those hearts where only money grows), to the detriment of all of us.
You drink lies, esp. in the U.S. E.g., Iranians are not developing nukes. They are not! They only refuse to dance as the World's Bully says. Credit to them for that! (I'm not saying they're perfect otherwise.)
Thank you!
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: https support in forum

Postby Construx » Mon Jul 08, 2013 2:31 pm

> "First, sorry for my jumping to conclusion, wrongly, that you were a newbie in Linux. What cannot be sufficient indication, but made me jump that way, was that it was your first kernel compile, as you stated yourself that it was... My apologies!"

I was not under the impression that you had offended me, and I am not inclined to feel that you would owe me an apology regardless. Even so, your sentiment sounds geniune enough that I want to say thank you for the gracious and sincere expression of courtesy. I do not have a deaf ear to such things, although my attitude sometimes obscures this fact. As for your assesment of my prowess, I can only say that I have no doubt that there are plenty of others here whose skills in Linux far exceed mine. So, the chances are very good that yours does as well. I don't recall implying otherwise. One of my many reasons for coming here is to improve my skills because this place would seem to me to be one where there is a no shortage of expertise and best practices, not to mention the fact that this place is concerned with a topic of considerable interest to me.

You are obviously an intelligent person from what I can tell, and you seem to have a lot on your mind in regard to "political correctness" and such, more so than I do. Yet, we are no so different, I suspect. I share "some" of your feelings and a few of your thoughts about a number of the points you raised. At the same time, you appear to have much more awareness about historical activities and opinions than I have, much more. Thanks for sharing them, sincerely. These are interesting topics, for sure, and I would like to know more about some of it. However, if I seem reticent to engage you along these lines, do not yourself be offended. My reluctance to do so is based on two important factors. First, I have little time to indulge the subject matter at this point in time due to other constraints to which I must attend. Secondly, not knowing anything about the opinions or preferences of those who moderate this forum, I am not inclined to "overstep" my boundaries of netiquette with this type of dialogue in this place because, interesting though it may be, in my personal opinion it does seem a bit off-topic. As a newbie around here, I hardly feel justified in taking such discretion.

The links you provided should prove to shed more light on some of these topics, and I shall peruse them more as time permits me. I hope to have an opportunity to talk more with you, quite honestly I do, and I hope the opportunities arise. I will watch for them, but right now I need to engage this project. It is not an easy subject matter, especially for one like me, who only recently learned how to compile a kernel! Thanks, again. Take care.
Construx
 
Posts: 25
Joined: Tue Jul 02, 2013 7:27 pm

Re: https support in forum

Postby timbgo » Mon Jul 08, 2013 5:57 pm

Much appreciation on my side for your kindness!
Neither do I have any spare time left.
And neither could I afford to overstep outside of the scope this forum is intended for.
Very much like your shakespearean manner of speech, in which kind I am not able reply, being of very insufficient understanding thereof.
I'll take only the liberty to give you and anybody interested in future contacts my full address, phones and, mails, simply because I am afraid of those who know anyway, and not of those who learn only if you reveal, just like anyone can clearly see, now that Edward Snowden has revealed the full extent of almost no privacy allowed for anybody by most of world's regimes of this Big Brotherly time:
I am afraid I would be somewhat of a burden, if I continued will my scathing language against the powers of this day, to this forum, so I sincerely wish this be the last in this forum for really some time. It's a little hard on me as well.
Construx, take my contact details in your address book, or your notes, if you wish.
Miroslav Rovis
Vankina 4
10020 Zagreb
+385 (0)1 660 2633
+385 (0)91 266 0202
m.rovis@inet.hr
m51r@yahoo.com
miro.rovis@gmail.com
However, I might be the one further than you from proficiency in some areas of computing, since e.g. I really have no defence for my mail, yet, and after having been attacked, probably by local UDBA how we call it (the tiny NSA of Croatia, for really short and simplified), through my provider Iskon, through local Google in Croatia, and also others, which I could prove, but with very hard and long lasting effort that I probably don't even have time for, since I wireshark all the time that I go online, and use other means as well, and a list of my files, let me post it here too (I've turned into a beggar right now, because under pressure by the regime in power in my country, my mails don't go nowhere, and even people oftentimes cannot reach me by phone because UDBA don't let them through... So this SHA256 can prove I got those files at least since this day that I on this international forum published it:
82e8a66f46c225434e3b6581f7652634decc761a90e57e252bf1e5a9c6de18a1
(again, that identifies a list of files, some 1/2 GB, forever. Those files can not be of any later date!)..
It's probably very hard to contact me. So be really patient. Nothing is anymore certain in my life, because my own country Croatia has gone to traitors and I am loud about it, and they hate me.
Give me your contact in mail, better than here, pls, because it is enough that I overstep a little what this forum is for...
However, this is my very last for a while.
And I am in some, even though not probably great danger, yet, from my regime locally.
Please, moderators, this is the last from me for at least one week, and later on I don't want to be as talkative as so far anymore. It's hard on me too...
Please! And thank you in advance!
Technically, I can tell you, and others who might be reading this, a little more on hardening your Debian Linux.
Do you have anything that comprises SELinux in your /boot/config-3.2.4XXX ?
Because if you do, I don't think you need it, and it might be cause of concern for your privacy.
Namely, this is the default:
Code: Select all
root@myhost:# cat /boot/config-3.2.0-4-amd64 | grep -i seli
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
root@myhost:#

That's default in Debian nowadays. And that is the ruin, in my strong suspicion!
To get a clean kernel for Debian those must not be there!
Such as in my kernel, the one that I use:
Code: Select all
root@myhost:# cat /boot/config-3.9.8-grsec-130706 | grep -i seli
root@myhost:#


There is:
http://forums.debian.net/viewtopic.php?f=5&t=103302
esp. find there:
entitled: "grsecurity install made difficult and misleading, why?"
and the link therof: http://forums.debian.net/viewtopic.php?f=5&t=103302#p493867
Also here:
entitled: "Grsecurity patched vanilla kernel (the missing part)"
and the link therof: http://forums.debian.net/viewtopic.php?f=16&t=103425

And this I really wish this wraps it up from me for at least one week from now, or even qute somewhat longer.
I needed to give my contacts in here, just in case, because I don't feel completely safe. Mine power-drunk effemeral clones, or zombies kind of people have also gone a little beserk, just like in the U.S. and other freedom dispensing countries of the day!
Again, if you accept my friendship, pls. send me email, but not to my addresses yet. I can't deal with them, yet. Local Google/regime/other people kill my computers to some unknown extent, and my nerves to rather considerable extent, through mail, and I'll need lots of time to learn defences!
Send me email here.
Anyone else reading this, pls. do likewise. I am really tired, and restricted in understanding of computing.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia


Return to grsecurity support

cron