[Ach] Summary of today's meeting && new website design

L. Aaron Kaplan kaplan at cert.at
Tue Dec 10 01:27:10 CET 2013


Hi Applied Crypto Hardening list,


TL;DR version: today we made nice progress. Please git pull and look at the website ;-) 



Here is a short summary of our docu sprint today.

Organisational:

* identified a list of reviewers. We plan to have a version of the document ready which can be sent to reviewers by early next week.  If you know of any reviewers or if you are willing to review this document, please do get in touch with us!
The document lives by the number and quality of reviews we get.
* timeline: we want to stick with the deadline of 27th of Dec (CCC) where Pepi and Aaron will present the paper.
This will be quite intensive.


Website:
A big thank you to Anna for the logo/CI design and to Pepi for the updated website:
  https://bettercrypto.org/
Looks really neat :)


Text:
* identified a missing section on DH params (thx Ian for mentioning it)
* section 10.1 was re-worked. Added graphics on how to read cipher strings
* 10.3.2 was re-worked: complete table of variant B cipher string list
* lots of typosquatting (thx Berg!)
* re-working of 10.5 (thx Adi). 
* fixed formatting of listings (thx Adi)
* David is working on the IRC section
* we now have a perl search & replace mechanism for replacing the string @@@CIPHERSTRINGB@@@ in $foo.tex.template with the cipher string B and generating the corresponding $foo.tex file. What does this mean?
Please if you use the cipher string B in a foo.tex file, consider working on the foo.tex.template file.
Example:

  % ls -al practical_settings/webserver.tex*
  -rw-r--r--  1 aaron  staff  8536 Dec 10 00:07 practical_settings/webserver.tex           # <--- generated
  -rw-r--r--  1 aaron  staff  8303 Dec  9 23:39 practical_settings/webserver.tex.template  # <--- original!

  % grep @@@ practical_settings/webserver.tex.template
  SSLCipherSuite '@@@CIPHERSTRINGB@@@'

  % grep SSLCipherSuite practical_settings/webserver.tex
     SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

The effect of this is that we can re-generate the document in case we decide to change the cipher string.
* VPN section: reworked it a lot, figures are nicer now (thx CM). IPSec tables are nicer



Big open topics that I can think of right now:
* testing of all sections. Fine repeatable testing mechanisms.
* missing: IRC
* missing: SIP
* missing: seclayer-tcp --> A-Trust? 
* missing: Racoon , L2TP over IPSec ?
* MS IIS: screenshots, registry settings? --> A-Trust?
* add a note on SHA-1 issues - as recommended by Florian IAIK
* in general, section 10 needs lots of work





--- 
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Commercial register number 172568b, LG Salzburg
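The template mechanism described in the message above (replace `@@@CIPHERSTRINGB@@@` in `foo.tex.template` to produce `foo.tex`) is worth seeing end to end, together with the check that makes the "please edit the template, not the generated file" request enforceable. The following is an added illustration in Python, not the project's perl script: the placeholder regex, the directory layout under `practical_settings/` and the `stale_outputs` check are assumptions of this example; the cipher string B value is the one shown in the generated `webserver.tex` above.

```python
import re
import tempfile
from pathlib import Path

# Placeholder syntax from the message: @@@CIPHERSTRINGB@@@ inside foo.tex.template.
# The regex is an assumption of this example, not the project's perl script.
PLACEHOLDER = re.compile(r"@@@([A-Z0-9_]+)@@@")

# Cipher string B exactly as it appears in the generated webserver.tex above.
CIPHER_STRING_B = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
    "+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:"
    "!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
)

SUBSTITUTIONS = {"CIPHERSTRINGB": CIPHER_STRING_B}


def has_unresolved(template_text, substitutions=SUBSTITUTIONS):
    """True if the template references a placeholder name we have no value for."""
    return any(m.group(1) not in substitutions for m in PLACEHOLDER.finditer(template_text))


def render(template_text, substitutions=SUBSTITUTIONS):
    """Expand every @@@NAME@@@; refuse to emit output containing an unknown name,
    so a typo in a placeholder cannot silently reach the PDF."""
    if has_unresolved(template_text, substitutions):
        unknown = sorted({m.group(1) for m in PLACEHOLDER.finditer(template_text)
                          if m.group(1) not in substitutions})
        raise KeyError("unresolved placeholders: " + ", ".join(unknown))
    return PLACEHOLDER.sub(lambda m: substitutions[m.group(1)], template_text)


def render_tree(root, substitutions=SUBSTITUTIONS):
    """Write foo.tex beside every foo.tex.template under root; return generated paths."""
    generated = []
    for template in sorted(Path(root).rglob("*.tex.template")):
        target = template.with_name(template.name[: -len(".template")])
        target.write_text(render(template.read_text(), substitutions))
        generated.append(target)
    return generated


def stale_outputs(root, substitutions=SUBSTITUTIONS):
    """Generated .tex files whose content differs from a fresh render of their
    template. A hit means either the cipher string changed and the file was not
    regenerated, or someone edited foo.tex by hand and that edit will be lost."""
    stale = []
    for template in sorted(Path(root).rglob("*.tex.template")):
        target = template.with_name(template.name[: -len(".template")])
        if not target.exists() or target.read_text() != render(template.read_text(), substitutions):
            stale.append(target)
    return stale


def demo():
    """Constructed mini-tree mirroring practical_settings/webserver.tex.template;
    returns the names of generated files detected as hand-edited."""
    with tempfile.TemporaryDirectory() as tmp:
        settings = Path(tmp) / "practical_settings"
        settings.mkdir()
        (settings / "webserver.tex.template").write_text(
            "  SSLCipherSuite '@@@CIPHERSTRINGB@@@'\n"
        )
        generated = render_tree(tmp)
        clean = [p.name for p in stale_outputs(tmp)]  # [] right after generation
        # Hand-editing the generated file is exactly what the check is for.
        generated[0].write_text("  SSLCipherSuite 'HIGH'\n")
        return clean, [p.name for p in stale_outputs(tmp)]


if __name__ == "__main__":
    print(demo())  # ([], ['webserver.tex'])
```

Running `stale_outputs` as a pre-commit or CI step catches both failure modes the message hints at: a regenerated cipher string that was not propagated, and a contributor who edited `webserver.tex` instead of `webserver.tex.template`.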



