We discuss, and struggle to pronounce, the difficulties in deploying HTTP public key pinning & some possible alternatives you should consider. Then we get excited for (n+1)sec, a new protocol for distributed multiparty chat encryption & explore the nuances of setting up home VPN gateway!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

• HD Video
• MP3 Audio
• YouTube
• HD Torrent

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Using VPN for all WAN traffic

• “I have a server with 2 1GB NICs, an un-managed switch, and a single gateway. Ideally, I would like WAN traffic routed through a PIA VPN
  using openVPN, and LAN traffic to be routed locally without a VPN.”

• Unmanaged switch isn’t ideal, but it’s far from bad.

• Assuming the server will act as firewall / gateway

• NIC #1 to router/modem, NIC #2 to switch with a static IP (say 10.1.1.1)

• run a DHCP server on there, handing out 10.1.1.1 as the default gateway, DNS as you see fit

• everything from LAN will go out via NIC #2 of server

• server connects to VPN provider via OpenVPN. There are options on to set the default gateway. This is the gateway which the server will use. All traffic leaving your network will go out to that destination.

• Not having used PIA, but I’ll guess you want your OpenVPN connection to accept their configuration settings (dns, etc) and use that on your server while it is running OpenVPN.

A Protocol For Distributed Multiparty Chat Encryption

• review by nccgroup.

• The protocol has the following security properties for group messaging:

• Confidentiality: the conversation is not readable to an outsider

• Forward secrecy: conversation history remains unreadable to an outsider even if participants’ encryption keys are compromised
• Deniable authentication: Nobody can prove your participation in a chat
• Authorship: A message recipient can be assured of the sender’s authenticity even if other participants in the room try to impersonate the sender
• Room consistency: Group chat participants are confident that they are in the same room
• Transcript consistency: Group chat participants are confident that they are seeing the same sequence of messages

I’m giving up on HPKP

• what is HTTP PKP?

• https://securityheaders.io – belongs to author

• Be Afraid Of HTTP Public Key Pinning (HPKP)

• Certificate Authority Authorisation – Later this year all CAs will be required to check a new DNS record called CAA before issuing a certificate – you can set a DNS record that specifies which CA you authorise to issue certs for your domain

• Certificate Transparency – Once CT is a requirement no CA will be able to issue a certificate in secret without the owner of the domain knowing about it because it will be present in publicly visible CT logs. See crt.sh

• OCSP leaks information

• What is OCSP (Online Certificate Status Protocol)?

Feedback

• Database migrations in Episode 332

• Extra skimming prevention tip

• Let’s Encrypt uses ~/.well-known/ directory – referenced in How It Works, but not named and explicity named in the Integration Guide

Round Up:

• Write a hash table in C

• BGP leak causes Internet outages in Japan and beyond

• The Right Way to Manage Secrets with AWS

• How to Incrementally Move an Ecommerce Site to HTTPS

• Google Removes 300 Apps Used to Launch DDoS Attacks From Play Store

• Hardening Framework Components

• 10% of the Internet Is Encrypted with Lava Lamps