
Yes, that is correct!

It makes sense to use ECDSA for leaf certificates, because the TLS server can then handle more clients compared to an RSA-based certificate of the same strength (the private key operation is much cheaper with ECDSA and is needed for every TLS handshake). The client, of course, needs a few more cycles to verify the signature, but that is not noticeable most of the time.

IMHO it does not really make sense to use an ECDSA root certificate unless you have a very constrained environment, where every byte counts. The root certificate will never be transferred to the client during a TLS handshake, so the size benefit is minimal (the intermediate certificate will be a bit smaller, because ECDSA signatures are smaller). But the signature validation will take more cycles on the client in every TLS handshake.

Other than that, it is a good thing that Let's Encrypt now has an ECDSA root. If researchers find a problem with RSA in the future, we will have an alternative ready to use.
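As an added illustration of the trade-off described in this comment (example code, not the commenter's): a Go program that generates one ECDSA P-256 key and one RSA-2048 key, signs a constructed 32-byte digest standing in for the handshake transcript hash, and times the server-side signature and the client-side verification for each. The digest string is a constructed placeholder; on a typical machine signing is many times cheaper with ECDSA, while verification is cheaper with RSA.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"time"
)

type Timing struct {
	Sign, Verify time.Duration // server-side signing, client-side verification
	OK           bool          // the signature verified under the public key
}

// TimeSign signs digest with key, then verifies it with the matching public key.
func TimeSign(key crypto.Signer, digest []byte) (t Timing, err error) {
	start := time.Now()
	sig, err := key.Sign(rand.Reader, digest, crypto.SHA256)
	if err != nil {
		return t, err
	}
	t.Sign = time.Since(start)
	start = time.Now()
	switch pub := key.Public().(type) {
	case *ecdsa.PublicKey:
		t.OK = ecdsa.VerifyASN1(pub, digest, sig)
	case *rsa.PublicKey:
		t.OK = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) == nil
	}
	t.Verify = time.Since(start)
	return t, nil
}

// NewKeys generates an ECDSA P-256 and an RSA-2048 key (roughly equal strength).
func NewKeys() (ec *ecdsa.PrivateKey, rs *rsa.PrivateKey, err error) {
	if ec, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err == nil {
		rs, err = rsa.GenerateKey(rand.Reader, 2048)
	}
	return
}

func main() {
	digest := []byte("constructed 32-byte digest value") // stands in for the transcript hash
	ec, rs, _ := NewKeys()                                // fails only if crypto/rand does
	fmt.Println(TimeSign(ec, digest))
	fmt.Println(TimeSign(rs, digest))
}
```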


I just got it by chance, there seems to be an XSS vulnerability and some way to post things. Didn't expect so many alert windows to appear and not sure what else it was doing.


If that's getting through then for me it worked first time. It asked for "men" and the blurry outlines seemed pretty obvious to me.

Maybe I'm an android and I don't know it. Surely not, I remember my childhood.


Just as we implanted it....


The key to getting high delivery rates to GMail and Office 365 is to set up DMARC. When you have a proper DMARC configuration (and at least SPF), your delivery problems will suddenly go away.

Hosting your own mail server is not rocket science, but you need to have solid sysadmin skills and a good understanding of email as a whole.

If anyone is interested in doing this: Start simple with only Postfix and Dovecot, don't use a database for username/mailbox configuration as most tutorials suggest (start with text files instead). You can also start with OpenSMTPD and Dovecot if you think that Postfix is too complicated.

And if your setup is finally running, make sure to set up proper monitoring (e.g. make sure your mail server is running and answering SMTP connections). You can use free tools like uptimerobot.com for that and get notified before you lose mail.
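A small Go checker for the "proper DMARC configuration" this comment asks for, added here and not part of the comment: it parses a DMARC TXT record into its tag=value pairs and reports what a receiving mail server would find missing or weak (no enforcing policy, a policy applied to only part of the mail, no reporting address). The sample records and the example.invalid address are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// parseTags splits a DMARC TXT record ("v=DMARC1; p=reject; ...") into tag=value pairs.
func parseTags(record string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// CheckDMARC lists what keeps a record from being a proper, enforcing DMARC
// configuration: it must parse, enforce a policy on all mail and report back to you.
func CheckDMARC(record string) []string {
	t := parseTags(record)
	if t["v"] != "DMARC1" {
		return []string{"record must start with v=DMARC1"}
	}
	var issues []string
	switch t["p"] {
	case "":
		issues = append(issues, "missing required p= tag")
	case "none":
		issues = append(issues, "p=none only monitors; use p=quarantine or p=reject")
	case "quarantine", "reject":
	default:
		issues = append(issues, "unknown policy p="+t["p"])
	}
	if pct, ok := t["pct"]; ok && pct != "100" {
		issues = append(issues, "pct="+pct+" applies the policy to only part of the mail")
	}
	if t["rua"] == "" {
		issues = append(issues, "no rua= address: aggregate reports will not reach you")
	}
	return issues
}

func main() {
	// Constructed records: a monitor-only record and a proper enforcing one.
	for _, r := range []string{"v=DMARC1; p=none; pct=50", "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"} {
		fmt.Printf("%q -> %v\n", r, CheckDMARC(r))
	}
}
```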


> Hosting your own mail server is not rocket science, but you need to have solid sysadmin skills and a good understanding of email as a whole.

Not really. I had neither and got it up and running. Sure I had some issues, but as long as you have some competence, most things can be sorted out / figured out.


DMARC is used for reporting and enforcing SPF/DKIM, I doubt it is used by anything as spam/ham signal.


It is. Check mail-tester.com for a decent checklist.


> 429 Too Many Requests

Mozilla's discourse forum is now offline :)


OCSP stapling together with OCSP Must Staple is the way to go here. All major browsers support these.

Firefox still does normal OCSP requests, Chrome does not. So if you are a Chrome user, to my understanding, there is no way to know if the server certificate was revoked or not, other than OCSP stapling together with OCSP Must Staple. Additionally, both Chrome and Firefox ship a list of revoked certificates, but it may not be updated quickly enough and as far as I can tell it mostly contains roots and intermediates.
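Added example (not from the comment): Go code that detects the OCSP Must Staple assertion, i.e. the TLS Feature extension of RFC 7633 listing status_request, in a certificate's extension list, and runs the startup check a server should perform so that it never serves such a certificate without a stapled OCSP response. tlsFeature builds a constructed extension for the demo; on a real certificate you would pass cert.Extensions from a *x509.Certificate parsed with crypto/x509.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// id-pe-tlsfeature (RFC 7633); feature 5 = TLS status_request, i.e. OCSP Must-Staple.
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
const statusRequest = 5

// MustStaple reports whether exts (e.g. a parsed cert's Extensions) list status_request.
func MustStaple(exts []pkix.Extension) bool {
	for _, ext := range exts {
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		var features []int // SEQUENCE OF INTEGER
		if _, err := asn1.Unmarshal(ext.Value, &features); err != nil {
			continue
		}
		for _, f := range features {
			if f == statusRequest {
				return true
			}
		}
	}
	return false
}

// PreflightStaple is the startup check for a server: a must-staple certificate
// served without an OCSP response fails for every client that honours the extension.
func PreflightStaple(exts []pkix.Extension, ocspResponse []byte) error {
	if MustStaple(exts) && len(ocspResponse) == 0 {
		return errors.New("certificate asserts OCSP Must-Staple but no OCSP response is configured")
	}
	return nil
}

// tlsFeature encodes the extension the way a CA would (constructed for this demo).
func tlsFeature(features ...int) pkix.Extension {
	val, _ := asn1.Marshal(features)
	return pkix.Extension{Id: oidTLSFeature, Value: val}
}

func main() {
	fmt.Println(PreflightStaple([]pkix.Extension{tlsFeature(statusRequest)}, nil))
}
```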


This is not true. In Let's Encrypt/ACME, for example, you can simply obtain authorizations for all the domains a certificate is valid for and request revocation [1]. The only thing you still need to revoke the certificate is the certificate itself. The certificate can be obtained from CT logs.

[1] https://tools.ietf.org/html/rfc8555#section-7.6


Password managers like LastPass and 1Password have a significant advantage over offline database tools like KeePass: You can easily share individual passwords with your co-workers in a somewhat secure way.

KeePass for instance lacks the ability to do just that. You can either a) share the entire database or b) use multiple databases with different passwords. However, a) is not secure as your co-workers get access to passwords they do not need and b) is very inconvenient.

LastPass (or 1Password, Bitwarden) makes sharing individual passwords within your team very easy, convenient and secure enough. You can create shared folders and define permissions to access those by certain members of your team, and most importantly, deny access to other members. Is there any offline based password manager that allows you to do that (and is usable by the average Joe)?


I think the KeePassXC team is working on this one. Maybe it's even ready to use. I didn't try it as I don't need this.

https://github.com/keepassxreboot/keepassxc/blob/develop/doc...


I love the work of the KeePassXC team. I feel that they are constantly improving their password manager with the features I need.


1Password does not support sharing (or transferring) of single passwords. You can for example not create an account for a user and send him the credentials through 1Password.


This is possible in the Web UI of 1Password for Teams: https://discussions.agilebits.com/discussion/comment/360497/...


Just make a shared KeePass database. You don't want to mix your personal and project password data anyway.


How well does KeePass support having multiple open databases? And ideally one would also want something like GPG where every sysadmin has his own password to the same shared file, which I do not think it supports.


In my experience, KeePass works great with 2 databases open.

On my work computer, I have my own personal DB and my work DB open at all times. I mainly use the passwords for the web, and the Kee extension in Firefox and Chrome finds the right password without any problem, from both DBs. I have my personal ssh keys stored in my DB as well, and PuTTY can access them without problem.

I can't speak for shared DB though, as I've never used it in that way.


Quite well, I always have my webdev, sysops and business kdbx open simultaneously.


When is it a good idea to share a password with someone anyway?


My spouse and I share our streaming media accounts, for example. We also share passwords for the account on the utility company website, the phone company, and the internet company, some are under my name, some his, but they are really joint bills.

The other case I've run into is at work, when the company has an account with an outside vendor rather than individual users.


Some scenarios I have seen:

- You have a social media account that a group of people should be able to access. (Facebook does this "right," in that pages don't have their own login credentials, and you go through your personal Facebook account to access the page. But I kind of wouldn't want to use my personal Facebook account for work, anyway. Twitter, Instagram, Reddit, etc. treat each account as its own log-in-able entity.)

- You have an AWS account where you want to avoid a single point of failure for the root credentials. Yes, each person should use their own IAM creds for day-to-day use, but if person X is unavailable person Y should be able to get to things. (And for casual projects, "learn about IAM" is a significant burden over "learn how to upload pages to S3" for limited benefit.)

- You have a web hosting account from someone who's not AWS who gives you a single username and password. Or a DNS registrar account (most registrars I've seen don't let you split up access). Or whatever.

- You have a shared email account for replying to things as a team, or even for just archiving emails. Again, some systems do this "right" - if you're using Exchange, you can allow one user to access another user's inbox. But most people aren't on Exchange, they're on something like Gmail.

- You have an account for some service where you shouldn't be sharing passwords according to the service, but doing so is strictly in the service provider's benefit, not yours. Netflix is the canonical example.


Your root AWS account should have 2FA, and storing TOTP seeds in your cloud password manager makes it 1FA.


I have 2FA on my shared AWS account - my project partner and I both scanned the QR code at the same time. (You should be backing up your QR codes anyway in case you lose/break your primary phone; scanning it simultaneously with a secondary phone is a great approach for this.)

Even if this weren't possible, it would still be better to use 1FA than to arbitrarily pick one person to have root account access and lock the other person out simply because you "should" have 2FA.


The scenario I often have is a group of sysadmins and you all need access to a vendor's page.

At home, I take care of most of the bills. There are a few services where bills are under her name and account, but I need access.


Whenever you need a shared account for anything.

It's the superior choice to sharing an existing/personal account.

And people will do it; the best you can do is to make the sharing secure.


When there is no better option. For example some B2B partners only provide one set of credentials for their management interface.


Family sharing accounts for Netflix, Spotify, the thermostat, the newspaper, ...


In Germany, only Deutsche Telekom (and resellers such as Congstar) supports IPv6 on mobile (for both prepaid and postpaid). And it works great, even when tethering.

Since you're from the UK, I suppose you are a Vodafone customer and therefore roaming in the Vodafone network in Germany (which does not support IPv6 yet).

On some networks/devices you might have to enable IPv6 explicitly, by setting the APN to IPv4/IPv6.

In Singapore, Singtel seems to be the only provider that supports IPv6. Unfortunately only for postpaid plans.


I was using Three last time I was in Germany. I just switched to Vodafone because they offer 4G tethering when roaming internationally.


> The mobile phone with the number +49 174 276 6483 On display in a vitrine in the exhibition Global Control and Censorship at ZKM | Center for Art and Media Karlsruhe, October 4, 2015 – May 1, 2016

> It's turned on and connected to the network. No-one (human) will pick up if you decide to make the call.

http://hop3.de/mobiltelefon_en.html


Pity that they don't have a kind of webcam so that we can see how many calls happened up to now.


I'll be going to ZKM next week. From the photo ( http://hop3.de/mobiltelefon_en.html ) it seems like the phone displays the number of missed calls. I'll let you know what it says.


As anotheryou said, the phone is sadly limited to displaying double-digit numbers of missed calls. It did ring every couple of minutes though while we were there. We were playing with the idea of calling the people back (like any phone it shows the caller's number unless the caller chooses to prevent that) but in the end we didn't.

Photo: https://i.imgur.com/zBaVFMH.jpg ("99 missed calls")


It sadly maxed out at 99 calls, it's an old brick-style phone.


In Germany, you need a permit from the authorities (in this case: Regierungspräsidium Freiburg, cost: 30€) and you have to register a weather balloon launch with the German flight control (Deutsche Flugsicherung, cost: free).

