1. Forum
  2. fsxNet
  3. FSX CRY

  • RE: Secure binkp

    From NuSkooler@21:1/121 to Al on Mon Nov 25 19:49:34 2019
    On Monday, November 25th Al was heard saying...
    My understanding is that TLS 1.3 is secure and a good way to proceed.

    I don't mean to butt in, but the TLS 1.3 protocol is certainly secure. Ensure you choose secure & modern suite(s). For example: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

    AES has the benefit of using AES-NI instructions on modern CPUs. Without these instructions it can be up 30x slower and much more CPU intensive. If you're running on very old hardware, some of this becomes almost a no-go as it's just too intensive.

    TLS is for PKI, which might make sense for a network op who could perhaps but the Certificate Authority (CA), but I can see that quickly becoming an issue when someone loses their private key/etc.

    A end-to-end encryption system might be better if you're considering from scratch (but of course OpenSSL and such make TLS much easier to implement).




    --
    NuSkooler
    Xibalba BBS @ xibalba.l33t.codes / 44510(telnet) 44511(ssh)
    ENiGMA 1/2 BBS WHQ | Phenom | 67 | iMPURE | ACiDic
    --- ENiGMA 1/2 v0.0.11-beta (linux; x64; 12.13.1)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From Avon@21:1/101 to Al on Tue Nov 26 21:01:28 2019
    On 25 Nov 2019 at 11:55p, Al pondered and said...

    Your not butting in at all, and if you are you are welcome too.. :)

    I second, even third this :)

    --- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)
  • From NuSkooler@21:1/121 to Oli on Wed Nov 27 09:25:48 2019
    Oli around Wednesday, November 27th...
    For testing we can use self-signed certs.

    If you don't want to muck around with CA's (I'd highly recommend you *do*; ACME
    / Let's Encrypt works very well -- but you *do* need domains and the like), the "sign up" process simly becomes "Trust this particular cert", which isn't really that bad.

    On Wednesday, November 27th Oli said...
    What is still missing is some authentication of incoming connections if no session password is configured. On the TLS level we could use client certificates, but it would make everything more complicated and less flexible.

    I've used client authentication many times over the years, what are you concerns over compliexity/less flexible here? As for passwords, they are now OK
    to send as they don't go over the wire unless the TLS handshake completes (or maybe I'm misunderstanding what you're saying here)


    --
    NuSkooler
    Xibalba BBS @ xibalba.l33t.codes / 44510(telnet) 44511(ssh)
    ENiGMA 1/2 BBS WHQ | Phenom | 67 | iMPURE | ACiDic
    --- ENiGMA 1/2 v0.0.11-beta (linux; x64; 12.13.1)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)