Jump to content


Computer Nerd Kev

Member Since 12 Jul 2014
Offline Last Active Sep 25 2020 07:38 AM
-----

Posts I've Made

In Topic: Suggestion to Disable TLS 1.0 and TLS 1.1 for all users

29 August 2020 - 06:30 AM

@Piotr_GRD I agree entirely, inidviduals with browsers that support the newer encryption standards can use those without needing to force upgrades on others. In fact my favourite browser is Dillo, and although it can be built to work with TLS 1.2 (maybe even TLS 1.3), SNI is causing me all sorts of trouble. A lot of my browsing (where I don't need to log in) is going via a web proxy that serves over HTTP now, just so that I can use the browser that I like. I'm planning to write a patch to get SNI working in the current stable version myself when I get the chance.

 

Also on my sites I only use HTTP to HTTPS redirects for parts where user information is transfered. For general browsing of publicly viewable webpages HTTPS has only very limited advantages for privacy, and there is no need to force it on people who might not be so paranoid about others potentially finding out (with some fair degree of effort) what page they've viewed within a website.

 

Well rant over. Back on the TLS topic, according to this service (and problems with old browsers that I try to run affirm it) TLS 1.0 and 1.1 are already disabled on Tommy:

https://www.ssllabs....y.heliohost.org

 

A more productive debate might be over whether TLS 1.3 should enabled (that site says it's not on Tommy), for those who do have the latest browsers and want to ensure maximum security when they connect.


In Topic: Problem with Git setup

26 July 2020 - 09:30 AM

The clone URL in the video is for SSH access and Heliohost accounts don't allow this (except on the VPS accounts).
 
There's a banner at the top of the CPanel Git config. page in my account that says:
 

Warning: Your system administrator must enable shell access to allow you to view clone URLs.

 
Git also supposably supports HTTP/S URLs, not that I fully understand how this works for uploading.
 
I tried it once by creating a git repo under ~/public_html/, but although I tried hard, I couldn't get it to work (I can't find my notes on this, so not sure what the exact errors were). The Git documentation is far from clear on how HTTP-hosted repos work (though I don't find it particularly clear about anything for that matter).


In Topic: [Solved] Non-SSL SMTP Port Requires SSL

26 July 2020 - 08:50 AM

Well as it turns out I've now managed to get msmtp to build with SSL/TLS support, and got my old email MUA to use it instead of the built-in MTA (which took a bit more scripting than I expected), so I can do SMTP with encryption on port 465 now.

 

So whether or not you want to change the default so that SMTP works unencrypted, I don't need it now personally. Ideally I would still prefer the option to use unencrypted SMTP in case of future troubles though.

 

Thanks for the explainations and for looking into this.

 

Now to try and set up an MRA/MDA for the IMAP side of things...


In Topic: [Solved] Non-SSL SMTP Port Requires SSL

26 July 2020 - 02:20 AM

It's intentional because AUTH PLAIN is a security issue.

 
Technically it doesn't have to be AUTH PLAIN, it could be AUTH CRAM-MD5 (or similar) for a little more security, but I'm not sure if this is relevent to the rest of your reply because that's nothing to do with STARTTLS or SSL/TLS in general. The AUTH method is just the way of specifying the password, with methods that make it more secure do so over unencrypted connections.
 

 

Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server. [?]

Disabling this option will significantly decrease the security of the server by allowing the plaintext transmission of authentication credentials.

I've actually turned this off briefly a few times to confirm this exact problem was the issue with my apps, but since it's a security issue I turned it back on and found more secure solutions once I knew where the problem was.

 

 

Well the security risk is that without SSL/TLS the authentication details can be read by someone snooping on the connection. That won't compromise the server itself (it's the same info as in the logs that I posted), but of course they can use them to get passwords that other people use to send email. That's why I was only looking to do it with one account where security isn't very important and the password isn't used for anything else. Similar to how FTP and HTTP CPanel/Webmail is enabled even though they're unencrypted, presumably for people who aren't concerned about a targeted attack on their account.

There is an argument that someone snooping on all of the internet traffic that goes to Heliohost (eg. a hacked machine or rogue employee at the datacentre or an ISP) could pick out the passwords for all Heliohost email accounts that users connect to without encryption. Then they could use Heliohost for sending spam out via other user's accounts - without an easy way of blocking them (if they connect from a large range of IP addresses).

So from that perspective it could be a risk to the whole server because if it gets Heliohost on spam blacklists, and can't be fixed while there are users connecting unencrypted to their email, it would affect all users on the system.

But Tommy does accept webmail logins over unencrypted HTTP at port 2085, which is just as bad as unencrypted SMTP (maybe worse because I'm not sure if there's anything like CRAM-MD5 for HTTP) for security of authentication details. Also IMAP on port 143 works without SSL/TLS. As the same passwords are used with SMTP for sending email, then that risk is still open via those routes.

Sorry for the lecture, I'm just trying to cover all sides of the topic. Security stuff always gets complicated.
 

I'd be looking for newer software. If the software is old enough to need this option turned off, it's old enough to have god knows how many other security issues. I have a PHP mail client from 2011 installed on my account, and even it supports STARTTLS...

 

Technically the software I'm using does support STARTTLS and SSL/TLS directly on port 465. This still works on other servers. The trouble is that the encryption library used by my software is old and Tommy's software no longer supports any of the encryption methods that it can use. That's presumably because they've all got security issues, so I am resigned to trying to upgrade eventually (complicated by me wanting to use software that isn't maintained - I'm currently looking at installing a separate MDA and MTA (msmtp from the first SSL log) instead of the ones built into my old MUA, but what do you know I'm having trouble getting the SSL support to compile...).

I'm not trying to draw Heliohost into my own world of software frustration, and do plan to get my Email working everywhere over the latest encryption eventually. This was just an attempt at a quick fix for one account where encryption doesn't matter in the first place, and seeing as unencrypted connections are allowed for pretty much everything else (including webmail and IMAP) it seemed unlikely that SMTP was deliberately meant to be SSL-only. If it is deliberate, then I think the logic is a bit inconsistent, but I won't tell you to re-evaluate everything just for the sake of my temporary issue, not unless you want to anyway.


In Topic: [Solved] Account Inactivity Immunity Lost

28 May 2020 - 11:17 PM

Ah right, that's OK. I wasn't sure if I'd remembered it correctly, but the description disappeared after the fundraiser was closed and the page wasn't archived by the Wayback Machine, so I trusted my "optimistic" recollection of it.