Domain: calomel.org
Stories and comments across the archive that link to calomel.org.
Comments · 8
-
Re:what a dribbling paid Intel shill
All the advanced features which (especially) VMWare and other big name vendors use them and they either don't support AMD or the features don't work cross-platform so you can't do a live migration or you have to reconfigure your VMs to use different CPU architectures.
This may change with Ryzen but as you said, it's the first generation, I'm not going to entrust my datacenter on something that had trouble handling a Linux kernel compile. Encryption is about half the speed on AMD vs Intel. Check the benchmarks: https://calomel.org/aesni_ssl_...
-
Re:Just one problem
It doesn't matter that SSL is computationally expensive, because you don't use it to encrypt the entire session. Instead, you use it to exchange symmetric encryption keys in a secure manner and *those* keys (and algorithms) are what is used to encrypt the session. Even an old Xeon 5160 could encrypt 100-150 MB/s with AES-128 which is enough to keep up with a 1Gbps NIC.
Modern CPUs are even faster. Those are per-core numbers, so multiple by 4/8/12/16 (however many cores you have).
-
OpenBSD + pf = Delight
I'm a big fan of using OpenBSD for my home routers. The documentation is superb, and is more than enough to get started. You might also enjoy caolomel.org, and kernel-panic.it. Each site provides a number of straight forward approaches to setting up a few different types of networking appliances with OpenBSD, and other Unix style systems.
If you're comfortable with GNU/Linux you might actually find OpenBSD easier, as it's a simple, well documented UNIX.
* The default install is a handful of simple text questions, and takes around twenty minutes to complete, less if you have fast media.
* The default install is pleasantly minimal if you're into setting up appliances
* Out of the box you will get the Unix versions of software, example vi, not vim
* There are ports, but unless you're stetting up an http proxy or something, you might not need themPF - packet filter
Once you get the hang of writing pf rules they're a delight:
* make sure you understand the direction packets move in/out of your interfaces
* make sure you understand how the pf language expands/infers your instructions, pf is expressive, and that's good, but also means be careful.
* QoS is fun, and can be insanely elaborate -
"[U]se [RC4] as a last resort."
Unfortunately — in Firefox, at least — ciphers can only be toggled, not given a priority. Control over cipher selection (and other HTTPS parameters, such as key length, key exchange, hash (MD5/SHA)., etc.) lies with the server operator. In my own testing, the arbitrated HTTPS parameters are most frequently prioritized in some order without regard to strength, or prioritized from weakest-to-strongest (or perhaps least-to-most expensive to execute).
In order to retain manageable security, I have only TLS 1.0-1.2 enabled, MD5 disabled, all RC4-employing combos disabled, with the last being switchable via a check box provided by "CipherFox." (Additional features of use to "CipherFox" users are provided by "Calomel SSL Validation."; I recommend both.)
-
PFS Determination+
I recommend Calomel SSL Validation to anyone who's interested in the security of their SSL/TLS connections. It adds a toolbar button, the color of which is determined by a weighted, composite score based on various connections security parameters: Bit-lengths, algos (e.g., AES > RC4), PFS, handshake/protocol, domain matching, etc. Clicking the button displays the complete break-down, including a percentage-score for overall connection security.
There's also a Tools menu dialog that allows one to toggle >=128 bit, >=256 bit, PFS, and/or FIPS connections exclusively, among other security and interface tweaks.
Along the same lines, I also recommend CipherFox, which has a configurable status-bar display of symmetric/asymmetric algos and their bit-lengths, and the hash function used in a secure connection. CipherFox also allows RC4 to be toggled, which is handy in conjunction Calomel.
The above are all freeware that appear to be written and published by individuals lacking a nefarious corporate agenda.
-
Re:I can't remember
Even then there are some that just don't have a way to re-enable. Like autocompleting URL bars that autocomplete entire URLs, and not just domains or partial URLs. Even more annoyingly, Firefox refuses to autocomplete ports - so if you visit http://localhost8080/ Firefox oh-so-helpfully autocompletes just "http://localhost".
But I go to direct deep URLs on a lot of things.
FF plugin "Calomel SSL Validation" has a checkbox on its Optimizations tab* to toggle the behavior you described. The prefs dialog must be accessed via the Tools menu; the toolbar button's sole functions are: 1) Changing color to indicate a weighted, aggregate measure of the security quality of an encrypted connection, and 2) when clicked, displaying score-points and the details from which they were derived (cert match,cyphers, key lengths, hash algo).
TLS 1.1 & 1.2 were added a couple versions back, but remain off by default. This plugin adds control of some of this functionality. See WP's TLS article and it's cited notes/bug reports regarding FF's implementation details/issues: https://en.wikipedia.org/wiki/Transport_Layer_Security
* This plugin's secondary functions are numerous and disparate. I'm tired, so see first link if you want to know anything else about it.
-
Re:Possible attack vector
I've got my laptop set up so that anything important (EG: Email, file transfer) is set up with strong encryption. Websites, not so much, though I do have a squid proxy server so if it matters, it's a single command and three clicks to secure my web browsing.
-
Re:SSH
Yup.
-Setup a ssh server outside of china, always on. for windows use some port like copsshd.
-Set ip up at an alternate port (not 22, use 443), it will obfuscate it a little bit.In china run ssh client, putty can do this, tunnelier has some more options
https://calomel.org/firefox_ssh_proxy.html
Then use proxy options of firefox to send traffic over this proxy. Be careful no to leak too much dns info.