ANNOUNCING: DEF CON Security Improvements

I've been working on security improvements to all the DEF CON servers since we did the big network move, focusing on DNS and web server related options. In this part one post I want to let everyone know what I've been up to, what we still plan to do, and hopefully inspire everyone to make improvements to their servers and services as well!

- These servers now support HPKP [1]
- These servers now support DNSSEC and DANE TLSA records [2]
- We now support all the 10 http headers checked for at as well as some they don't. Run the tool on your own site and improve!

- Our mail server now supports DNSSEC and DANE TLSA records [3], in a slightly different format than the TLSA records for the servers above, they have to be SHA256 [4]
- Mail now supports more (and less!) algorithms [5], but unfortunately, still has to support SSLv3. There are still too many old MTAs that have not updated. Yes, the big web mail providers have, but there are still plenty of small servers out there that are dated. We'll keep checking logs and at the start of next year we'll stop support for SSLv3.

For the web, media, and forum servers it was adding the HPKP http header, and for DNS it was a TLS record. For the mail server we added DANE

- All domains now support DNSSEC
- All domains support CAA resource record [6], super simple to implement, and is intended to signal to all CAs to not issue and TLS certificates for your domain unless they are listed under your CAA record. Many, but not all, CAs support this -but hey, why not?

- We support HTTPS on the tracker


Round Two of the security upgrades will include mostly big bumps to crypto related certificates and setting: Enabling OSCP Stapling, stronger sorting of HTTPS algorithms, newly regenerated 4096 bit certificates chained to a 4096 bit root CA, rotated and stronger (4096bit) DNSSEC certificates, OPENPGPKEY, and SMIMEA records.

DEF CON uses DIGICERT for certificates, and they support RSA, DSS, as well as ECDSA certificates. We'll be evaluating if we should support another certificate type besides the current RSA.

Feel free to comment on this post!

The Dark Tangent


[1] HPKP is the Host Key Pinning Extension that tells compatible browsers what ssl certificate to pin to the site you are visiting and for how long. This helps prevent and MITM attacks with forged TLS certificates. This is lightweight and just works if your browser supports it. (FireFox, Chrome). This is an easy to do security upgrade if you host someplace and don't control your DNS. To create the HPKP record I ran this command:

openssl x509 -in -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64

That gets us a SAH256 hash base64 encoded. I tried SHA384 and SHA512, but it looks like the HPKP spec is only for SHA256.

[2] DANE / TLS relies on DNSSEC and if you are using a plug in like the TLS Validator plugin for Internet Explorer, Firefox and Chrome it will give you visual feedback on if the sites you are browsing to support DNSSEC as well as if the page you connecting to with TLS is protected by DANE. DANE pretty much assures that the site and certificate you were expecting to get is actually the certificate you received and is a more complete solution than HPKP, but a more complicated one for people to adopt.

[3] or check your favorite mail server here.

To generate and test the TLSA record there are some great sites out there:

[5] CipherList=TLSv1.2:TLSv1.1:TLSv1:SSLv3:!SSLv2:!aNU LL:!eNULL:!ADH:!LOW:!MEDIUM:!ECDH:!3DES:!RC4:!MD5: !DES:@STRENGTH

[6] CAA records are well describe in the Thawte pdf: