SHA-1 sunset: valid SHA-2 chains treated as insecure

While dealing with the SHA-1 sunsetting process I encountered a problem with some certificates from StartSSL/StartCom that may lead Chrome to raise warnings or even errors on websites with updated SHA-2-only chains (at least on Microsoft Windows clients).

Chrome yellow-triangle

Read more …

Displaying pmacct country code on a Kibana 4 map

On the Integration of pmacct with ElasticSearch and Kibana post a user (Xentoo) asked how to display geographic information provided by pmacct on a Kibana 4 map using pmacct-to-elasticsearch.

An experimental feature of p2es called transformations can be used to add a Geo Point field on the basis of the country code provided by pmacct.


Read more …

Italian Government mail servers STARTTLS support

After reading Antonio Prado’s Reverse DNS lookup for Italian Government’s mail exchangers post I got intrigued by the idea of checking how many of those Italian Government’s MX mail servers support STARTTLS.

STARTTLS “offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection” (Wikipedia) and, when it’s implemented on the MX SMTP server, it allows a STARTTLS-aware user’s outbound mail server to encrypt the traffic toward the recipient’s server.

STARTTLS User to MX mail server

Read more …

DNSSEC: ECDSA-aware resolvers seen by RIPE Atlas

A couple of days ago CloudFlare announced its public alpha release of their DNSSEC implementation. Since they are using the “recent” Elliptic Curve ECDSA P-256 (RFC6605) I wondered how many resolvers can have problems with signatures validation so I wanted to take a peek at the current situation as seen by the RIPE Atlas probes network.

Read more …

DNS_FROM_AHBL_RHSBL 2.699 on Spamassassin

The public DNSBL services offered by AHBL have been shutdown.

Services and programs which used, and need to be updated in order to avoid false positives:

X-Spam-Status: No, score=0.789 tagged_above=-999 required=6
	tests=[BAYES_00=-1.9, DNS_FROM_AHBL_RHSBL=2.699,
	T_RP_MATCHES_RCVD=-0.01] autolearn=no

Spamassassin configuration, for example, needs to be fixed:

# cat /usr/share/spamassassin/ | grep AHBL
header DNS_FROM_AHBL_RHSBL    eval:check_rbl_envfrom('ahbl', '')
describe DNS_FROM_AHBL_RHSBL  Envelope sender listed in
tflags DNS_FROM_AHBL_RHSBL    net

Comment that block or (at least) force a score zero for the rule in your local configuration:

# cat /etc/spamassassin/ | grep AHBL