Seriously, verify your systems after an update. Only continuous monitoring of security features will make sure you don't expose people to insecure systems over time.

This morning I noticed that my traefik setup had decided to downgrade its defaults to SSLv3 due to a bug in the Go TLS library.

So yeah, if you run anything server-side that provides TLS and is built with Go 1.12.x, you might want to verify it.

And also a follow-up on my traefik story, where an upgrade of the Go version dropped the defaults for TLS connections down to SSLv3 instead of TLS 1.0.

The wonderful team around traefik solved the problem and released a new version within 2 days:

That's how things should work!

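The check the thread asks for, as an added example (this is not code from the original posts or from the traefik project): start a TLS server with a given config on loopback, then probe it with a client pinned to exactly one protocol version at a time and record which versions it actually accepts. The same probe works against a real deployment by pointing it at that host:port. The configuration-side counterpart is shown too: HardenedConfig pins MinVersion explicitly so a library upgrade cannot move the floor, while LegacyConfig relies on TLS 1.0 being permitted. Since Go 1.14 crypto/tls no longer speaks SSLv3 at all, so the probe covers TLS 1.0 through 1.3; the names, the TLS 1.2 floor and the throwaway self-signed certificate are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Report records which protocol versions a server was willing to negotiate.
type Report struct{ TLS10, TLS11, TLS12, TLS13 bool }

// HardenedConfig pins the floor explicitly instead of trusting the library
// default, so a Go upgrade cannot silently change it. Assumed policy: TLS 1.2+.
func HardenedConfig() *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS12} }

// LegacyConfig is the weak counterpart: TLS 1.0 explicitly allowed.
func LegacyConfig() *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS10} }

// selfSignedCert builds a throwaway 127.0.0.1 certificate (constructed for this
// example) so it runs offline; it stands in for a real deployment's certificate.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// offers dials addr pinned to exactly one protocol version and reports whether
// the server completed a handshake at that version. Chain verification is
// skipped on purpose: this probe is about the negotiated version, not the cert.
func offers(addr string, version uint16) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		MinVersion:         version,
		MaxVersion:         version,
		InsecureSkipVerify: true,
	})
	if err != nil {
		return false
	}
	defer conn.Close()
	return conn.ConnectionState().Version == version
}

// CheckServer serves cfg on a loopback listener, probes it with every protocol
// version, and returns what was accepted. Against a live deployment you would
// call offers() with the deployment's host:port instead.
func CheckServer(cfg *tls.Config) (Report, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return Report{}, err
	}
	srv := cfg.Clone()
	srv.Certificates = []tls.Certificate{cert}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return Report{}, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // accept or reject; the client records which
			}(c)
		}
	}()
	addr := ln.Addr().String()
	return Report{
		TLS10: offers(addr, tls.VersionTLS10),
		TLS11: offers(addr, tls.VersionTLS11),
		TLS12: offers(addr, tls.VersionTLS12),
		TLS13: offers(addr, tls.VersionTLS13),
	}, nil
}

func main() {
	for name, cfg := range map[string]*tls.Config{"legacy": LegacyConfig(), "hardened": HardenedConfig()} {
		r, err := CheckServer(cfg)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-9s TLS1.0=%t TLS1.1=%t TLS1.2=%t TLS1.3=%t\n", name, r.TLS10, r.TLS11, r.TLS12, r.TLS13)
	}
}
```

Run this after every upgrade of the binary or of the Go toolchain it was built with; a row that suddenly shows an older version accepted is exactly the regression described above. Whether the legacy row accepts TLS 1.0 depends on the Go release doing the probing, which is itself a reason not to rely on defaults.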


Completely true. Just "setting up your own server" is done in 15 minutes, but "securely operating your own server" is only possible if you continuously monitor your setup, and – also very important – act accordingly in case of any issues. This also includes log file monitoring, DNS monitoring, CT monitoring, and so on.

@infosechandbook @sheogorath This is always what annoys me when people just argue "just run your own server, it's easy". No, it is not; there is a reason why being a systems administrator is a job.

Sheogorath's Microblog