10:27 < Gabeee> EastByte: if I remember correctly, on startssl you can either let them make the keys and certificates, or do it yourself and send the CSR file
10:27 < Gabeee> It is really, really bad to let them know the private key, plus it is sent through https.. really, I would feel safer using :80 rather than a https which is unsecure :P
10:28 <@EastByte> yep
10:28 < Gabeee> But heh.. it's for windows xp, we can't really expect much, and it's all broken anyways
10:28 <@EastByte> the last time I used startssl I could also use my own key
10:28 < Gabeee> Yes I remember that
10:28 < Gabeee> You can't do it anymore?
10:29 <@EastByte> heinrich5991 is struggling with startssl, not me :p
10:30 < Gabeee> If I'm not wrong, firefox handles its own authorities
10:30 < Gabeee> dunno about chrome
10:30 <@EastByte> chrome atleast doesn't do that (on xp)
10:30 <@EastByte> that's why we cannot use letsencrypt
10:31 < Gabeee> Sadness enabled
12:14 <@deen> well, also IE
12:15 <@deen> I guess at some point letsencrypt will get support for WinXP SP3
12:15 <@deen> from what I understand they just need to be signed by an accepted authority for that
12:15 <@EastByte> deen: we just switched to startssl :p (look at the cert)
12:16 <@EastByte> but now we noticed SNI is still needed (no xp support)
12:16 <@deen> huh?^^
12:16 <@deen> that's unfortunate
12:17 <@EastByte> well maybe we did something wrong
12:21 < Soreu> >.>
12:21 <@EastByte> did something break>
12:21 <@EastByte> ?
12:22 < Soreu> Nope, but neither is fixed :P (damn XP)
12:25 <@EastByte> laxa: do you have the same problem with windows xp?
12:27 <@EastByte> I will do a check on ddracepro.net
12:28 <@EastByte> hm: IE 6 / XP   No FS 1  No SNI 2Protocol or cipher suite mismatch
12:48 < laxadedi> I don't understand your problem
12:48 < laxadedi> I configured my apache server to only accept high securities ciphers
12:48 < laxadedi> so I guess it doesn't support windows Xp with IE 5 or smt
12:49 < Gabeee> Oh, yes laxadedi this is the issue
12:49 < laxadedi> https://www.ssllabs.com/ssltest/viewMyClient.html
12:49 < Gabeee> Perhaps XP doesn't support the recent ciphers
12:49 < laxadedi> use this with your browser in windows Xp
12:49 < laxadedi> you'll see what cipher suite you can configure on your server
12:49 < Gabeee> (and this is why banks always have weak ciphers support in order to support most of the machines)
12:49 < laxadedi> Indeed
12:50 < laxadedi> But at what cost would you support win Xp ?
12:50 < laxadedi> I am not understanding the will to do some effort to support a deprecated OS to be honest
12:50 < laxadedi> That's encouraging non-security in some way to me
12:51 < laxadedi> Problems with old IE is not only cipher suites, but protocol availability
12:51 <@heinrich5991> wikipedia also supports winxp
12:52 <@heinrich5991> https://www.ssllabs.com/ssltest/analyze.html?d=en.wikipedia.org&s=208.80.153.224&hideResults=on
12:52 < laxadedi> wikipedia does'nt have a forum with authentication
12:52 <@heinrich5991> huh?
12:52 <@heinrich5991> it does
12:52 < laxadedi> well, 0.1% of all people browsing wikipedia have an account or something I guess
12:53 < laxadedi> It's not because wiki does it that you should
12:53 < laxadedi> especially since they probably have that system for years
12:53 < laxadedi> we are in 2016 and you are trying to do it
12:53 < laxadedi> https://en.wikipedia.org/wiki/Transport_Layer_Security
12:53 < laxadedi> all informations regarding browser support and ssl are there
12:54 < laxadedi> Anyway that's just my own opinion, I would'nt loose time to support a deprecated OS.
12:55 <@heinrich5991> the problem is that quite a fraction of users use winxp
12:55 < laxadedi> Last 0day that hit all windows was never fixed on windows Xp, just saying.
12:55 < laxadedi> The problem is the users, not ddnet
12:55 <@heinrich5991> yes
12:55 < laxadedi> you are putting yourself in a nightmare by doing that
12:56 < laxadedi> Tell them to upgrade to something else
12:56 < laxadedi> running windows Xp nowadays on internet is being crazy
12:56 < laxadedi> They are all probably rooted
12:56 <@heinrich5991> I believe everyone who could upgrade winxp already did so :)
12:57 < laxadedi> You can still get chrome on winXp right ?
12:57 <@heinrich5991> or firefox
12:57 < laxadedi> well then
12:57 <@heinrich5991> and with firefox it already works
12:57 <@heinrich5991> but with chrome it does not
12:57 < laxadedi> oO ?
12:57 < laxadedi> that's interesting
12:57 <@heinrich5991> because firefox ships their own crypto and trusted cas
12:57 <@heinrich5991> and chrome uses windows stuff
12:57 < laxadedi> are you sure this is not a root certificate problem ?
12:58 <@heinrich5991> it is
12:58 <@heinrich5991> that's why we're trying to move to startssl
12:58 < laxadedi> then just ask the user to install it ?
12:58 <@heinrich5991> but now we also need to disable the need for SNI
12:58 <@heinrich5991> how? ^^
12:58 <@heinrich5991> the site doesn't load without https
12:58 <@heinrich5991> and google results point to https
12:58 < laxadedi> Afaik that is the problem of SNI heinrich5991 
12:59 < laxadedi> *ssl with certificates
12:59 <@heinrich5991> I have no idea where your problem lies
12:59 <@heinrich5991> we have a set up in mind that will work :)
12:59 < laxadedi> I mean
12:59 < laxadedi> Ok
12:59 <@heinrich5991> (and is secure)
12:59 < laxadedi> You have switched to openssl right ?
12:59 <@heinrich5991> startssl
12:59 <@heinrich5991> yes
12:59 < laxadedi> Yes sorry
13:00 < laxadedi> what is the display when trying to connect with crhome/IE on win xp ?
13:00 < laxadedi> Certificate can't be trusted ?
13:01 <@heinrich5991> I guess
13:01 < laxadedi> On fully patched windows Xp with latest available IE for the OS ?
13:02 <@heinrich5991> I don't have a winxp at hand. but qualys ssl labs says that the server requires SNI and that winxp sp3 with ie8 doesn't supprot it
13:03 <@heinrich5991> ah
13:04 < laxadedi> For, SNI and certificate can't be trusted are 2 different things
13:04 < laxadedi> I could be wrong
13:05  * EastByte installing chrome in a xp vm
13:05 <@heinrich5991> yes, they're two different things
13:06 <@heinrich5991> but due to missing SNI, nginx will send out the wrong certificate, I guess
13:06 < laxadedi> That is probably the issue I agree
13:06 < laxadedi> https://gist.github.com/StefanWallin/5690c76aee1f783c3d57
13:07 < laxadedi> If you haven't looked
13:07 < laxadedi> What was the previous certificate used on ddnet ?
13:07 <@heinrich5991> let's encrypt
13:08 <@heinrich5991> and before that no https at all
13:08 <@heinrich5991> (not even on the forum)
13:08 < laxadedi> I remember deen using a self-signed certificate some times ago
13:10 <@EastByte> yes, that was usable
13:10 <@EastByte> (with firefox atleast)
13:11 <@EastByte> and I accidentaly always distributed the https links
13:12 <@EastByte> https://eastbit.net/priv/09_Feb-16-14_11.png
13:12 <@EastByte> hm seems to work for me
13:12 <@EastByte> maybe chrome made an update?
13:14 <@EastByte> looks like the SNI problem doesn't exist with chrome
13:14 <@EastByte> the CA is trusted
13:14 < laxadedi> sni isn't supported by Xp
13:47 < Soreu> btw, next chrome updats won't support XP anymore (just informing in case you don't know)
13:52 <@EastByte> one should spread a virus that disables internet connectivity on xp machines
13:52 <@EastByte> perfect antivirus
13:52 < laxadedi> lol
13:53 <@EastByte> I mean, malware distributing security software is getting pretty common :p
13:53 < laxadedi> Hu ?
13:54 <@EastByte> yea, heard about that twice the last days
13:54 <@EastByte> someone exploited a botnet and force installed avira antivirus on all the machines
13:55 < laxadedi> I'd like the sources of that, seems interesting but still illegal
13:55 <@EastByte> http://thehackernews.com/2016/02/botnet-antivirus.html
13:56 <@EastByte> there also was something like that relating vulnerable routers
13:57 < laxadedi> Interesting story ^^
13:58 < laxadedi> Some hackers made honeypot to studies some botnets also
13:59 <@EastByte> some hackers hacked honeypots and got into the host system :p
13:59 < Gabeee> EastByte: When I was an intern at a company that repairs computers, I was laughing but I understood and learnt quite a lot actually
13:59 < Gabeee> There was a guy with a laptop and a dead battery running a shitty old windows 2000
13:59 < Gabeee> And he said "The viruses don't work on this crap"
14:01 <@EastByte> Gabeee: I guess these old windows versions are getting less of a target
14:01 < laxadedi> That's actually completely false
14:02 < laxadedi> last major CVE on windows was explitable on all versions of windows, but Xp was already out of warranty
14:02 <@EastByte> yes, they are easy to exploit
14:03 <@EastByte> but I guess such old systems aren't really profitable anymore
14:03 < laxadedi> why that ?
14:11 <@EastByte> because it's getting old? such systems always were exploitable without much effort
14:17 < Gabeee> EastByte: xp is still worty in china, a lot
14:26 <@heinrich5991> laxadedi: can you link the CVE?
15:01 < laxadedi> http://googleprojectzero.blogspot.fr/2015/07/one-font-vulnerability-to-rule-them-all.html
15:01 < laxadedi> I think this is it
15:01 < laxadedi> font based exploit that leads to RCE from simply browsing the web
15:02 < laxadedi> http://www.cvedetails.com/cve/2015-2426
15:02 < laxadedi> this one
15:02 < laxadedi> they say nothing about Win Xp cause it was already out of warranty
15:03 < laxadedi> There is even a metasploit module, just to say xD
17:52 <@deen> hi EryX 
17:52 < EryX> hi
17:53 <@deen> ddnet website and forum should be forced to https for everyone now
18:10 < F1rSt> hi all
18:10 < EryX> Hi
18:10 < F1rSt> deen: do you have skype or something ? can u talk with microphone ?
18:10 < F1rSt> EryX: hi <3 :D
18:11 < EryX> We know eachother?
18:11 < F1rSt> EryX: no i just get along very soon
18:12 < EryX> I know that he got skype, but i don't think that he'll talk via microphone
18:14 <@deen> F1rSt: i prefer irc
18:16 <@deen> F1rSt: Full story: I had to make a new skype account after adding everyone who asked me for skype and getting random messages all the time :P
18:16 < fstd> voice chat sucks anyway, too transient
18:17 <@heinrich5991> transience isn't necessarily a bad thing :)
18:17 < EryX> Daredevil or Narcos
18:17 < fstd> well for chit chat it's okay, yeah
18:25 <@deen> EryX: might be the wrong channel for movie recommendations^^
18:30 <@heinrich5991> EryX: daredevil
18:30 <@heinrich5991> heard of that before :D
18:45 < EryX> okkk heinrich  ty
18:46 < Gabeee> you shouldn't use skype, guys
18:46 < Gabeee> Everyone can have your ip based on your skype id
18:47 < Gabeee> (and this is bad when someone who knows someone who has your id get your ID to launch an attack :P)
18:57 <@EastByte> Gabeee: try to lookup my skype id: annoyingeast
18:59 < Gabeee> EastByte: 37.187.1.*
19:00 <@EastByte> yep, and now do a host lookup on that ip
19:00 < Gabeee> I'm sure it's a proxy or so
19:00 < Gabeee> but always, crappy website you can look it up:
19:00 < Gabeee> http://mostwantedhf.info/
19:00 <@EastByte> it's the same server my irc client runs on
19:01 < Gabeee> same for me :P
19:02 < EryX> why i cant find my own ip on mostwantedhf   desert-b0b
19:02 < EryX> "IP not found"
19:02 < Gabeee> you're using the web skype version?
19:03 < EryX> no
21:57 < Switcher_> will there be a menu to change the weapon-skin in the ddnet client? 
22:09 <@heinrich5991> I don't think there's an issue for that yet