Agenda

• status updates
• GPG api authentication token in MIG
  • http://4u.1nw.eu/api.rst.html#authentication-with-x-migauthorization

GPG API Authentication

• Use HTTPS only, to avoid replay attacks (nonces are not cached)
• Suggested test cases to implement to protect against common attacks
  • Timestamp in Header is not same as in Signature
  • Nonce too short (consider alphanumeric charset or so?)
  • Ensure that server time is correct regularly ?!
  • I had another really great idea but I forgot.

Status Updates

• freddyb
  • SRi things. rewriting the spec
    • in essence: just scripts and styles.
• ulfr
  • MIG
    • back on mig code! lots of investigator management code, fairly boring but nice to have
    • now designing an api authentication method
  • TLS
    • hkpk experiments in webops
    • tls observatory stuff
• jeff
  • lua sucks
  • beta testing Elastic Search "shield" security offering
  • other folks want to use mozdef but it needs SAML auth
  • blocked china in a demo..fun!
• mgoodwin
  • No update
  • security.cert_pinning.enforcement_level
    • 0 means: no enforcement at all
    • 1 means: hard fail for non-local roots (and other errors)
    • 2 means: hard-fail, inc. local roots
  • security.cert_pinning.process_headers_from_non_builtin_roots
    • true = allow HPKP pins from local roots
    • false = don't allow HPKP pins from local roots (default)
  • https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/
• psiinon
  • ZAP frozen for 2.4.0