Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


Unless you fancy running your own internal CA and signing the certs with both foo and foo.whatever.com as subject alternative names and installing that root cert on all your devices


RFC2324
Jun 7, 2012

http 418



Rufus Ping posted:

Your diagnosis is correct but there isn't really a way to make it work because the name in the cert simply doesn't match the one you're requesting if you omit the suffix

internal self signed cert that you import into your browser store, but its certainly not worth it

e;fb

Subjunctive
Sep 12, 2006

sparkle and shine



make http://edge/ redirect to https://edge.mydomain.tld/ if you want to save the typing

BlankSystemDaemon
Mar 13, 2009

System Access Node Not Found



Also, combine it with split-horizon DNS, just for fun.

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!

admiraldennis posted:

https://edge.mydomain.tld/ -- works fine, yay

https://edge/ (search domain: mydomain.tld) -- ERR_CERT_COMMON_NAME_INVALID

Well, use the full name internally, too.

If I want to access my Grafana instance, I go https://influx.home.mydomain.tld/ and presto. Sure, dropping the whole domain shtick makes it quicker to type, but browser autocomplete to the rescue.

(Also try to access that URL all you want, it's an IPv6 ULA.) --edit: Or maybe not. This is the infosec thread after all.

Combat Pretzel fucked around with this message at 13:13 on Feb 16, 2021

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!

Bye Lastpass...

https://blog.lastpass.com/2021/02/changes-to-lastpass-free/

BlankSystemDaemon
Mar 13, 2009

System Access Node Not Found



Nobody could've seen that coming, surely.

RFC2324
Jun 7, 2012

http 418



Its an interesting way to destroy your product, thats for sure

denereal visease
Nov 27, 2002

"Research your own experience. Absorb what is useful, reject what is useless, add what is essentially your own."

What are some good alternatives to LastPass? I think BitWarden was pretty popular last time the question got asked.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

denereal visease posted:

What are some good alternatives to LastPass? I think BitWarden was pretty popular last time the question got asked.

LogMeOnce and Bitwarden are, I think, some of the only remaining free options that work across both PCs and mobile devices.

If you're willing to pay there are a bunch of decent options, of course.

SpaceSDoorGunner
May 4, 2018




denereal visease posted:

What are some good alternatives to LastPass? I think BitWarden was pretty popular last time the question got asked.

Bitwarden hands down from an ease of use standpoint, it seems to be like signal where it's basically turnkey but also to my knowledge as secure as anything like could be, keepass seems to be what all the uber nerds use since you can self host and set up your own fancy 2FA stuff.

Internet Explorer
Jun 1, 2005


1Password is great.

CLAM DOWN
Feb 13, 2007


RICKARUS

It's Moot baby!




1password is by far the best option, of all password managers.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!


Pillbug

1Password is really good, I still use Keepass with a synced database.

The Iron Rose
May 12, 2012

Cat Army


+1 to 1password

I got my parents using it, you can too!

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

I also like 1Password. Its only real downside is that it's not free. But a family plan is $5/mo for 5 people, so pretty cheap.

admiraldennis
Jul 22, 2003

I am the stone that builder refused
I am the visual
The inspiration
That made lady sing the blues


I've been using 1Password since the stone ages and it still strikes me as the best one. I used to sync the database myself via rsync and then DropBox. Some year I finally gave in and subscribed to their hosted sync service.

I also set up my Dad successfully with it.

admiraldennis
Jul 22, 2003

I am the stone that builder refused
I am the visual
The inspiration
That made lady sing the blues


Rufus Ping posted:

Unless you fancy running your own internal CA and signing the certs with both foo and foo.whatever.com as subject alternative names and installing that root cert on all your devices

This piques my interest but is probably too annoying. I suppose I don't mind doing a little work and installing my own root cert on my most-used devices.

But my guess is that I can't have both my own CA/cert for foo and then also a real trusted CA/cert for foo.mydomain.tld? (Maybe with a fancy dedicated https server, but note that in a bunch of cases here I'm just adding certs to pfsense, plex, freenas, etc, etc?).

Subjunctive posted:

make http://edge/ redirect to https://edge.mydomain.tld/ if you want to save the typing

Yeah, I might do something like this. Though instead of running a bunch of http servers - I'd really just like Chrome itself to be aware of my "default DNS suffix" preference and do the redirecting on its own. Come on, where's the dumb plugin for this?

BlankSystemDaemon posted:

Also, combine it with split-horizon DNS, just for fun.

Hmm...

Combat Pretzel posted:

Well, use the full name internally, too.

Yeah, well, OK, maybe.

BaronVanAwesome
Sep 11, 2001

I will never learn the secrets of "Increased fake female boar sp..."

Never say never, buddy.
Now you know.
Now we all know.


I've been using Lastpass for years after I got a year in a Humble Bundle once upon a time, and probably looking to switch to BitWarden.

Found there seems to be a way to import stuff, although I was ready to just spend a day moving stuff over anyway.

https://bitwarden.com/help/article/import-from-lastpass/

SpaceSDoorGunner
May 4, 2018




I like bitwarden because it was very easy to import all my passwords from NordPass and all my saved browser passwords. I haven't tried 1pass but obviously that seems to be more popular, bitwarden is also free though.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


admiraldennis posted:

But my guess is that I can't have both my own CA/cert for foo and then also a real trusted CA/cert for foo.mydomain.tld? (Maybe with a fancy dedicated https server, but note that in a bunch of cases here I'm just adding certs to pfsense, plex, freenas, etc, etc?).

Yeah most appliances will only let you load a single cert chain so you can't do that unfortunately

Last Chance
Dec 31, 2004



admiraldennis posted:

Yeah, I might do something like this. Though instead of running a bunch of http servers - I'd really just like Chrome itself to be aware of my "default DNS suffix" preference and do the redirecting on its own. Come on, where's the dumb plugin for this?

I may be way out of my depth here, but wouldn't a browser plugin that's designed to be able to forward local traffic to a TLD be a security risk of sorts if used in the wrong hands?

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


Last Chance posted:

I may be way out of my depth here, but wouldn't a browser plugin that's designed to be able to forward local traffic to a TLD be a security risk of sorts if used in the wrong hands?

It would I suppose, but the original sin would be someone having the ability to install such software on your computer in the first place, at which point it's game over

azurite
Jul 25, 2010

Strange, isn't it?!




SpaceSDoorGunner posted:

I like bitwarden because it was very easy to import all my passwords from NordPass and all my saved browser passwords. I haven’t tried 1pass but obviously that seems to be more popular, bitwarden is also free though.

Back in 2015 or whatever, I was able to transfer my LastPass logins to 1Password fairly easily.

Boner Wad
Nov 16, 2003


I still use 1Password with a Dropbox synced database. I felt like uploading all of my secrets to a cloud provider would be risky for me to do. Risk wise, compromise or just reliant on a third party to access my own data is not ideal.

Space Gopher
Jul 31, 2006
BLITHERING IDIOT

Boner Wad posted:

I still use 1Password with a Dropbox synced database. I felt like uploading all of my secrets to a cloud provider would be risky for me to do. Risk wise, compromise or just reliant on a third party to access my own data is not ideal.

If you don't like storing your passwords on cloud services I've got some real bad news about Dropbox

Mr. Crow
May 22, 2008

Snap City mayor for life


Boner Wad posted:

I still use 1Password with a Dropbox synced database. I felt like uploading all of my secrets to a cloud provider would be risky for me to do. Risk wise, compromise or just reliant on a third party to access my own data is not ideal.



Also who pays for a password manager lmbo install syncthing and keypass, done. self hosted auto syncing cloud.

BlankSystemDaemon
Mar 13, 2009

System Access Node Not Found



I like to KeeP rear end.

AgentCow007
May 20, 2004
TITLE TEXT

I had terrible luck with sync programs for my KeePass file with conflicts and overwriting, so I've been running a lightweight VPS to host it with WebDAV. KeePass + WebDAV handles that stuff way more reliably than any sync solution I've tried. DigitalOcean has a guide to set it up that even a Linux newbie could follow, and you can usually find a cheap yearly price on a VPS at lowendbox.com. I think I pay $12/year for mine.

The downside is that almost none of the third-party KeePass clones for Mac or Linux have WebDAV implemented so you'd have to use some crappy virtual drive or sync thing anyways which totally defeats the purpose, but I tend to avoid those platforms anyways.

CLAM DOWN
Feb 13, 2007


RICKARUS

It's Moot baby!




AgentCow007 posted:

I had terrible luck with sync programs for my KeePass file with conflicts and overwriting, so I've been running a lightweight VPS to host it with WebDAV. KeePass + WebDAV handles that stuff way more reliably than any sync solution I've tried. DigitalOcean has a guide to set it up that even a Linux newbie could follow, and you can usually find a cheap yearly price on a VPS at lowendbox.com. I think I pay $12/year for mine.

The downside is that almost none of the third-party KeePass clones for Mac or Linux have WebDAV implemented so you'd have to use some crappy virtual drive or sync thing anyways which totally defeats the purpose, but I tend to avoid those platforms anyways.

Jesus dude why

AgentCow007
May 20, 2004
TITLE TEXT

CLAM DOWN posted:

Jesus dude why

I mean I use it all day every day, so spending 30 mins setting up a server that will run hands-off for years is a pretty good investment. Like I said, I have conflicts or bad overwrites way too frequently with any sync programs, and KeePass' built-in WebDAV support is phenomenal.

AgentCow007 fucked around with this message at 08:48 on Feb 17, 2021

BlankSystemDaemon
Mar 13, 2009

System Access Node Not Found



There's no real way of doing three-way merges on encrypted flat files, so you can't have multiple databases open at the same time and expect to be able to modify them.
WebDAV sort of makes this possible, but it's mostly a hack.

SpaceSDoorGunner
May 4, 2018




Actually yeah that's why I didn't go with keepass- Bitwarden had worked flawlessly for me across mobile, mac, and linux. I can always just open my phone in a few seconds if I need to see it if it's a work password and can't install it on that device. Presumably works fine on windows but since I've dabbled in this stuff I'm terrified of using windows for anything more important than my steam account.

I've been flipping through the Humble Bundles and Hacking the Art of Exploitation was exactly the book/course I've been looking so long for- something C based and comprehensive.

BlankSystemDaemon
Mar 13, 2009

System Access Node Not Found



KeePass works fine with syncthing if you just remember to not leave your password database unlocked when you aren't using it, which, you know, you should do anyway.

SpaceSDoorGunner
May 4, 2018




BlankSystemDaemon posted:

KeePass works fine with syncthing if you just remember to not leave your password database unlocked when you aren't using it, which, you know, you should do anyway.

Keepass was relatively less user friendly in iOS and Mac than either Bitwarden or NordPass for me.

I wanted to switch off of Nord's system earlier so I tried Keepass first but Bitwarden kinda just worked on all my devices with less hassle.

I do use keypass for my osint vm since granular control is obviously more important there.

One downside if you're in like an office environment where your stuff is left unattended is that bitwarden takes a long time to re-lock by default. Don't know if you can change that setting since it doesn't apply to me but that could be an issue for people who just install it and leave it to work.

SpaceSDoorGunner fucked around with this message at 13:00 on Feb 17, 2021

Truga
May 4, 2014




Lipstick Apathy

keepass has separate save and sync functions. you're supposed to have a copy of the db you open, and then a "sync file" in a separate location, which you then copy around with syncthing. keepass has a trigger system that lets you automate syncing every time you hit save, so it's not a bother either once set up.

i've edited keepass on my laptop, work pc, and phone while at my desk at work simultaneously and then saved and nothing was ever lost. just have to hit save again on the 2 that didn't sync last to get the last changes

BlankSystemDaemon
Mar 13, 2009

System Access Node Not Found



Truga posted:

keepass has separate save and sync functions. you're supposed to have a copy of the db you open, and then a "sync file" in a separate location, which you then copy around with syncthing. keepass has a trigger system that lets you automate syncing every time you hit save, so it's not a bother either once set up.

i've edited keepass on my laptop, work pc, and phone while at my desk at work simultaneously and then saved and nothing was ever lost. just have to hit save again on the 2 that didn't sync last to get the last changes

Not all versions of KeePass have this; it's not in KeePassXC - which I use because YubiKey/TOTP and keyfile support is loving neat, even if it does pull in a lot of Qt stuff, as well as a cli.

And just as I wrote this, I've discovered KeeShare, so now I need to look at that.

Achmed Jones
Oct 16, 2004





some people just really love janitoring computers i guess

CLAM DOWN
Feb 13, 2007


RICKARUS

It's Moot baby!




Achmed Jones posted:

some people just really love janitoring computers i guess

Seriously


CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!


Pillbug

Achmed Jones posted:

some people just really love janitoring computers i guess

Don't kink shame.
