SN 792: NAT Firewall Bypass

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

With regard to the root certificate that Let’s Encrypt used for cross-signing:

That also means all sites that bought certificates from that authority will also stop working (and other root certificates will also start to slowly become invalid on those old devices).

A second point, many apps use encrypted transport (hopefully all of them), which means that all of those apps will also stop working, if the servers are using Let’s Encrypt to provide their certificates (most use https to transfer their data back and forth).


Usually a CA has multiple root certs valid at the same time. They should NEVER issue a cert for a site without an expiry that is less than the expiry of the signing CA cert. I believe CA cross-signing may be an odd duck exception… not that aware of the rules in that regard.

Yes, but those devices haven’t received any root cert updates since 2016. That is the point: any set to die, like the one mentioned, will stop working and, although the CA might have issued new certs between 2016 and 2020, they won’t have found their way onto those devices.

This is a general problem for these devices, it doesn’t just affect Let’s Encrypt.

Well all certs have an expiry… all I’m saying is the sub-cert will always expire before the CA cert that signed it.

Yes, but that will always be renewed against the new root cert, so will also be invalid on those older devices, even though they are valid.

I just don’t understand your point. Certs expire. They always have. They always will. A device needs to have support for updating any certs it uses and an OS needs to have support for updating CA certs it trusts. The warning about Android is merely because old versions of Android have no way to update their CA cert list. There is nothing new to see here.

Correct. But Steve’s point, or rather his reiteration of the Let’s Encrypt EOL on Android pre-2016, makes it sound like it is an LE-only problem. I was just pointing out that it affects all CAs on those devices whose root certs are expiring.
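The situation this exchange describes (a device whose trust store was last updated in 2016, a CA that moved to a new root via a cross-sign from an old root, and servers whose chain runs through that cross-sign), as an added Python example that is not part of the thread; all certificate names and dates are constructed, not real CAs:

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str      # who the cert is for (a CA name or a hostname)
    issuer: str       # the CA that signed it
    not_before: date
    not_after: date

def valid_at(cert, when):
    return cert.not_before <= when <= cert.not_after

def find_chain(cert, pool, store, when, depth=0):
    """Return a list of certs from `cert` up to a root in `store`, or None.
    Every link must be inside its validity window at `when`; the chain ends
    when the issuer name is found in the device's trust store."""
    if depth > 8 or not valid_at(cert, when):
        return None
    root = store.get(cert.issuer)
    if root is not None and valid_at(root, when):
        return [cert, root]
    for cand in pool:  # intermediates and cross-signed CA certs the server sends
        if cand.subject == cert.issuer and cand is not cert:
            rest = find_chain(cand, pool, store, when, depth + 1)
            if rest:
                return [cert] + rest
    return None

def links_outliving_issuer(chain):
    """Subjects whose notAfter is later than that of the cert that signed them."""
    return [c.subject for c, signer in zip(chain, chain[1:]) if c.not_after > signer.not_after]

# Constructed certificates (names and dates are illustrative, not real CAs).
OLD_ROOT = Cert("Old Root CA", "Old Root CA", date(2000, 9, 30), date(2021, 9, 30))
NEW_ROOT = Cert("New Root CA", "New Root CA", date(2015, 6, 4), date(2035, 6, 4))
CROSS    = Cert("New Root CA", "Old Root CA", date(2015, 6, 4), date(2021, 9, 30))  # cross-sign
MID      = Cert("Issuing CA", "New Root CA", date(2020, 9, 4), date(2025, 9, 15))
LEAF     = Cert("www.example.test", "Issuing CA", date(2021, 8, 1), date(2021, 10, 30))
POOL = [MID, CROSS]
FROZEN_2016_STORE = {OLD_ROOT.subject: OLD_ROOT}                 # device last updated in 2016
CURRENT_STORE = {OLD_ROOT.subject: OLD_ROOT, NEW_ROOT.subject: NEW_ROOT}

if __name__ == "__main__":
    for store_name, store in [("frozen-2016", FROZEN_2016_STORE), ("current", CURRENT_STORE)]:
        for when in (date(2021, 9, 1), date(2021, 10, 1)):
            chain = find_chain(LEAF, POOL, store, when)
            path = " -> ".join(c.subject for c in chain) if chain else "NO VALID PATH"
            print(f"{store_name:12} {when}: {path}")
```

The frozen store only ever reaches the old root through the cross-signed cert, so once that cross-sign and the old root expire the leaf stops validating there while an updated store still finds the shorter path to the new root; links_outliving_issuer flags the one link where an issued cert outlives its signer.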

All the vulnerabilities in WordPress show is how popular WordPress is. I’m sure that Xenforo has the same number of issues should anyone go looking for them. The only truly secure websites would, in my opinion, be Web 1.0 sites. WordPress may even be more secure because, like I said, due to its popularity people are going out of their way to find these bugs.
Having to wait a year between each Peter F Hamilton book is nothing… I first heard about The Dresden Files series in 2017 and I finished reading them in mid-2018. Then we had to wait until this September before we got another two Dresden Files books.

@Leo I’m in the middle of installing a Ubiquiti home network (UDM, 24-port-poe, cameras, FlexHD APs, etc) in a client’s home, so I perked up when you mentioned mitigating “Slipstream” on your network. I can’t test the Unifi instructions because the UDM-Pro is in a box awaiting on-site install, but I did this on my own Edgerouter. There are two relevant discussions on disabling the ALGs running on Ubiquiti kit…

Seems pretty straightforward for Unifi. Only 10% more difficult on EdgeRouter… Cheers!

Yeah it looks like the only ALG on the UDM is SIP and that’s off by default. Whew!

Yeah, it’s strange that it’s disabled on Unifi, but enabled on EdgeOS. That means everyone with the cheap-o ER-X device as firewall has SIP (and FTP, TFTP, H.323, and more) enabled by default…

If they’re expecting the same person to buy one who would buy a consumer router then that fits with the competition. (Not saying that’s good, but am saying it’s not unexpected.)

The ER-X is rather a loss-leader, and is certainly a hardware dead-end, for Ubiquiti. I was not aware all these ALG services were running by default. It’s a rather crazy choice by Ubiquiti.