01:38:30 Does anyone know why Noise protocol was ruled out for p2p traffic? vtnerd mentioned that it was yesterday in #monero-dev 01:38:39 But I wasn't able to find any other information on this 01:39:51 I had a discussion with jberman, where it was difficult for me to list strong arguments in favor of implementing it 01:40:25 basically, we could in theory make it hard to identify as monero traffic, but in practice the default ports are going to give it away 01:40:58 so the value add for noise is that port+dpi is probably difficult (because dpi could identify ssl more easily) 01:41:30 but that was the small benefit, with the downside of maintaining a custom implementation or making yet-another dependency 01:42:02 if you feel strongly about it, most this is in the ssl PR, and we can discuss switching to noise instead 01:42:24 also note that we aggressively “pin” TLS/SSL versions and ciphersuites 01:42:32 I was just wondering about it haha 01:42:37 What do you mean by 'pin'? 01:43:07 we force newish version of SSL, so that downgrade attacks on older SSL versions are not possible 01:43:31 all monero SSL uses this logic, so its standard across all monero related ssl stuff 01:44:03 Does monero wallets enforce HSTS? Like if I enable it on my nodes? 01:46:45 uh it doesn’t use HSTS. afaik this is super specific to browsers mostly 01:48:25 Ok, so not going to lose time to set that up 01:48:50 there is a flag in the wallet —daemon-ssl enabled that requires SSL with a signed cert 01:51:01 Well, my node force tls by default and wallets seam to be fine with that (autodetect) 01:51:22 For rpc 01:51:48 the only issue with autodetect is that it allows MitM - an attacker pretends that SSL is disabled, etc 01:52:24 Yeah, its why I asked about HSTS. 01:54:34 yes, use —daemon-ssl enabled to simulate HSTS mode 01:55:44 I mean if someone mitm me, dose it will notice that the cert changed (even if the cert is valid)? 01:56:16 I use a reverse proxy to enable tls 06:08:22 "https://rekt.news/cutting-corners", "Can't audit everything? Just draw some arbitrary lines and hope attackers respect the boundaries" :D 14:55:47 https://github.com/monero-oxide/monero-oxide/tree/fcmp%2B%2B/audits is my organization and presentation of the FCMP++ audits w.r.t. the modules in the codebase. 14:56:16 (the GBP academia is included with the GBP folder corresponding to the GBP impl) 14:57:45 Some libs from Serai are used as deps, audited some years ago: https://github.com/serai-dex/serai/tree/develop/audits/Cypher%20Stack%20crypto%20March%202023 14:58:33 For the Rust ed25519 library we use, we have the option of formally verified arithmetic for the field implementations. 14:59:12 And then while the Monero node may not be audited, Cuprate serves as a canary. Any large enough institution should run both. 14:59:53 Oh. Serai also has a BBP over a variety of our cryptography libs, Monero has its BBP. 15:01:35 monero-oxide, not yet inclusive to the fcmp++ code, is also something I've currently stated I'll accept reports for under Serai's BBP, pending its own program. 15:02:36 All in all, it puts Monero's posture in a decent place. 15:03:53 I do believe the best solution to security on a node level is independent implementations. 15:05:59 FCMP++ is almost entirely done and moving to redundant reviews (which are only redundant until they aren't). 15:06:25 We've also finally straightened out multisig, hash to curve? 15:13:50 Oh. I saw the posted link and figured I'd comment re: Monero yet missed _who_ posted it. Never mind then.