<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Irresponsible Disclosure</title><link>https://blog.daknob.net/</link><description>Recent content on Irresponsible Disclosure</description><generator>Hugo</generator><language>en-us</language><copyright>© 2013-2026 Antonios A. Chariton. All rights reserved.</copyright><lastBuildDate>Thu, 11 Apr 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://blog.daknob.net/index.xml" rel="self" type="application/rss+xml"/><item><title>IPv6-First LANs with VyOS</title><link>https://blog.daknob.net/ipv6-first-with-vyos/</link><pubDate>Thu, 11 Apr 2024 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/ipv6-first-with-vyos/</guid><description>&lt;p&gt;&lt;a href="https://vyos.io/"&gt;VyOS&lt;/a&gt; is a free Linux-based distribution that can turn any
regular computer or virtual machine into a fully-featured router. By combining
existing open source software into a single image, and tying it together with a
single configuration file, upgrade mechanism, and an automation API, it makes
the job of network engineers and sysadmins easy.&lt;/p&gt;
&lt;p&gt;It&amp;rsquo;s been a few years since I last used it, after determining it was not good
enough for me, but the progress they&amp;rsquo;ve made in this time frame is
unbelievable, and it&amp;rsquo;s practically a different thing by now. I plan to blog
about VyOS more soon, and this transformation that happened, but for now I&amp;rsquo;d
like to go over a setup that I did.&lt;/p&gt;</description></item><item><title>Do you really need IPv4 anymore?</title><link>https://blog.daknob.net/do-you-really-need-ipv4-anymore/</link><pubDate>Tue, 09 Apr 2024 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/do-you-really-need-ipv4-anymore/</guid><description>&lt;p&gt;Setting up and maintaining access networks today requires double the effort
due to the parallel coexistence of IPv6 and IPv4. Dual-stack has network
engineers and sysadmins do twice the amount of work, so there must be a good
reason for it, right?&lt;/p&gt;
&lt;p&gt;The answer is &amp;ldquo;probably not&amp;rdquo;! The IPv4 network is not really needed, with the
exception of LANs with devices that do not support IPv6 after almost 30 years.
And even there, solutions can minimize the impact of that considerably.&lt;/p&gt;</description></item><item><title>Deploying Fiber In The Home</title><link>https://blog.daknob.net/fiber-in-the-home/</link><pubDate>Thu, 29 Feb 2024 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/fiber-in-the-home/</guid><description>&lt;p&gt;Getting a fiber Internet connection to your home is a big deal! It&amp;rsquo;s probably
the last physical connection you&amp;rsquo;ll ever need, due to the virtually unlimited
bandwidth, stability, performance, and attainable speeds.&lt;/p&gt;
&lt;p&gt;Having your ISP drop it off on the building entrance however is not enough.
Wiring within a building is often needed, especially if you need to reach
apartments, mechanical rooms, and all sorts of places where networking may be
required.&lt;/p&gt;</description></item><item><title>Single-domain or Multi-SAN certificates?</title><link>https://blog.daknob.net/the-rare-multisan-usecase/</link><pubDate>Sat, 09 Dec 2023 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/the-rare-multisan-usecase/</guid><description>&lt;p&gt;For &lt;a href="https://en.wikipedia.org/wiki/Transport_Layer_Security"&gt;TLS&lt;/a&gt; to be able to
encrypt connections between two communicating devices, by far the most common
authentication method is &lt;a href="https://en.wikipedia.org/wiki/X.509#Certificates"&gt;X.509
Certificates&lt;/a&gt;. They have been
around for decades and have supported the move to an encrypted web.&lt;/p&gt;
&lt;p&gt;The job of certificates is to bind two things together: a cryptographic key and
an identity. They serve as a document that tells us that, for example, the
public key&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;04:60:4a:74:2e:ea:2b:bf:16:3f:14:2f:c5:26:df:
fe:65:c7:bd:7f:81:b0:48:a7:dd:82:3b:36:ee:28:
0d:2b:2c:06:18:68:aa:9d:c3:b8:e7:73:cb:21:36:
11:b3:ec:f0:ff:ab:77:51:0a:fa:4e:07:27:16:1f:
23:3f:32:71:2e
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;is tied to the domain &lt;code&gt;daknob.net&lt;/code&gt;. It could have been an IP Address, an e-mail
address, or a few other things, but most certificates right now are used with
domain names.&lt;/p&gt;</description></item><item><title>The IXP is not your L2 Domain</title><link>https://blog.daknob.net/l2-protocols-on-ixes/</link><pubDate>Mon, 04 Dec 2023 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/l2-protocols-on-ixes/</guid><description>&lt;p&gt;There are currently over 1,100 &lt;a href="https://en.wikipedia.org/wiki/Internet_exchange_point"&gt;Internet Exchange
Points&lt;/a&gt; around the world
according to &lt;a href="https://www.peeringdb.com/"&gt;PeeringDB&lt;/a&gt;. These Internet
infrastructure locations serve as a meeting point for networks all over the
planet, allowing for cheap (or free!) exchange of low latency traffic.&lt;/p&gt;
&lt;p&gt;The idea is simple: if a lot of networks are in the same datacenter, why have
them spend a fortune connecting to each other with direct cables? We can add
some switches there, everyone connects to one of them, and then they get a
Layer 2 connection to all other participants.&lt;/p&gt;</description></item><item><title>Introducing TP: A Zero Trust Secure Proxy</title><link>https://blog.daknob.net/introducing-tp/</link><pubDate>Wed, 15 Nov 2023 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/introducing-tp/</guid><description>&lt;p&gt;Over the past few years I&amp;rsquo;ve been building a significant infrastructure that
contains a &lt;a href="https://bgp.tools/as/210312"&gt;network&lt;/a&gt; with great connectivity,
state-of-the-art compute capabilities based on Kubernetes, and a lot of
automation to keep it running.&lt;/p&gt;
&lt;p&gt;This serves as a great testbed to experiment with and implement all sorts of
technologies, including a &lt;a href="https://en.wikipedia.org/wiki/Zero_trust_security_model"&gt;Zero
Trust&lt;/a&gt; security model.
That&amp;rsquo;s increasingly more popular today, with many
&lt;a href="https://cloud.google.com/beyondcorp/"&gt;commercial&lt;/a&gt;
&lt;a href="https://www.cloudflare.com/zero-trust/"&gt;offerings&lt;/a&gt; to help enterprises reap
its benefits.&lt;/p&gt;
&lt;p&gt;As you can see in my previous posts, I have &lt;a href="https://blog.daknob.net/workload-mtls-with-acme/"&gt;built&lt;/a&gt;
an ACME CA which I am &lt;a href="https://blog.daknob.net/acme-end-user-client-certificates/"&gt;using&lt;/a&gt; to issue TLS
and SSH client certificates to all of my devices, such as my laptop. That&amp;rsquo;s
great, but how can I connect to all my services now using these?&lt;/p&gt;</description></item><item><title>Reset passwords after a data breach?</title><link>https://blog.daknob.net/password-reset-after-data-breach/</link><pubDate>Thu, 27 Jul 2023 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/password-reset-after-data-breach/</guid><description>&lt;p&gt;Today I received an e-mail from a website I am using regarding a data breach
that seems to have leaked the user database. The message was well written, and
it prompted users to reset their passwords and enable 2FA. That&amp;rsquo;s great, right?&lt;/p&gt;
&lt;p&gt;In this post I&amp;rsquo;d like to argue that blindly moving to password resets and calls
for 2FA isn&amp;rsquo;t necessarily the best first step for such situations. There&amp;rsquo;s more
that needs to happen in advance, otherwise you may even lower the security of
your users.&lt;/p&gt;</description></item><item><title>L3 Hardware Offload on MikroTik CRS326</title><link>https://blog.daknob.net/crs326-l3-hw-offload/</link><pubDate>Sun, 05 Feb 2023 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/crs326-l3-hw-offload/</guid><description>&lt;p&gt;With the release of RouterOS 7.1, MikroTik added &lt;a href="https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading"&gt;L3 HW
Offload&lt;/a&gt;.
But what is that?&lt;/p&gt;
&lt;p&gt;In order for a router to deliver packets correctly, for each one of them that
arrives in one of its interfaces, it needs to look at the destination IP
address, and then determine the right port that it should go out of.&lt;/p&gt;
&lt;p&gt;In order to decide, it uses an internal table, the routing table. This contains
the match between destination and interface. Some more advanced tables even
contain the source as well, or other parameters to take into account. A
simplified version looks like this, for IPv4:&lt;/p&gt;</description></item><item><title>End-user Client Certificates with ACME</title><link>https://blog.daknob.net/acme-end-user-client-certificates/</link><pubDate>Tue, 06 Dec 2022 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/acme-end-user-client-certificates/</guid><description>&lt;p&gt;&lt;strong&gt;DISCLAIMER:&lt;/strong&gt; &lt;em&gt;I am currently working for Google. This post is published in my
personal capacity, without using any knowledge I may have obtained from my
employment with them. All the information provided here is coming from purely
personal time and effort and does not represent the opinions or practices of my
employer.&lt;/em&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;In my &lt;a href="../workload-mtls-with-acme"&gt;previous blog post&lt;/a&gt; I described how I built
my own ACME CA to issue workload certificates for the various services I am
running. The only thing left out was one final use case. End-user client
certificates. This post helps complete the &amp;ldquo;vision&amp;rdquo; of the &amp;ldquo;mTLS Universe&amp;rdquo;.
After reading this out loud, I can see how it may sound like a nightmare for
some&amp;hellip; :)&lt;/p&gt;</description></item><item><title>Workload mTLS with ACME &amp; Go</title><link>https://blog.daknob.net/workload-mtls-with-acme/</link><pubDate>Mon, 05 Dec 2022 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/workload-mtls-with-acme/</guid><description>&lt;p&gt;&lt;strong&gt;DISCLAIMER:&lt;/strong&gt; &lt;em&gt;I am currently working for Google. This post is published in my
personal capacity, without using any knowledge I may have obtained from my
employment with them. All the information provided here is coming from purely
personal time and effort and does not represent the opinions or practices of my
employer.&lt;/em&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;ACME, standardized in &lt;a href="https://www.rfc-editor.org/rfc/rfc8555.html"&gt;RFC8555&lt;/a&gt;,
provides for a way of automatically issuing certificates at scale, using an
API, and eliminating all manual work. Most of the TLS certificates issued today
in the WebPKI are issued using ACME. It is an enormous milestone for a protocol
first presented in 2016 and standardized in 2019!&lt;/p&gt;</description></item><item><title>A scalable OCSP Responder on Cloudflare Workers</title><link>https://blog.daknob.net/cf-ocsp/</link><pubDate>Wed, 16 Nov 2022 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/cf-ocsp/</guid><description>&lt;p&gt;&lt;strong&gt;DISCLAIMER:&lt;/strong&gt; &lt;em&gt;I am currently working for Google. This post is published in my
personal capacity, without using any knowledge I may have obtained from my
employment with them. All the information provided here is coming from purely
personal time and effort and does not represent the opinions or practices of my
employer.&lt;/em&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;We use X.509 certificates everywhere today, many times a day, without knowing
so. They are used to secure TLS, e-mail via S/MIME, VPN servers, etc. They even
help protect your connection right now, as you are reading this blog post.&lt;/p&gt;</description></item><item><title>Fixing IP Geolocation: An ISP Guide</title><link>https://blog.daknob.net/fix-ip-geoloc-isp-guide/</link><pubDate>Thu, 03 Nov 2022 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/fix-ip-geoloc-isp-guide/</guid><description>&lt;p&gt;&lt;strong&gt;DISCLAIMER:&lt;/strong&gt; &lt;em&gt;I am currently working for Google. This post is published in my
personal capacity, without using any knowledge I may have obtained from my
employment with them. All the information provided here is coming from purely
personal experience in dealing with this issue.&lt;/em&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;There are probably infinitely many reasons why one might want to know the
approximate location of a device based on its IP address. However, this
information is not part of any Internet protocol, therefore third party
services are trying to determine, with the highest accuracy possible, where
each address probably is. There are plenty of free and commercial offerings
that can provide this to operators.&lt;/p&gt;</description></item><item><title>AirPrinting across networks</title><link>https://blog.daknob.net/airprint-across-vlans/</link><pubDate>Mon, 27 Dec 2021 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/airprint-across-vlans/</guid><description>&lt;p&gt;Thanks to Apple, a lot of modern printers and scanners today come with AirPrint
and AirScan, which allows seamless operation of capable devices over the
network, e.g. from an iPhone or a Mac. Linux even went ahead and added support
for that and now users of this OS can finally print too :)&lt;/p&gt;
&lt;p&gt;However, due to how AirPrint works, it does not work across Layer 2 domains
such as VLANs, or over IP-routed networks. Luckily, this is not a problem that
can&amp;rsquo;t be solved. In this post I am publishing the process I followed to allow
printing over any type of network, even across countries.&lt;/p&gt;</description></item><item><title>Configuring COSMOTE VoIP on your PBX</title><link>https://blog.daknob.net/cosmote-voip-pbx/</link><pubDate>Wed, 01 Dec 2021 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/cosmote-voip-pbx/</guid><description>&lt;p&gt;About a month ago, for technical reasons, I was no longer able to use COSMOTE&amp;rsquo;s
CPE in a landline connection with a traditional telephone. I could either spend
time and money in the middle of a pandemic, to have contractors visit and
route some cables, or, I could take the opportunity and do something I&amp;rsquo;ve been
hearing about recently, which is to switch the service to VoIP, and terminate
it to my own PBX.&lt;/p&gt;</description></item><item><title>The utilization of 44/8: the reason I mapped IPv4 &amp; IPv6</title><link>https://blog.daknob.net/mapping-44net/</link><pubDate>Sat, 15 May 2021 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/mapping-44net/</guid><description>&lt;p&gt;In the early days, when the Internet was just beginning, back in 1981, &lt;a href="https://en.wikipedia.org/wiki/Amateur_radio"&gt;radio
amateurs&lt;/a&gt; were allocated, by what
is now known as
&lt;a href="https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority"&gt;IANA&lt;/a&gt;, an
IPv4 block for usage and experimentation by all members of this hobby,
internationally. This block was 44.0.0.0/8, which is a huge amount of address
space by today&amp;rsquo;s standards, but effectively the only allocation size back then.&lt;/p&gt;
&lt;p&gt;This network was mainly used under the
&amp;ldquo;&lt;a href="https://en.wikipedia.org/wiki/AMPRNet"&gt;AMPRNet&lt;/a&gt;&amp;rdquo; name and utilized &lt;a href="https://en.wikipedia.org/wiki/Packet_radio"&gt;packet
radio&lt;/a&gt;, or to put it simply, a
packet-based network (like the Internet) over radio frequencies, wirelessly.
This network was able to interconnect &amp;ldquo;hams&amp;rdquo; (the people that have been
licensed to practice this hobby) around the world, and provide them with
digital connectivity before (access to) the Internet was generally available.&lt;/p&gt;</description></item><item><title>I lost my wallet(s)!</title><link>https://blog.daknob.net/lost-my-wallet/</link><pubDate>Sun, 09 May 2021 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/lost-my-wallet/</guid><description>&lt;p&gt;It is currently 2021, and cryptocurrencies have scored an all-time high in
terms of price, more than doubling the previous event that happened in 2017.
For the record, a Bitcoin (BTC) went for over 51,000 EUR. Even large companies
like Tesla &lt;a href="https://www.cnbc.com/2021/02/08/tesla-buys-1point5-billion-in-bitcoin.html"&gt;are buying large
volumes&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;So during this time, I was wondering if cryptocurrency theft is also on the
rise, because of the increased returns of performing these illegal actions.
After all, it makes sense to try and obtain something by any means, especially
when it became extremely more valuable than before.&lt;/p&gt;</description></item><item><title>The IPv4 Map of 36C3</title><link>https://blog.daknob.net/mapping-36c3/</link><pubDate>Fri, 03 Jan 2020 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/mapping-36c3/</guid><description>&lt;p&gt;Last year (three days ago), I visited
&lt;a href="https://events.ccc.de/congress/2019/wiki/index.php/Main_Page"&gt;36C3&lt;/a&gt;, the 36th
Annual CCC event, held in Leipzig, Germany. This is an event with thousands of
attendees, that gather together to attend talks, hack things, create tools,
showcase new projects, etc. It is an amazing event, that I simply can&amp;rsquo;t
recommend enough.&lt;/p&gt;
&lt;p&gt;During this event, the &lt;a href="https://twitter.com/c3noc"&gt;C3NOC&lt;/a&gt;, under the trademark
CCC Internetmanufaktur™, provides an amazing network, both wired and wireless,
for attendees to use. It spans the entire event area, and people use it
extensively. This network is dual-stack, which means it runs on both IPv6 and
IPv4.&lt;/p&gt;</description></item><item><title>Mapping the Greek Internet - Oct 2019 Edition</title><link>https://blog.daknob.net/mapping-the-greek-inet-oct-19/</link><pubDate>Mon, 04 Nov 2019 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/mapping-the-greek-inet-oct-19/</guid><description>&lt;p&gt;In October of 2019, I attended &lt;a href="https://ripe79.ripe.net/"&gt;RIPE79&lt;/a&gt; in Rotterdam,
which was a very good experience. I had a chance to meet new people, talk to
people I already knew, exchange ideas, and discuss various topics. It&amp;rsquo;s a very
good event, and I recommend it, if you can attend.&lt;/p&gt;
&lt;p&gt;During one of the conversations I had there, ironically with another guy from
Crete, &lt;a href="https://twitter.com/vkotronis"&gt;Vasileios Kotronis&lt;/a&gt;, we discussed
how some companies pay large sums to obtain IPv4 space, yet some others,
especially universities, have vast and unutilized address space. And then we
wondered, if there was a way to know how much IP Space is being used, and how
much isn&amp;rsquo;t, and it&amp;rsquo;s just sitting there.&lt;/p&gt;</description></item><item><title>Academic Publications</title><link>https://blog.daknob.net/academic/</link><pubDate>Sat, 05 Oct 2019 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/academic/</guid><description>&lt;p&gt;Welcome to the academic part of this website. Here you can find my academic
profile, as well as a list of my peer-reviewed publications, including all the
files, in PDF format. My profile on Google Scholar is
&lt;a href="https://scholar.google.com/citations?user=WZ2I53YAAAAJ"&gt;this&lt;/a&gt;. And here&amp;rsquo;s
&lt;a href="https://dblp.org/pers/hd/c/Chariton:Antonios_A="&gt;DBLP&lt;/a&gt;. My current academic
affiliation is Undergraduate Student, at the &lt;a href="https://www.csd.uoc.gr/"&gt;Computer Science
Department&lt;/a&gt;, of the &lt;a href="https://www.uoc.gr/"&gt;University of
Crete&lt;/a&gt;.&lt;/p&gt;
&lt;h3 id="list-of-publications"&gt;List of Publications&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://pdf.daknob.net/academic/zombies-imc-2025.pdf"&gt;A First Look into Long-lived BGP
Zombies&lt;/a&gt;, Iliana Xygkou,
Antonis Chariton, Xenofontas Dimitropoulos, Alberto Dainotti, &lt;em&gt;2025 ACM
Internet Measurement Conference (IMC ’25)&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://pdf.daknob.net/academic/outopia-eurosec-2022.pdf"&gt;OUTOPIA: Private User Discovery on the
Internet&lt;/a&gt;,
Panagiotis Papadopoulos, Michalis Pachilakis, Antonios A. Chariton, Evangelos
P. Markatos, &lt;em&gt;15th European Workshop on Systems Security (EUROSEC ’22)&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://pdf.daknob.net/academic/ccsp-toit-2020.pdf"&gt;Design and Implementation of a Compressed Certificate Status Protocol&lt;/a&gt;, Michalis Pachilakis, Antonios A. Chariton, Panagiotis Papadopoulos, Panagiotis Ilia, Eirini Degkleri, Evangelos P. Markatos, &lt;em&gt;ACM Transactions on Internet Technology (TOIT)&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://pdf.daknob.net/academic/0pass-eurosec-2018.pdf"&gt;Øpass: Zero-storage password management based on password
reminders&lt;/a&gt;, G.
Tzagarakis, P. Papadopoulos, A. A. Chariton, E. Athanasopoulos, E. P.
Markatos, &lt;em&gt;EuroSec 2018&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://pdf.daknob.net/academic/wally-asiaccs-2018.pdf"&gt;Where&amp;rsquo;s Wally?: How to Privately Discover your Friends on the
Internet&lt;/a&gt;, P.
Papadopoulos, A.A. Chariton, E. Athanasopoulos, E.P. Markatos, &lt;em&gt;AsiaCCS 2018&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://pdf.daknob.net/academic/ccsp-infocom-2017.pdf"&gt;CCSP: A compressed certificate status
protocol&lt;/a&gt;, A.A.
Chariton, E. Degkleri, P. Papadopoulos, P. Ilia, E.P. Markatos, &lt;em&gt;Infocom 2017&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://pdf.daknob.net/academic/dcsp-womencourage-2016.pdf"&gt;Leveraging DNS for timely SSL Certificate
Revocation&lt;/a&gt;, E.
Degkleri, A.A. Chariton, P. Ilia, P. Papadopoulos, E.P. Markatos, &lt;em&gt;womENcourage
2016&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://pdf.daknob.net/academic/dcsp-eurosec-2016.pdf"&gt;DCSP: Performant Certificate Revocation a DNS-based
approach&lt;/a&gt;, A.A.
Chariton, E. Degkleri, P. Papadopoulos, P. Ilia, E.P. Markatos, &lt;em&gt;EuroSec 2016&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Contact Information</title><link>https://blog.daknob.net/contact/</link><pubDate>Sat, 05 Oct 2019 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/contact/</guid><description>&lt;p&gt;If you&amp;rsquo;d like to contact me, apart from the various social options available in
the menu, you can use the following e-mail addresses, which are the preferred
methods of communication:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Preferred&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="mailto:daknob@daknob.net"&gt;daknob@daknob.net&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Gmail&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="mailto:daknob.mac@gmail.com"&gt;daknob.mac@gmail.com&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;ProtonMail&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="mailto:daknob@pm.me"&gt;daknob@pm.me&lt;/a&gt;&lt;/p&gt;</description></item><item><title>The state of RPKI Deployment in Greece</title><link>https://blog.daknob.net/rpki-deployment-greece-feb-19/</link><pubDate>Mon, 25 Feb 2019 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/rpki-deployment-greece-feb-19/</guid><description>&lt;p&gt;&lt;a href="https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure"&gt;RPKI&lt;/a&gt;, or Resource Public Key Infrastructure, is a way to cryptographically produce and sign messages that bind a particular IP prefix with an originating Autonomous System. It essentially contains the information &amp;ldquo;&lt;code&gt;192.0.2.0/24&lt;/code&gt; up to &lt;code&gt;/24&lt;/code&gt; can originate in BGP from &lt;code&gt;AS64500&lt;/code&gt;&amp;rdquo;. Or, &amp;ldquo;&lt;code&gt;2001:db8::/32&lt;/code&gt; up to &lt;code&gt;/48&lt;/code&gt; can originate in BGP from &lt;code&gt;AS64500&lt;/code&gt;&amp;rdquo;.&lt;/p&gt;
&lt;p&gt;These messages, after they are signed by the rightful owner of &lt;code&gt;192.0.2.0/24&lt;/code&gt; or &lt;code&gt;2001:db8::/32&lt;/code&gt;, can be made available to anyone, so network operators can protect against accidents, such as a typo, causing traffic to be sent to the wrong destination, or against malicious attacks, with the purpose of hijacking IP prefixes using BGP, to monitor or change traffic.&lt;/p&gt;</description></item><item><title>Not everyone works for you</title><link>https://blog.daknob.net/not-everyone-works-for-you/</link><pubDate>Tue, 07 Mar 2017 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/not-everyone-works-for-you/</guid><description>&lt;p&gt;In the past few days, a lot of people started complaining about &lt;a href="https://letsencrypt.org/"&gt;Let&amp;rsquo;s Encrypt&lt;/a&gt; and how it has issued TLS Certificates for &lt;a href="https://www.paypal.com/"&gt;PayPal&lt;/a&gt;. Various posts like &lt;a href="https://community.letsencrypt.org/t/a-fake-paypal-phishing-website-is-using-lets-encrypt-certificate/20760"&gt;this&lt;/a&gt; were written to complain about that, and some people even went as far as writing blog posts for Let&amp;rsquo;s Encrypt to &lt;a href="https://www.thesslstore.com/blog/lets-encrypt-paypal/"&gt;stop issuing certificates with the word &amp;ldquo;PayPal&amp;rdquo;&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Apparently, a lot of people agree with this. That last blog post even mentions that Certificate Authorities performed checks and still do, to try and avoid issuing certificates with this word. Luckily, some people &lt;a href="https://scotthelme.co.uk/lets-encrypt-are-enabling-the-bad-guys-and-why-they-should/"&gt;are still reasonable&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>"Security" companies and abuse e-mails</title><link>https://blog.daknob.net/security-companies-and-abuse-e-mails/</link><pubDate>Tue, 07 Feb 2017 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/security-companies-and-abuse-e-mails/</guid><description>&lt;p&gt;The Internet, like almost anything invented by humans, has been used to conduct malicious acts. This can be something not really important like comment spam, all the way to very important cases that are usually investigated by law enforcement like private information and user data theft. While running a Tor Exit Node, I had the chance to witness a lot of that stuff. This, unfortunately, isn&amp;rsquo;t an easy problem to solve, and most approaches have failed.&lt;/p&gt;</description></item><item><title>Debian Firewall when using Docker</title><link>https://blog.daknob.net/debian-firewall-docker/</link><pubDate>Mon, 02 Jan 2017 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/debian-firewall-docker/</guid><description>&lt;p&gt;Having a firewall is something that&amp;rsquo;s necessary, in my opinion, for every server. Not only for those with a Public IP Address, for any server. Not only for IPv4, for any IP version.&lt;/p&gt;
&lt;p&gt;Running a firewall and managing it adds overhead to the server administration and most people either ignore it, or use their provider&amp;rsquo;s firewall. Amazon and Google have done great work in pushing people to use them in their clouds, but often that&amp;rsquo;s not enough.&lt;/p&gt;</description></item><item><title>Guarding your Tor Exit's DNS</title><link>https://blog.daknob.net/guarding-your-tor-exits-dns/</link><pubDate>Tue, 04 Oct 2016 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/guarding-your-tor-exits-dns/</guid><description>&lt;p&gt;In the past few days, a &lt;a href="https://nymity.ch/tor-dns/"&gt;study&lt;/a&gt; was released detailing some attacks against the &lt;a href="https://torproject.org/"&gt;Tor Network&lt;/a&gt;. These attacks made it into the &lt;a href="http://www.zdnet.com/article/how-dns-can-be-used-to-unmask-tor-users/"&gt;news&lt;/a&gt; because one could compromise Tor Users&amp;rsquo; anonymity by examining the DNS queries from exit nodes.&lt;/p&gt;
&lt;p&gt;The argument made by the researchers is that while HTTP traffic may be encrypted, DNS traffic is sent in plaintext, and can usually traverse more networks, before it eventually reaches its final destination. In addition to that, they also discovered that about 40% of the Tor Exit Nodes use Google&amp;rsquo;s Public DNS, at the IP addresses &lt;code&gt;8.8.8.8&lt;/code&gt;, &lt;code&gt;8.8.4.4&lt;/code&gt;, &lt;code&gt;2001:4860:4860::8888&lt;/code&gt;, and &lt;code&gt;2001:4860:4860::8844&lt;/code&gt;.&lt;/p&gt;</description></item><item><title>Running a Tor Exit Node for fun and e-mails</title><link>https://blog.daknob.net/running-a-tor-exit-node-for-fun-and-e-mails/</link><pubDate>Fri, 02 Sep 2016 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/running-a-tor-exit-node-for-fun-and-e-mails/</guid><description>&lt;p&gt;The &lt;a href="https://www.torproject.org/"&gt;Tor Project&lt;/a&gt; is a non-profit organization in the United States that created Tor, The Onion Router, free software that creates an open network of volunteers which helps people anonymize their traffic by routing it through three or more other computers before it reaches its final destination.&lt;/p&gt;
&lt;p&gt;Tor got its name from the encryption that happens during the relaying of the information. Every time a user wants to access a website using Tor, they create a circuit between three or more nodes in the network. Afterwards, they encrypt the data with the last node&amp;rsquo;s public key, then they encrypt the output with the middle node&amp;rsquo;s public key, and finally they encrypt that output with the first node&amp;rsquo;s public key. This creates a message with several encryption layers, which needs to be peeled by each node like an onion.&lt;/p&gt;</description></item><item><title>Capturing flags in Thessaloniki</title><link>https://blog.daknob.net/capturing-flags-in-thessaloniki/</link><pubDate>Fri, 26 Aug 2016 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/capturing-flags-in-thessaloniki/</guid><description>&lt;p&gt;Earlier this summer, I participated in the organization of a Capture the Flag competition in &lt;a href="https://www.auth.gr"&gt;Aristotle University of Thessaloniki&lt;/a&gt; for students of the &lt;a href="http://www.csd.auth.gr/en/"&gt;Computer Science / Informatics Department&lt;/a&gt;. It was co-organized by me, &lt;a href="https://spanagiot.gr/"&gt;Spyridon Rafail Panagiotopoulos&lt;/a&gt;, and &lt;a href="https://degex.gr/"&gt;Kostas Mpenos&lt;/a&gt;, and supervised by &lt;a href="http://www.csd.auth.gr/en/staff/faculty?view=user&amp;amp;ro=1&amp;amp;id=28"&gt;Dr. Konstantinos Draziotis&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Organizing a Capture the Flag competition is not easy, especially in our situation where we had almost 3 days to do everything. This included coming up with challenges, designing and setting up the infrastructure, publishing information about the event, and in general doing everything that&amp;rsquo;s needed. For those familiar with such things, this is a very difficult thing to accomplish. Luckily, we managed to pull it off, with something like 4-5 hours of sleep total during these days.&lt;/p&gt;</description></item><item><title>Setting up EdgeMAX Devices for OTE IPv6</title><link>https://blog.daknob.net/setting-up-edgemax-devices-for-ote-ipv6/</link><pubDate>Thu, 07 Jul 2016 21:30:00 +0000</pubDate><guid>https://blog.daknob.net/setting-up-edgemax-devices-for-ote-ipv6/</guid><description>&lt;p&gt;I spent some time yesterday trying to make an EdgeMAX device, namely the &lt;a href="https://www.ubnt.com/edgemax/edgerouter-x-sfp/"&gt;EdgeRouter X SFP&lt;/a&gt; work in an &lt;a href="https://www.cosmote.gr/"&gt;OTE&lt;/a&gt; ADSL connection. Setting it up is very easy, however I found IPv6 a little bit trickier to implement properly, therefore I am writing this as a documentation (for future {generations, reference}).&lt;/p&gt;
&lt;p&gt;This tutorial is simple and works on all EdgeMAX Devices like the &lt;a href="https://www.ubnt.com/edgemax/edgerouter-x/"&gt;EdgeRouter X&lt;/a&gt;, &lt;a href="https://www.ubnt.com/edgemax/edgerouter-lite/"&gt;EdgeRouter Lite&lt;/a&gt;, &lt;a href="https://www.ubnt.com/edgemax/edgerouter-poe/"&gt;EdgeRouter PoE&lt;/a&gt;, &lt;a href="https://www.ubnt.com/edgemax/edgerouter/"&gt;EdgeRouter&lt;/a&gt;, and the amazing &lt;a href="https://www.ubnt.com/edgemax/edgerouter-pro/"&gt;EdgeRouter Pro&lt;/a&gt;. The only thing it needs is the CPE provided by the ISP, in this example a ZTE H108NS by OTE, and PPPoE credentials with support for IPv6.&lt;/p&gt;</description></item><item><title>Get eBay Users' Personal Info for free!</title><link>https://blog.daknob.net/get-ebay-users-personal-info-for-free/</link><pubDate>Thu, 07 Jul 2016 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/get-ebay-users-personal-info-for-free/</guid><description>&lt;p&gt;&lt;a href="https://www.ebay.com"&gt;eBay&lt;/a&gt; is one of the largest e-commerce websites available, especially to people in countries without &lt;a href="https://www.amazon.com/"&gt;Amazon&lt;/a&gt;. It does not sell its products directly, but instead relies on its users, therefore making an important distinction between sellers and buyers.&lt;/p&gt;
&lt;p&gt;Technically speaking there is not any restriction, which means a buyer can sell an item, and, of course, a seller can buy something, however usually you find accounts that only do one thing. Each user has a score on their profile as a seller and as a buyer, which means the reviews of every transaction are not merged.&lt;/p&gt;</description></item><item><title>In Transparency, Size Matters</title><link>https://blog.daknob.net/size-matters/</link><pubDate>Thu, 23 Jun 2016 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/size-matters/</guid><description>&lt;p&gt;In my &lt;a href="https://blog.daknob.net/a-secure-week/"&gt;previous post&lt;/a&gt; I spent one week without access to non-HTTPS websites. It was difficult, but I managed it. It was a challenge to determine how much of the web is HTTPS yet. It went well, mostly thanks to &lt;a href="https://cloudflare.com/"&gt;CloudFlare&lt;/a&gt;, but got me thinking about HTTPS again.&lt;/p&gt;
&lt;p&gt;See, one of the three benefits of using this, more secure, protocol is authenticity. When a website has a valid certificate, there&amp;rsquo;s a Certificate Authority out there somewhere that has explicitly marked this public/private key pair as trusted, and therefore your device inherently trusts it. More specifically, it marked this as trusted for only a specific domain or collection of domains, not for everything.&lt;/p&gt;</description></item><item><title>A Secure Week</title><link>https://blog.daknob.net/a-secure-week/</link><pubDate>Tue, 21 Jun 2016 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/a-secure-week/</guid><description>&lt;p&gt;As an engineer, I am genuinely interested in challenges. Not necessarily the problem-solving challenges that we can face daily as a profession, but other forms as well. This is why I decided to challenge myself in a computer security related way.&lt;/p&gt;
&lt;p&gt;For some of my daily Internet browsing, I make use of Google Chrome, and I have the &lt;a href="https://www.eff.org/https-everywhere"&gt;HTTPS Everywhere&lt;/a&gt; extension installed. What this browser extension (claims it) does is check every website I visit and determine whether there is an HTTPS version available, and if there is, it redirects me there.&lt;/p&gt;</description></item><item><title>The callback</title><link>https://blog.daknob.net/the-callback/</link><pubDate>Tue, 15 Mar 2016 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/the-callback/</guid><description>&lt;p&gt;Every two years my phone contract expires. This is the maximum duration of a phone contract for an individual so I have to spend some time on updating it every now and then. The problem is that every time there are new offers and usually your old plan is not available. So you have to find a new one.&lt;/p&gt;
&lt;p&gt;After looking at the new plan catalogue of my carrier, I figured that for the same specs (talk time, SMS and bandwidth) I need to pay a little bit over 2.5x more money than before. Of course, that is something no sane person would do. So I started looking at the competition for solutions.&lt;/p&gt;</description></item><item><title>Now on Tor!</title><link>https://blog.daknob.net/now-on-tor/</link><pubDate>Thu, 07 Jan 2016 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/now-on-tor/</guid><description>&lt;p&gt;The &lt;a href="https://torproject.org"&gt;Tor Project&lt;/a&gt; is a famous network with an anonymizing alternative routing protocol called &lt;strong&gt;T&lt;/strong&gt;he &lt;strong&gt;O&lt;/strong&gt;nion &lt;strong&gt;R&lt;/strong&gt;outing Protocol. The way it works is several people run Tor nodes around the world and your traffic is being routed through at least three of them, before reaching its destination.&lt;/p&gt;
&lt;p&gt;Its intended use is to avoid censorship in countries like China, with the Great Firewall, and in general provide unrestricted and anonymous access to websites.&lt;/p&gt;</description></item><item><title>Grab some popcorn and launch Popcorn Time</title><link>https://blog.daknob.net/grab-some-popcorn-and-launch-popcorn-time/</link><pubDate>Sun, 02 Aug 2015 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/grab-some-popcorn-and-launch-popcorn-time/</guid><description>&lt;p&gt;Movie and TV Show Piracy has been going on for years. There are many websites that offer movie streaming online for free, as well as many torrent sites that provide you with links to download and watch anything. However, even pirates want simplicity and friendly user interfaces from time to time. This is where &lt;a href="https://popcorntime.io"&gt;Popcorn Time&lt;/a&gt; comes into play. It provides an easy-to-use, Netflix-style UI for people to browse for Movies, TV Series and Anime.&lt;/p&gt;</description></item><item><title>Password Managers and Security Questions</title><link>https://blog.daknob.net/password-managers-and-security-questions/</link><pubDate>Fri, 24 Jul 2015 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/password-managers-and-security-questions/</guid><description>&lt;p&gt;Nowadays, with all the website hacks and the user credentials leaked, a password manager is one of the most valuable assets. It allows you to use a different, ridiculously long and completely random string as a password for every website you visit.&lt;/p&gt;
&lt;p&gt;That way, even if a website is actually hacked, and the hackers retrieve the password hashes, it would take them billions of times the age of the universe to crack your password. But even if they managed to do that, or if the website stored the passwords in a plain-text format, getting the password would be of no use to them.&lt;/p&gt;</description></item><item><title>e-Voting: Math vs. Implementation</title><link>https://blog.daknob.net/e-voting-math-vs-implementation/</link><pubDate>Thu, 09 Jul 2015 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/e-voting-math-vs-implementation/</guid><description>&lt;p&gt;Technology has a deep impact on most people&amp;rsquo;s lives today. We all use the Internet when possible and we seem to do almost all we can online. We pay bills, we buy food and goods, etc.&lt;/p&gt;
&lt;p&gt;One of the things we don&amp;rsquo;t do yet is vote electronically for critical elections, like Government / Presidential Elections or a Referendum.&lt;/p&gt;
&lt;p&gt;In the traditional voting process, millions of euros are invested in a single voting event because we think more people can walk up to a certain place and vote than can vote using an Internet-connected computer. We also don&amp;rsquo;t completely understand the technologies behind e-voting and we don&amp;rsquo;t trust them. This can be the case because we still have a fear of technology.&lt;/p&gt;</description></item><item><title>The Best HTTPS Configuration</title><link>https://blog.daknob.net/the-best-https-configuration/</link><pubDate>Mon, 22 Jun 2015 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/the-best-https-configuration/</guid><description>&lt;p&gt;Nowadays, the web is moving towards making HTTPS mandatory across all websites. Initiatives like &lt;a href="https://letsencrypt.org/"&gt;Let&amp;rsquo;s Encrypt&lt;/a&gt; that offer dead-simple HTTPS installation, or Root CAs like &lt;a href="https://www.startssl.com/"&gt;StartSSL&lt;/a&gt; that offer unlimited free certificates or even browsers like &lt;a href="https://www.google.com/chrome/browser/desktop/index.html"&gt;Google Chrome&lt;/a&gt; that already started deprecating HTTP all contribute to moving in this direction. Many of us think this is the correct way. An HTTPS-only web provides a lot of great advantages over the traditional, HTTP one.
However, just because you can see that little green &lt;code&gt;https://&lt;/code&gt; in your address bar doesn&amp;rsquo;t mean you&amp;rsquo;re secure. There is a vast amount of possible SSL/TLS configurations that a system administrator can make that range from the most secure one yet, all the way to &amp;ldquo;Rebranded HTTP&amp;rdquo;. Currently, configuring a web server to be really secure is increasingly difficult and requires the administrator to always watch the latest news for the upcoming attacks and deprecations that may require a change in the configuration.
Fortunately, tools like &lt;a href="https://www.ssllabs.com/ssltest/"&gt;Qualys&amp;rsquo; SSL Server Test&lt;/a&gt; make the job a little bit easier, as you can run that test against your (or anybody else&amp;rsquo;s) servers and see a little nice grade on how well you did. This grade can range from &lt;code&gt;A+&lt;/code&gt; all the way to &lt;code&gt;F&lt;/code&gt;, or even &lt;code&gt;T&lt;/code&gt;. At least that&amp;rsquo;s how low I&amp;rsquo;ve seen it go. Maybe you can make an even worse configuration.. &lt;a href="https://www.ssllabs.com/ssltest/analyze.html?d=uoc.gr"&gt;;-)&lt;/a&gt;
Now getting an &lt;code&gt;A+&lt;/code&gt; is not really difficult and ensures that your website is relatively secure, at least as far as HTTPS is concerned. Let&amp;rsquo;s see how we can get this grade in &lt;code&gt;Apache 2.2.22&lt;/code&gt; on &lt;code&gt;Debian Jessie 8.0&lt;/code&gt; with &lt;code&gt;mod_ssl&lt;/code&gt;. For this to work, you need a valid HTTPS Certificate from a Trusted Certificate Authority. In order to start for free, you can use StartSSL. Now you need to make sure this certificate is signed with &lt;code&gt;SHA-2&lt;/code&gt; or &lt;code&gt;SHA-256&lt;/code&gt; (actually the latter is a part of the first). After that, you can create a &lt;code&gt;VirtualHost&lt;/code&gt; for your secure website:&lt;/p&gt;</description></item><item><title>Chrome, Chromium, and Certificate Caching</title><link>https://blog.daknob.net/chrome-chromium-and-certificate-caching/</link><pubDate>Thu, 18 Jun 2015 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/chrome-chromium-and-certificate-caching/</guid><description>&lt;p&gt;Just like a good System Administrator, I set out one day to replace the current
certificate for the &lt;a href="https://daknob.net/"&gt;main site&lt;/a&gt; that&amp;rsquo;s used for HTTPS. I
issue a new CSR, I send it to the Certificate Authority, I get the Signed
Certificate, Revoke the old one and after a total of 5-10 minutes I have the
web server serving the new certificate to all connecting clients.&lt;/p&gt;
&lt;p&gt;Of course, I need to verify that I do indeed serve the new certificate and
everything went correctly. I had the website open in Google Chrome on Mac OS X
and I had not refreshed it yet after the certificate change. I click the
&lt;code&gt;https://&lt;/code&gt; before the URL and I examine the certificate. Everything is fine,
since the certificate is the old one. I press &lt;code&gt;⌘+R&lt;/code&gt;, which is refresh for all
you Windows / Linux / BSD users to refresh the page, I click the certificate
and I still see the old version. I ssh into the web server again, reload the
configuration, refresh again, and still it shows the old certificate. I even
try restarting the entire web server, still nothing. I go to Chrome, press
&lt;code&gt;⌘+Shift+R&lt;/code&gt;, which is Force Refresh (purge cache), and I still see the same
certificate. I type the URL again, press &lt;code&gt;Enter&lt;/code&gt;, still the same. I open a new
Tab, a new Window, still the old certificate. Every other browser could
perfectly see the new certificate so it must be something with caching.&lt;/p&gt;</description></item><item><title>Physical Security - Bad Design Practices</title><link>https://blog.daknob.net/physical-security-bad-practice/</link><pubDate>Thu, 18 Jun 2015 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/physical-security-bad-practice/</guid><description>&lt;p&gt;Today I happened to visit a store that had the front desk, and a designated
area in the back that was only accessible to employees. It had a nice big lock
that only opened after successful RFID Authentication. It seemed like a system
that may not be trivial to bypass unless you get a card cloner, get the card
content and hope it&amp;rsquo;s not dynamic, and in general it seemed secure.&lt;/p&gt;</description></item><item><title>Authentication In File Uploader</title><link>https://blog.daknob.net/authentication-in-file-uploader/</link><pubDate>Wed, 17 Jun 2015 00:00:00 +0000</pubDate><guid>https://blog.daknob.net/authentication-in-file-uploader/</guid><description>&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;In my Department at the &lt;a href="http://www.uoc.gr"&gt;University Of Crete&lt;/a&gt; we have a set
of computers where you can login using &lt;code&gt;ssh(1)&lt;/code&gt; and access all your files,
write code, run programs, and in general perform all tasks you may need without
having to &lt;del&gt;install linux on&lt;/del&gt; remove Windows from your computer. For
&amp;ldquo;Security&amp;rdquo; reasons, these computers are behind two stripped, chrooted &amp;ldquo;Gates&amp;rdquo;.
You cannot ssh into one of the computers directly, you first have to ssh to one
of the gates and then from there ssh into your desired computer. Pretty much
the only thing in the gates is &lt;code&gt;ssh(1)&lt;/code&gt; and &lt;code&gt;enable&lt;/code&gt;, the second of which does
a port forward to the computer you need.&lt;/p&gt;</description></item></channel></rss>