If so, neither haproxy nor nginx expire cached A records.
Nginx Plus does, and a few nginx plugins do, however.
https://github.com/airbnb/synapse is a process that polls DNS, and updates haproxy config accordingly and SIGHUPs haproxy I've used synapse to solve this issue, but it's a moving piece I'd rather not have involved.
While I'm excited to be able to use haproxy for this, one alternative on nginx is to store the hostname you want looked up dynamically in a variable, and use that variable in a proxy_pass directive or equivalent. E.g. "proxy_pass http://$backend:80;" will cause Nginx to pass the value $backend to any resolver you have defined dynamically without needing Nginx Plus.
You might argue "well why bother with U2F, if you are going to set up TOTP anyway", to which I respond that using U2F is still a net win, because for the times you use U2F, you are safe from phishing attacks.
That in an emergency situation you have to use TOTP, and thus be vigilant that you aren't being phished, does not negate the benefits from having used U2F previously.
I can see that by enabling TOTP as a second-factor, it increases your attack surface. That is, you now have to care about whether your TOTP secret has been leaked. I consider this cost to be small, compared to the benefit of being able to fallback to TOTP. Others may decide this tradeoff isn't worth it.
It's still not clear to me how u2f prevents phishing. If I was being proxied through a site with a valid tls cert, they still gain my password and a session key.
U2F keys are linked to the associated domain (e.g. google.com or dropbox.com), so your U2F would not present your google.com key to a U2F prompt on googlehax.com
This stops the proxy attack you describe getting a session key, but not getting your password. Of course, the password alone is insufficient.
The browser passes the origin (protocol + hostname + port) to the key. This field is included in the data the key signs. The signature would not match for an authentication response obtained via phishing because of that.
Your original description is a bit ambiguous: were you referring to a case where the actual domain was being successfully man-in-the-middle'd with a valid TLS certificate? That's not something U2F aims to solve (and not something that people generally refer to as phishing).
Edit: Small correction: U2F makes use of TLS ChannelIDs, which, if I understand correctly, would help in that scenario (MitM with a trusted-but-attacker-controlled certificate on the "real" origin). I'm not sure if anyone other than Google makes use of this yet, as it requires a new TLS extension on the server.
No, you answered my question. I accepted that any/most/all authentication breaks down in some way of you can't trust tls certs or the browser/user agent.
The Home Secretary is a proxy for the security services. Not the police, I'm referring to MI5. It doesn't seem to matter who holds the job, they've been pushing this for decades.
MI5 have no interest in things like warrants or courts and a rather murky history in Northern Ireland.
I think GP's point is the warrant isn't needed. I guess whether it is relevant to your comment depends on whether your point is that a warrant is required despite their authority, or that you are simply pointing out that those in authority have a default duty/right to an individual's private conversations.
If you remove the technological protections, the communications become accessible not only to law enforcement but also to malicious people - cryptography doesn't care if you have a warrant or not.
A particular communications channel either is secure from anyone or it's vulnerable to everyone. If UK home secretary argues that we shouldn't be allowed to use secure channels, then that does imply that all such communications will be vulnerable to all kinds of criminals as well.
The superficial solution to this is not to outlaw cryptography completely, but to require those who make cryptography available to keep master keys and/or logs.
I know that these are not a real solution as they can be leaked or abused, but it's best that we don't pretend not to hear this argument. We should make clear that these are insufficient and that there's nothing wrong with private communications truly remaining private.
> The superficial solution to this is not to outlaw cryptography completely, but to require those who make cryptography available to keep master keys and/or logs.
The infrastructure keeping those keys then becomes an irresistible target to compromise. The government has already lost critical data such as the application data for most/all Classified personnel in the military and contractors. If that kind of data cannot be kept safe then you can be sure that a legally centralized infrastructure to keep keys will be attacked, and likely compromised at some point.
> The superficial solution to this is not to outlaw cryptography completely, but to require those who make cryptography available to keep master keys and/or logs.
Completely or not completely, so to outlaw the strong crypto without a backdoor and put privacy activists who create such tools behind bars? I see where the UK is headed.
> but it's best that we don't pretend not to hear this argument
not "best", even if "reasonable, yet complicit". Best would be neutering these governmental bodies who are so accustomed to forking us whenever we roll over.
This is the argument raised by security experts in http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAI... , which I'm not qualified to disagree with. It seems strong! Even if it were technically possible, I expect there's also a strong argument along the lines of asserting our right to privacy.
She wants to institute pervasive spying (targeted spying can be achieved by individually planting hardware backdoors, or simply recording the suspect entering their password).
But pointing out the harms of pervasive spying is a weak argument, because she didn't deny (or even address) those harms?
> She wants to institute pervasive spying (targeted spying can be achieved by individually planting hardware backdoors, or simply recording the suspect entering their password).
I can see targetted spying is possible today. It sounds like she wants targeted spying to be cheaper, and restricted by the judicial system.
> But pointing out the harms of pervasive spying is a weak argument, because she didn't deny (or even address) those harms?
The argument I replied to wasn't pointing out the harms of pervasive spying. Nor was your argument.
"If she wants law enforcement to be able to see other's metadata, she should expose her metadata" is weak. We needn't waste time with that.
There are stronger arguments, such as asserting our right to privacy, or perhaps that it isn't technically possible without critically compromising encryption for everybody.
I don't know if you're being deliberately obtuse, but I'll humour you:
> It sounds like she wants targeted spying to be cheaper, and restricted by the judicial system.
The cheaper that spying is, the more spying gets done - this has been repeatedly shown in many countries, even supposedly free ones, so lets not pretend this will result in the government saving a few bucks on security. It will result in (continued) data collection on a massive scale, the kind that is increasingly being hampered by encryption. Does 'Snowden' ring a bell?
> ..wasn't pointing out the harms of pervasive spying.. ..she should expose her metadata..
While I agree that the argument "if she thinks it's okay she should let folks spy on her" is weak (it's always possible to find someone crazy/sold-out enough to do whatever is being pushed), that's not actually the argument, except in the most literal reading.
The argument is twofold. First, pointing out that there are harms and she's aware of them, despite not addressing them, because she refuses to disclose her communications. Second, that the spying will be used asymmetrically - you, dear citizen, will have all your communications recorded, stored indefinitely, and subject to discovery when some prosecutor or large corporation decides to do away with you. But try and find out which corporations are sponsoring which politicians, who owns them, and what kind of deals those politicians are making in your name, and you'll meet a stone wall of silence - just like in the TTIP negotiations.
But the OP put it more concisely and humorously.
> There are stronger arguments, such as asserting our right to privacy
I don't think this is a stronger argument. In fact, I don't think this is an argument at all. First of all, it's circular - the law shouldn't strip us of our right to privacy, because the law gives us the right to privacy. Second, it won't convince anyone, it's just pointing out the status quo - sure we have a right to privacy, but so what? What harm will come of losing it?
> First, pointing out that there are harms and she's aware of them, despite not addressing them, because she refuses to disclose her communications.
Though I'm skeptical of how much a 3m42s interview can be said to represent the entirety of her views, I'd say she alludes to the harms by referring to such access as "warranted". That is, authorisation is restricted [because of the costs of unrestricted access].
> Second, that the spying will be used asymmetrically - you, dear citizen, will have all your communications recorded, stored indefinitely, and subject to discovery when some prosecutor or large corporation decides to do away with you.
This law would apply to politicians too, right? If they're suspected of a crime, a warrant could be issued for their communication details.
> But try and find out which corporations are sponsoring which politicians, who owns them, and what kind of deals those politicians are making in your name, and you'll meet a stone wall of silence - just like in the TTIP negotiations.
As mentioned, if those are crimes I expect them to be investigated similarly.
> I don't think this is a stronger argument. In fact, I don't think this is an argument at all.
Sorry yes, my single sentence wasn't the entirety of the argument. I was referring to arguments that rely on the benefits of privacy, rather than defeating a strawman (my, as you say, literal reading of top-level comment).
n^2 = sum(1..n) - sum(1..n-1) = 2sum(1..n-1) + n
=> n^2 - n = 2sum(1..n-1) => n(n-1) = 2*sum(1..n-1) => sum(1..n-1) = n(n-1)/2
And you can rewrite that as... sum(1..n) = n(n+1)/2