DaKnOb (@DaKnObCS)

42.9K posts

I do cool things that matter ;) @[email protected]

Zürich, Switzerland · Joined June 2009
431 Following · 941 Followers
DaKnOb retweeted
Tim Geoghegan (@SIGTIM):
ISRG is hiring an SRE to help keep the world’s largest certificate authority running. Come join our team and help us make the internet safer for all. abetterinternet.org/careers/le-sre…
DaKnOb retweeted
kennyog (@kennyog):
After a constructive engagement with @ThreemaApp during responsible disclosure, this is unexpectedly dismissive. We broke their protocol 6 ways. They updated it, thanks to our work (breakingthe3ma.app). So of course our work applies to an old version.
> Threema (@ThreemaApp): There's a new paper on Threema's old communication protocol. Apparently, today's academia forces researchers and even students to hopelessly oversell their findings. Here's some real talk: threema.ch/bp/new-paper-o…
DaKnOb retweeted
NYTPitchbot (@DougJBalloon):
It takes a good six-year-old with a gun to stop a bad six-year-old with a gun.
DaKnOb retweeted
Fernando Gont (@FernandoGont):
GitHub on finally deploying IPv6.... 😊🤗 (docs.github.com/en/enterprise-…@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization#adding-an-allowed-ip-address)
DaKnOb retweeted
dragosr (@dragosr):
Don't dump LastPass because of 7 breaches, dump them for crap crypto: Padding oracle vulns, ECB pass len leaks, switch to CBC for new vaults not old ones, vault key uses AES256 but only 128 bits entropy, key webui leak, silent KDF downgrade, KDF hash log leak, keys left in mem.
DaKnOb (@DaKnObCS):
@Scott_Helme @troyhunt @Yubico @Cloudflare The blue keys that are cheaper are perfectly fine for 2FA and to some degree as Passkeys / for Passwordless login. The black keys are only needed for the Nano form factor, the Lightning connector, or their other applications (PIV, GPG, etc.).
DaKnOb retweeted
BGP.Tools (@bgptools):
🎉 bgp.tools has passed 500 online BGP sessions! Thanks to the networks that have made this possible. We now have really quite good routing visibility in the EU and a lot of the US, but that isn't the whole world! The focus is now Africa, APAC, and LATAM!
DaKnOb retweeted
Jameson Lopp (@lopp):
This video of cops in Nevada searching a suspect and finding a seed phrase is pretty wild. Imagine having your seed phrase become part of public record due to it being captured by an officer's body camera!
DaKnOb (@DaKnObCS):
@aris_ada I have a little bit more, 1/5th, however it’s just one specific set of people mostly, which means Mastodon now is not covering everything I used to see here. I used fedifinder.glitch.me to find everyone and add them on Mastodon so I can begin the migration.
DaKnOb retweeted
SwiftOnSecurity (@SwiftOnSecurity):
POV: You're a security consultant hired to be embedded in a web development team
DaKnOb retweeted
Bart Groothuis (@bgroothuis):
Europe’s new cyber security legislation NIS2 officially signed! 🥂
DaKnOb retweeted
🧗‍♂️ Matt Holt (@mholt6):
@DaKnObCS Oh yeah, forgot about that. I'm pretty sure we have the plumbing for this, let me see if we expose it.
DaKnOb (@DaKnObCS):
@mholt6 Google Trust Services supports setting the notBefore and notAfter via ACME so you can specify the exact duration, for up to 90 days. I’ve been using it with this patch: go-review.googlesource.com/c/crypto/+/454… Works fine, and I added it as “requested” to convey the fact that it may not happen.
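The reply above describes asking the CA for a specific certificate lifetime by setting notBefore and notAfter in the ACME newOrder request (the optional fields RFC 8555 defines for that purpose), and the earlier reply in this thread mentions running 3-day certificates with daily renewals. The following Go program is an added example, not code from the thread, from Caddy, or from the referenced go-review patch: it builds the newOrder JSON with a client-side cap on the requested validity (the 90-day limit from the reply is assumed here to be a hard cap) and implements a renewal policy for such short-lived certificates. The domain, timestamps and the 2/3 renewal threshold are constructed values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// MaxValidity is the 90-day ceiling the thread mentions for certificates
// requested with explicit notBefore/notAfter; it is enforced client-side here
// so an over-long request never reaches the CA (assumption: hard cap).
const MaxValidity = 90 * 24 * time.Hour

// Identifier is one entry of the "identifiers" array of an ACME newOrder body.
type Identifier struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

// NewOrder is the JSON body of an RFC 8555 newOrder request. notBefore and
// notAfter are the optional fields a client sets to ask the CA for a shorter
// validity window than its default.
type NewOrder struct {
	Identifiers []Identifier `json:"identifiers"`
	NotBefore   string       `json:"notBefore,omitempty"`
	NotAfter    string       `json:"notAfter,omitempty"`
}

// BuildNewOrder returns the newOrder JSON asking for a certificate valid for
// `validity` starting at `now`. Timestamps are emitted as UTC RFC 3339 with
// second precision, which is the form ACME servers accept.
func BuildNewOrder(domains []string, now time.Time, validity time.Duration) ([]byte, error) {
	if len(domains) == 0 {
		return nil, errors.New("at least one DNS identifier is required")
	}
	if validity <= 0 {
		return nil, errors.New("validity must be positive")
	}
	if validity > MaxValidity {
		return nil, fmt.Errorf("validity %s exceeds the %s cap", validity, MaxValidity)
	}
	start := now.UTC().Truncate(time.Second)
	order := NewOrder{
		NotBefore: start.Format(time.RFC3339),
		NotAfter:  start.Add(validity).Format(time.RFC3339),
	}
	for _, d := range domains {
		order.Identifiers = append(order.Identifiers, Identifier{Type: "dns", Value: d})
	}
	return json.Marshal(order)
}

// ShouldRenew reports whether a certificate valid over [notBefore, notAfter]
// should be renewed at `now`: renew once less than remainFrac of its lifetime
// is left, and always if it is expired or its window is malformed. A 3-day
// certificate with remainFrac = 2/3 is renewed after one day, i.e. the daily
// cadence described in the thread, leaving two days of slack for failed runs.
func ShouldRenew(notBefore, notAfter, now time.Time, remainFrac float64) bool {
	lifetime := notAfter.Sub(notBefore)
	if lifetime <= 0 || !now.Before(notAfter) {
		return true
	}
	remaining := notAfter.Sub(now)
	return float64(remaining) < remainFrac*float64(lifetime)
}

func main() {
	// Constructed timestamp so the output is reproducible.
	now := time.Date(2023, 1, 15, 12, 0, 0, 0, time.UTC)
	body, err := BuildNewOrder([]string{"example.com"}, now, 3*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))

	issued, expires := now, now.Add(3*24*time.Hour)
	for _, h := range []int{12, 25, 80} {
		at := now.Add(time.Duration(h) * time.Hour)
		fmt.Printf("%dh after issuance: renew=%v\n", h, ShouldRenew(issued, expires, at, 2.0/3))
	}
}
```

The body returned by BuildNewOrder is what a client would sign into the JWS and POST to the CA's newOrder URL; the CA is still free to ignore or reject the requested window, so a real client must read the validity back from the issued certificate rather than trust its own request. The renewal check is deliberately keyed to a fraction of the lifetime rather than a fixed number of days, so the same policy works whether the certificate lasts 3, 7 or 90 days.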
🧗‍♂️ Matt Holt (@mholt6):
I forget exactly when, but some time ago Caddy became the first (and only, so far?) server to implement all 10 of Sleevi's famous OCSP implementation recommendations. @caddyserver has the most robust and mature OCSP implementation of any server available. gist.github.com/sleevi/5efe9ef…
DaKnOb (@DaKnObCS):
@mholt6 I’ve gotten some of my certs down to 3 days and daily renewals without problems. Would you consider adding support for custom validity to Caddy / your libraries to request them via ACME? I would be happy to trial 3 or 7 day certs with Caddy!
🧗‍♂️ Matt Holt (@mholt6):
We have cert lifetimes down to 90 days. Get it down to 7 and there's practically no need for revocation at all. I know that's a tall order, but if we can dispose of all our revocation infrastructure, we can use those resources for issuance instead.