HackerTrans
TopNewTrendsCommentsPastAskShowJobs

kenniskrag

502 karmajoined hace 7 años

Submissions

Mastodon: Don't use "Mastodon" or "mstdn" in domain names

github.com
4 points·by kenniskrag·hace 3 meses·8 comments

comments

kenniskrag
·hace 20 horas·discuss
I think compression would reduce the problem not? I think if you swap the wire format to something like jsonb you would need to parse it again anyway and pay the cpu time.
kenniskrag
·hace 2 meses·discuss
acme.sh supports multiple CAs there is even a RFC for CAs that describe the api.
kenniskrag
·hace 2 meses·discuss
I would define high as "double time needed to fix a dns issue" and account for weekends
kenniskrag
·hace 2 meses·discuss
What's the threat model. Where do you store the decryption key?

E.g. if my app needs a db connection I can ask a vault service but I need creds for that. The vault service can rotate the creds very fast but is it addition security.
kenniskrag
·hace 2 meses·discuss
Edit:

Banking has no selfservice password reset. A lot of work for customer support due to identification. Nobody wants to do that for free and if the accounts are freenyou may get DOSed by bots which trigger passwort resets.
kenniskrag
·hace 2 meses·discuss
> But then your hardware dies

A lot of services have password reset email features. If the email account has passkey you're screwed. But restore by snail mail can be possible but slow (for paid services). More secure? Don't know but same category of problems already known due to sim swapping attacks in mobile sector. But for sure the Mail account is a high value target.

Storing passkeys in a database may be possible but complex to do it right e.g. backup verification, avoiding to leak while backup etc.
kenniskrag
·hace 3 meses·discuss
Pull request to notify on setup (2 weeks old): https://github.com/mastodon/mastodon/pull/38548
kenniskrag
·hace 3 meses·discuss
Is that legal? Do you avoid uploading somehow?
kenniskrag
·hace 5 meses·discuss
Not if the advertise zero knowledge encryption. As far as I understand the password sharing / collaboration feature is often the problem.

Second: The provider can get the passwords with a simple server change.
kenniskrag
·hace 5 meses·discuss
> Much like the other products we analyse, 1Password lacks authentication of public keys. This trivially enables sharing attacks similar to BW09, LP07 and DL02, something that the 1Password whitepaper...

> IMPACT. Complete compromise of vault confidentiality and integrity. The adversary can read and decrypt all vault con- tents encrypted after the attack, including passwords, credit card information, secure notes, and other sensitive data stored in the vault. Similarly, they can inject new items into the vault after the attack. REQUIREMENTS. The client fetches key material from the server, for example due to the user logging in on a new device. If executed on a non-empty vault, the attack results in the client losing access to all items already in their vault, while leaking any new items added to the vault after the attack took place. If the attack is executed at the time of vault creation, the attack is effectively undetectable by the client, since it cannot distinguish between a ciphertext it created and the ciphertext created by the server during the attack. PROPOSED MITIGATION. A straightforward mitigation is to have the client sign vault keys using the RSA private key in the keyset before encrypting them with the RSA public key. Ideally, two different key pairs would be used for...

from the paper: https://eprint.iacr.org/2026/058.pdf
kenniskrag
·hace 5 meses·discuss
In europe you need identification to buy a sim or esim.

https://www.reddit.com/r/europe/comments/9ziqfi/european_cou...
kenniskrag
·hace 5 años·discuss
Never heard about windex. Now I know.
kenniskrag
·hace 5 años·discuss
What do you have to implement?
kenniskrag
·hace 5 años·discuss
> toying with the idea of dropping daylight

Europeans turn back clocks for daylight saving, perhaps for last time. source: https://www.dw.com/en/europeans-turn-back-clocks-for-dayligh...
kenniskrag
·hace 5 años·discuss
Is cgit read only? Or do you have to restrict access (e.g. push)
kenniskrag
·hace 5 años·discuss
> there were bugs allowing people to push repos into other people's accounts (someone ran rampant on codeberg), you can view private repos via the Pages system and whatnot.

Do you have a bug report? I'm a gitea user and want to reproduce it.
kenniskrag
·hace 7 años·discuss
What do you recommend as server software for riot? I had some problems with the various bridges which the default server currently provides. Is the default server also provided with synapse?