As of July 2022, only 55% of sites have secure SSL implementations (configuration errors and renegotiation vulnerabilities seem to drive the 45% who are insecure). - SSL Pulse, Qualys SSL Labs - a monthly scan of security issues in SSL implementations across the top 150k Alexa sites (https://www.ssllabs.com/ssl-pulse/). Methodology (https://github.com/ssllabs/research/wiki/SSL-Server-Rating-G...).
This is really cool stuff. Does anyone have a good comparison between Privacy Pass and Anon-Pass (https://eprint.iacr.org/2013/317.pdf)? Is one better for subscriptions than the other?
Circle also does monthly attestations - independent, signed reviews by third party accountants - on USDC holdings. Those are available here: https://www.circle.com/en/usdc#transparency
I looked and the April '22 attestation seemed fine.
Even the FT article seems to walk back its claims about changes in the attestations as worrying, seems like their source actually is more concerned about digital currencies in general:
> “The problem to me isn’t the specifics of any one attestation, it’s the fundamental workings of these kinds of systems,” said Grey.
This is in addition to a managed database offering (mlab) for availability purposes, to reduce customer site downtime in the event of a hardware failure (keeps multiple follower copies replicated).
The oldest message from the twitter screenshot looks ~8 days old.
In the second tweet the user says "3 chats before the outage and now 15+ or more chats which I deleted before the week or two."
Two weeks (and in screenshots, only 8 days shown) does not seem surprising. Especially given the increasing rate of internet shutdowns across the globe [1].
E2EE is too important to play fast and loose with.
[1] "In 2020, Access Now and the #KeepItOn coalition documented at least 155 internet shutdowns in 29 countries." (https://www.accessnow.org/keepiton/)
These look like messages being re-sent from the service to the client.
This is not surprising - when you ask someone else to route messages for you, even encrypted messages, you are giving them the (encrpyted) payload and asking them to route it for you.
If you have a large network with billions of users, it's reasonable that some of the users' phones may be offline some of the time.
Should the service just drop messages on the floor when that happens, or buffer them in some queue (recall, they're E2EE) that gets emptied every so often?
Now assume all your infra has a hiccup (outage) and goes offline, and then comes online again.
Probably the retry logic didn't synch correctly and attempted to retransmit encrypted messages that had already been delivered.
1. Backups are opt-in - just as they have always been.
2. The E2EE backups do not rely on HSM's - they rely on a client-side only key derived by the WhatsApp client, on the user's phone.
3. The client-side key backup does not rely solely on HSM's - naturally, the client-side key must be backed up in case the user loses their phone. This key is itself encrypted and stored remotely (whether this is on third-party cloud or on WA servers is unclear from the report). However, decrypting it requires a user passphrase, known only to the user.
4. The design uses HSM's additively, not as the only support - via an OPAQUE exchange the user can combine their passphrase with a per-user secret stored in the HSM to derive, client-side, the key that unwraps the backup key. OPAQUE ensures WA cannot learn the user key material required to derive the key that unwraps the backup key.
This is all on page 6 of the published NCC report.
thanks for the reply! will have to check out Stripe's email/orderflow integrations, didn't know about those :)
does TypeDream support custom email domains? (example: [email protected])
re: A/B testing - my use-case is pretty simple. i have some assets i'd like to sell and want to A/B test what landing page converts the best (could also be useful to A/B test what landing page converts to the highest price/longest subscription if someone's selling subs).
alternative use-case -- A/B test what article titles lead to the most search engine (or other inbound referral) traffic. let's say i have a set of content i've created, i'd like to have test same blog post with different article titles to know which one performs the best
This is super cool work, congrats! I've been looking for a good low/no-code tool to build a static website to sell some assets I've developed, wondering if TypeDream can fit the bill.
How easy is it to:
+ A/B test pages (e.g. for conversions)
+ Measure user interaction to understand incoming referral, bounce rate, time on page, user journey, etc.
+ Integrate with other automation tools like n8n.io
I'm new to this so apologies if some of this is better served by other tools (suggestions welcome!).
For example, in addition to the stuff above, i'd like to:
+ send transactional emails to customers who buy a product
+ send update emails to customers when the product gets an update
+ add orders to Airtable/Google Sheets to track sales
(these could be handled with some automation integrations like n8n)
On the site itself, is it possible to:
+ allow comments (simple way to do this might be to include a twitter post with the article URL, displaying the twitter replies as comments on the TypeDream website)
Disclaimer: I'm exploring an open source, community VPN called OpenRelay here: https://github.com/triumphantomato/openrelay