HackerTrans
トップ新着トレンドコメント過去質問紹介求人

Ayesh

no profile record

コメント

Ayesh
·2 か月前·議論
PHP has quite a lot of oddities such as how loose comparisons (`==`) are made, numeric-strings, and type coercion. But the two oddities mentioned in the article are not that "odd" with a bit of context.

- PHP has `SplFixedArray`[^1] that work similar to the standard arrays you expect from other languages. SPL extension is always available in PHP 5.3+, it is not even possible to compile PHP without it anymore. There is no specific type for list-arrays and associative arrays, but there is an `array_is_list` function to quickly check it.

- For typed properties, if a property is not typed, it is effectively considered `mixed $var = null`. If the property is typed, and has no default value, then it is considered uninitialized, and not allowed to access.

[^1]: https://www.php.net/manual/en/class.splfixedarray.php
Ayesh
·5 か月前·議論
I think the previous post is talking about a search that will find the sibling domain names that have obtained certificates with the same account ID. That is a strong indication that those domains are in the same certificate renewal pipeline, most likely on the same physical/virtual server.
Ayesh
·5 か月前·議論
I'm surprised the ballot passed, unanimously even! I get that storing the DNS credentials in the certificate renewal pipeline is risky, but many DNS providers have granular API access controls, so it is already possible to limit the surface area in case the keys get leaked. Plus, you can revoke the keys easily.

The ACME account credentials are also accessible by the same renewal pipelines that has the DNS API credentials, so this does not provide any new isolation.

~It's also not quite clear how to revoke this challenge, and how domain expiration deal with this. The DNS record contents should have been at least the HMAC of the account key, the FQDN, and something that will invalidate if the domain is transferred somewhere else. The leaf DNSSEC key would have been perfect, but DNSSEC key rotation is also quite broken, so it wouldn't play nice.~

Is there a way to limit the challenge types with CAA records? You can limit it by an account number, and I believe that is the most tight control you have so far.

---

Edit: thanks to the replies to this comment, I learned that this would provide invalidation simply by removing the DNS record, and that the DNS records are checked at renewal time with a much shorter validation TTL.
Ayesh
·5 か月前·議論
Yes, and it's not that long ago, or I aged really quickly.

For code signing certificates and EV certificates, (and OV certificates, if they are even alive), this is still the case.
Ayesh
·5 か月前·議論
LetsEncrypt doesn't see your private key when you obtain the certificate. So no, it's not _really_ a juicy target.
Ayesh
·5 か月前·議論
If you update via Winget, you are probably safe.

Winget downloads the installer from GitHub: https://github.com/microsoft/winget-pkgs/blob/master/manifes...
Ayesh
·7 か月前·議論
Microsoft had a very fair shot at redeeming themselves, but with how Teams, GitHub and all the AI crap they push into GitHub and Windows, it's clear they have not changed one bit.
Ayesh
·7 か月前·議論
I know that HN replies must carry some substance, unlike majority of Reddit comments. But I wanted to say that this comment read line a poem to me.
Ayesh
·7 か月前·議論
Local meetups are very easy to get selected into, and they often have two or three speakers lined up, with a balance of speakers they know and are experienced, and new speakers.

Most of the time, the organizers are squeezed to find a speaker, so you are pretty much guaranteed to be offered a slot if you just ask the host.
Ayesh
·7 か月前·議論
I imagine it'll go against your talk getting into the shortlist.

But there are some conferences that ask and respect your preference whether you'd like the video recording to have your face or just the audio. But I have yet to see a conference that go as far as asking the audience to not take photos of the presenter, so it's pretty much moot if you do not want your photos published at all.
Ayesh
·7 か月前·議論
To prove a very important point, that EV certificates are broken, someone obtained a "Stripe Inc." EV certificate by registering a company in a different state.

https://arstechnica.com/information-technology/2017/12/nope-...

(The original site is no more, but this Arstechnica article has screenshots and a good summary)
Ayesh
·7 か月前·議論
Considering how many ACME clients are available today with all sorts of convenient features, and that many web servers nowadays have ACME support built in (Caddy, Apache mod_md, and recent Nginx), I believe that people who don't automate ACME certificates are the people who get paid hourly and want to keep doing the same boring tasks to get paid.
Ayesh
·7 か月前·議論
https://github.com/letsencrypt/boulder

You can find a docker-compose.yml file to get some idea.

Appears to be using MariaDB.

They shut down OCSP responders and expiry email reminders, so there really is no need to have a database apart from rate limits, auth data, and caching.

For Certificate Transparency, they are submitted to Google and CloudFlare run trees but I don't think LetsEncrypt run their own logs.
Ayesh
·7 か月前·議論
As someone else mentioned, it's a non-profit, so I guess it's not technically possible to get acquired.

But I personally believe that the people behind LetsEncrypt genuinely care about the mission and will never sell out for their personal benefit.

If there was a list of organizations that bring the most impactful things to tech per each dollar received in donations and per each employee, ISRG will be up there at the top.
Ayesh
·7 か月前·議論
It's been a long time so this is my fading memory, but CAs used to generate a private key on their end and let you download both private key and the certificate containing the public key. The non-technical person who paid big money for the certificate then emails the zip file to the developer. That's when StartTLS wasn't that big back then either.

Just comically bad way to obtain certs.
Ayesh
·8 か月前·議論
This must be how winning in life feels like. I wish your family good health.
Ayesh
·8 か月前·議論
the MySQL extension was dropped in PHP 7.0.
Ayesh
·8 か月前·議論
iOS shoots HEIF natively I think.

Raw photos probably are shot in DNG. DNG "images" are popular for raw images because theyb can be losslessly converted from to the camera raw formats like the Nikon's, and DNG is open source and royalty free.
Ayesh
·8 か月前·議論
Thank you. The linked third party article is a terrible incomplete rehash.
Ayesh
·8 か月前·議論
Canonical URLs come to the rescue.