HackerTrans
トップ新着トレンドコメント過去質問紹介求人

kenniskrag

502 カルマ登録 7 年前

投稿

Mastodon: Don't use "Mastodon" or "mstdn" in domain names

github.com
4 ポイント·投稿者 kenniskrag·3 か月前·8 コメント

コメント

kenniskrag
·16 時間前·議論
I think compression would reduce the problem not? I think if you swap the wire format to something like jsonb you would need to parse it again anyway and pay the cpu time.
kenniskrag
·2 か月前·議論
acme.sh supports multiple CAs there is even a RFC for CAs that describe the api.
kenniskrag
·2 か月前·議論
I would define high as "double time needed to fix a dns issue" and account for weekends
kenniskrag
·2 か月前·議論
What's the threat model. Where do you store the decryption key?

E.g. if my app needs a db connection I can ask a vault service but I need creds for that. The vault service can rotate the creds very fast but is it addition security.
kenniskrag
·2 か月前·議論
Edit:

Banking has no selfservice password reset. A lot of work for customer support due to identification. Nobody wants to do that for free and if the accounts are freenyou may get DOSed by bots which trigger passwort resets.
kenniskrag
·2 か月前·議論
> But then your hardware dies

A lot of services have password reset email features. If the email account has passkey you're screwed. But restore by snail mail can be possible but slow (for paid services). More secure? Don't know but same category of problems already known due to sim swapping attacks in mobile sector. But for sure the Mail account is a high value target.

Storing passkeys in a database may be possible but complex to do it right e.g. backup verification, avoiding to leak while backup etc.
kenniskrag
·3 か月前·議論
Pull request to notify on setup (2 weeks old): https://github.com/mastodon/mastodon/pull/38548
kenniskrag
·3 か月前·議論
Is that legal? Do you avoid uploading somehow?
kenniskrag
·5 か月前·議論
Not if the advertise zero knowledge encryption. As far as I understand the password sharing / collaboration feature is often the problem.

Second: The provider can get the passwords with a simple server change.
kenniskrag
·5 か月前·議論
> Much like the other products we analyse, 1Password lacks authentication of public keys. This trivially enables sharing attacks similar to BW09, LP07 and DL02, something that the 1Password whitepaper...

> IMPACT. Complete compromise of vault confidentiality and integrity. The adversary can read and decrypt all vault con- tents encrypted after the attack, including passwords, credit card information, secure notes, and other sensitive data stored in the vault. Similarly, they can inject new items into the vault after the attack. REQUIREMENTS. The client fetches key material from the server, for example due to the user logging in on a new device. If executed on a non-empty vault, the attack results in the client losing access to all items already in their vault, while leaking any new items added to the vault after the attack took place. If the attack is executed at the time of vault creation, the attack is effectively undetectable by the client, since it cannot distinguish between a ciphertext it created and the ciphertext created by the server during the attack. PROPOSED MITIGATION. A straightforward mitigation is to have the client sign vault keys using the RSA private key in the keyset before encrypting them with the RSA public key. Ideally, two different key pairs would be used for...

from the paper: https://eprint.iacr.org/2026/058.pdf
kenniskrag
·5 か月前·議論
In europe you need identification to buy a sim or esim.

https://www.reddit.com/r/europe/comments/9ziqfi/european_cou...
kenniskrag
·5 年前·議論
Never heard about windex. Now I know.
kenniskrag
·5 年前·議論
What do you have to implement?
kenniskrag
·5 年前·議論
> toying with the idea of dropping daylight

Europeans turn back clocks for daylight saving, perhaps for last time. source: https://www.dw.com/en/europeans-turn-back-clocks-for-dayligh...
kenniskrag
·5 年前·議論
Is cgit read only? Or do you have to restrict access (e.g. push)
kenniskrag
·5 年前·議論
> there were bugs allowing people to push repos into other people's accounts (someone ran rampant on codeberg), you can view private repos via the Pages system and whatnot.

Do you have a bug report? I'm a gitea user and want to reproduce it.
kenniskrag
·7 年前·議論
What do you recommend as server software for riot? I had some problems with the various bridges which the default server currently provides. Is the default server also provided with synapse?