That's this code: https://github.com/mailpile/Mailpile/blob/master/mailpile/conn_brokers.py
The connection broker uses with-block to selectively monkey patch the socket library, so third party code would make outgoing #TLS and/or #Tor connections according to a configurable security policy.
Pretty cool! I have yet to port this to #moggie, but I will for sure.
The security researcher just grepped and skimmed, they missed the fact that not only did I solve the problem, I knocked that one out of the park.
I politely told them so. ;-) (3/3)
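A minimal sketch of the pattern described above (a with-block that swaps `socket.socket` for a policy-enforcing subclass and restores it on exit). This is an added example, not Mailpile's conn_brokers code; the policy, the `PolicySocket` name and the TEST-NET address used below are constructed for illustration.

```python
import socket
from contextlib import contextmanager

class ConnectionPolicy:
    """Constructed policy: remote hosts only on the HTTPS port, plaintext only to
    loopback. A real broker would also decide when to route over Tor."""
    def __init__(self, plaintext_ok=("127.0.0.1", "::1", "localhost")):
        self.plaintext_ok = set(plaintext_ok)
        self.log = []  # every connect attempt the broker saw, for auditing

    def check(self, host, port):
        self.log.append((host, port))
        if host in self.plaintext_ok or port == 443:
            return
        raise PermissionError(f"policy: refusing {host}:{port} (no TLS)")

@contextmanager
def brokered_sockets(policy):
    """Inside the block socket.socket is a subclass whose connect() consults the
    policy first; the original class is restored on exit, even if the body raises.
    Caveat: code that did `from socket import socket` earlier keeps the original."""
    original = socket.socket

    class PolicySocket(original):
        def connect(self, address):
            policy.check(address[0], address[1])
            return super().connect(address)

    socket.socket = PolicySocket  # rebinds the name socket.create_connection uses too
    try:
        yield policy
    finally:
        socket.socket = original

def broker_active():
    """True while the monkey patch is in place."""
    return socket.socket.__name__ == "PolicySocket"

def attempt(policy, host, port):
    """Connect inside a brokered block; return 'refused' or 'allowed'.
    The policy runs before any packet is sent, so refusals need no network."""
    with brokered_sockets(policy):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect((host, port))
        except PermissionError:
            return "refused"
        except OSError:
            return "allowed"  # policy passed; the real connect failed offline
        finally:
            s.close()
    return "allowed"
```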
@heisec how about some context? Or mentioning that corresponding tools have been available from the open source world for a long time?
True, that doesn't generate clicks... and asking someone who knows the subject, for example from the QA field, is probably too much as well.
#security #TLS #verschlusselung #Test
Wired for #Hybrid - #DeepDive 2 - Azure #FrontDoor
Azure Front Door is a modern cloud Content Delivery Network that provides fast, reliable, and secure access between your users and your applications' static and dynamic web content across the globe. We all should care ab [...]
https://bit.ly/42o4DHm #application #Front #Door #content #TLS
Source: Microsoft Tech Community ITOps Talk Blog
#hybrid #deepdive #frontdoor #application #Front #door #content #TLS
Uhhh, given I have access to a server's private #TLS key, shouldn't I be able to decrypt any pcap traffic I captured with #Wireshark?
However, https://wiki.wireshark.org/TLS#tls-decryption seems to tell me that this only works with TLSv1.2 and RSA? And for everything else I need to do something on the client? This ... doesn't sound right.
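The Wireshark wiki is right: the server's private key only recovers session keys when the cipher suite uses plain RSA key exchange (TLS 1.2 or earlier); with (EC)DHE suites and all of TLS 1.3 the keys are never encrypted to that key, so you need per-session secrets such as an SSLKEYLOGFILE from an endpoint. As an added example (not from the original post), this parser reads a ServerHello record and reports whether a capture is decryptable with the server key alone; the cipher-suite subset and the sample ServerHello builder are constructed here.

```python
import struct

# Constructed subset of IANA cipher-suite ids using plain RSA key exchange: the
# client encrypts the pre-master secret to the server's public key, so the
# server's private key alone recovers the session keys.
RSA_KX_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
SUPPORTED_VERSIONS_EXT = 0x002B  # TLS 1.3 signals its real version here

def parse_server_hello(record: bytes) -> dict:
    """Return negotiated version and cipher suite from a ServerHello record."""
    ctype, _legacy_rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 0x16 or hs[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = int.from_bytes(body[:2], "big")  # legacy_version
    off = 35 + body[34]                         # skip random + session_id
    suite = int.from_bytes(body[off:off + 2], "big")
    off += 3                                    # cipher suite + compression
    exts = b""
    if len(body) >= off + 2:
        exts = body[off + 2:off + 2 + int.from_bytes(body[off:off + 2], "big")]
    while len(exts) >= 4:
        etype, elen = struct.unpack("!HH", exts[:4])
        if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
            version = int.from_bytes(exts[4:6], "big")  # TLS 1.3 real version
        exts = exts[4 + elen:]
    return {"version": version, "cipher_suite": suite}

def decryptable_with_server_key(record: bytes) -> bool:
    """True only for TLS <= 1.2 with RSA key exchange; anything else needs
    per-session secrets (e.g. an SSLKEYLOGFILE) from an endpoint."""
    info = parse_server_hello(record)
    return info["version"] <= 0x0303 and info["cipher_suite"] in RSA_KX_SUITES

def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample ServerHello (zero random, empty session id)."""
    legacy = 0x0303 if version == 0x0304 else version
    exts = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, 0x0304) if version == 0x0304 else b""
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, legacy, len(hs)) + hs
```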
I asked this in a poll in 8/2021 on Mastodon.technology, now it's time for a refresher: to improve #security I'm finally considering really dropping support for #TLS 1.0/1.1 (see https://blog.qualys.com/product-tech/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols and e.g. https://www.ssllabs.com/ssltest/analyze.html?d=apt.izzysoft.de). This would basically affect devices running Android < 4.4. As I do not want to lock anybody out, I'd like to see how many of you this would affect.
🇩🇪 Anyone else still on Android < 4.4 and thus dependent on TLS 1.0/1.1 (1. yes, 2. doesn't matter, 3. no)?
So:
Code review for my #BIND9 authenticator tool, which handles #ACME #DNS challenges with a per-zone grant policy (instead of CNAME magic, full-domain grants, or per-DNS-RR configuration), has survived its first code review (thx @ #C3Review). Mostly minor things; patches follow later.
The tool is available at: https://gitlab.com/BenBE/bind9-acme-auth/
Status: still needs some polish, but quite usable as a stable beta. Feedback welcome.
#LetsEncrypt #ACME #BIND9 #DynDNS #nsupdate #Review #SSL #TLS
#bind9 #acme #dns #C3Review #letsencrypt #DynDNS #nsupdate #review #SSL #TLS
Compare expiration dates of a website’s TLS certificate and a local certificate file using a simple shell script: http://tlsCExp.sh https://gist.github.com/jzdm/8532dc1e8b4372b84093014cd053680d
#TLS #LetsEncrypt #tlsCExp
@aral @cjd Alternatives to #TLS end/
If you're thinking of #SmallWeb and #SmallTech and a #decentralized #Internet, think about security more broadly than TLS. TLS is useful, but the security story is broader than that. I could go on: #Tor hidden services, #ssh, #freenet, etc., are all things that secure without TLS. Many of the things I've mentioned secure BETTER than TLS, at least in some respects.
#web0 should be broad, about all this!
#Web0 #freenet #SSH #Tor #Internet #decentralized #SmallTech #SmallWeb #TLS
@aral @cjd Alternatives to #TLS 5/
Projects such as #FreedomBox aim to put many of the technologies I've mentioned here, and then some (eg, #BitTorrent) in the hands of people via very low cost hardware and Open Source software on it.
@aral @cjd Alternatives to #TLS 4/
TLS only protects data in motion. It does not protect against, e.g., a hacked webserver. Things such as #OpenPGP (#gpg or #sequoia) signatures still have a place and prove more about authenticity than TLS does. With signed content, in fact, TLS is much less useful (maybe preventing an attacker from showing you outdated content), which is why many Debian mirrors -- whose content is fully authenticated by apt -- have historically been non-https.
@aral @cjd Alternatives to #TLS 3/
Multiple app-level projects exist to build a distributed Internet (or web), and most of them have E2E encryption built in. Examples: #IPFS and #DAT/#Hyperdrive as distributed filesystems/websites, #libp2p for general communication, #Scuttlebutt (gossip) for social, #Syncthing for data sync, #NNCP for asynchronous transfer, #Meshtastic, #jami and #briar for E2E IM, etc.
#Briar #Jami #meshtastic #NNCP #Syncthing #scuttlebutt #libp2p #dat #IPFS #TLS
@aral @cjd Alternatives to #TLS 2/
Moving up a layer, TLS can be used without public CA infrastructure (e.g., #Syncthing) by exchanging key validation information by other means. Also, the #Noise protocol is a viable TLS alternative in many cases.
@aral Alternatives to #TLS [thread]
1/
There are lots of alternatives to TLS out there. At the protocol layer, things such as #Yggdrasil and #ipsec can make things secure. #Yggdrasil, like @cjd 's #Hyperboria (#cjdns) before it, is an overlay network where every target IP is essentially a public key. #DNSSEC also helps here.
#DNSSEC #cjdns #hyperboria #ipsec #Yggdrasil #TLS
@zeh 2/ As I reflect on this, I'm going to make a bold and possibly wrong assertion: #Signal is the first and only system the world has seen that makes strong cryptography easy to adopt correctly for everyone.
I was using #PGP in the 90s, still use #GPG, and of course there's #TLS, but none of these are easy to get right.
Signal isn't perfect but it's better than the alternatives people are used to, and that right there is huge.
Check If Your Domain Is Affected By Letsencrypt CAA Rechecking Bug #Letsencrypt #CA #TLS #SSL #CertificateAuthority #cat
https://www.ostechnix.com/check-if-your-domain-is-affected-by-letsencrypt-caa-rechecking-bug/
#cat #CertificateAuthority #ssl #TLS #ca #LetsEncrypt