Mastodon.at now provides an alternative web interface via Pinafore. If the regular web interface sometimes feels a bit slow for you, or if you simply prefer a single-column client, you can give it a shot here: https://light.mastodon.at/
For more details on Pinafore, see: https://nolanlawson.com/2018/04/09/introducing-pinafore-for-mastodon/
It's time to reset the "days since a major vulnerability in a JWT implementation has been discovered" counter.
Let's Encrypt has enabled Certificate Transparency SCT embedding today, so it's now incredibly easy to roll out the Expect-CT security header.
Chrome will soon make Certificate Transparency mandatory for newly-issued certificates, but a malicious or compromised CA can get around this requirement by backdating certificates. Expect-CT allows you to close this loophole by enabling enforcement for your domain no matter what.
Pretty happy with the upcoming full-text search feature so far. Elasticsearch runs surprisingly well with -Xmx512m on mastodon.at.
Good job, @Gargron
Oh, another closed-source messaging software added support for end-to-end encryption, so it's time for the usual proclamations of how no one should trust it because naturally with open source we read every single line of code before running it, use reproducible builds for everything and all that good stuff
so, uh, DirectAdmin, a fairly popular control panel for shared hosts, is affected by this. Maybe other control panels too
"However, Frans noticed that at least two large hosting providers combine two properties that together violate the assumptions behind TLS-SNI:
* Many users are hosted on the same IP address, and
* Users have the ability to upload certificates for arbitrary names without proving domain control."
huh, so if tls-sni-02 is likely affected too, it's probably something even sillier.
A major CDN allowing deployment of arbitrary, attacker-controlled certs on arbitrary domains under ".acme.invalid"? That'd effectively let you get a cert for any domain hosted on that CDN, both with tls-sni-01 and -02.
I'm gonna need an extra set of hands for the appropriate facepalm if that's actually it
ugh yeah this definitely sounds like someone's actually generating self-signed certs on the fly and putting the SNI value in them, or something equally silly. Maybe a CDN?
Prior to version 3.0.4, the Electron bitcoin wallet/client starts a webserver on localhost with "Access-Control-Allow-Origin: *". That web server effectively exposes an API that can be used to send coins to an address. There is no authentication. Every website users open can use it.
It gets better. The vulnerability was reported publicly on GitHub more than a month ago. The maintainers seemingly didn't realize how much of an issue this was; it took a ping from taviso to get it fixed.
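The wildcard-CORS, no-authentication pattern the two posts above describe, next to a hardened gate, as an added example in Python (not code from the wallet project or the posts' author): `vulnerable_policy` mirrors the behaviour described, `hardened_policy` refuses any browser-originated request and requires a per-process bearer token. The header names checked, the `/rpc` route and the token handling are assumptions.

```python
"""Access policy for a localhost wallet API: the pattern from the post beside a fix."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed per-process secret. A real local client would read it from a
# file with owner-only permissions; a web page has no way to obtain it.
API_TOKEN = secrets.token_urlsafe(32)


@dataclass
class Decision:
    allowed: bool
    status: int
    headers: dict = field(default_factory=dict)


def vulnerable_policy(req_headers: dict) -> Decision:
    """The pattern the post describes: wildcard CORS and no authentication.
    Any page the user has open can POST to localhost and read the reply."""
    return Decision(True, 200, {"Access-Control-Allow-Origin": "*"})


def hardened_policy(req_headers: dict, token: str = API_TOKEN) -> Decision:
    """Assumed fix: browsers are never a client, so reject them; everyone
    else must present the secret. No CORS header is ever emitted, so a
    browser that still gets here sees an opaque response."""
    h = {k.lower(): v for k, v in req_headers.items()}
    # Browsers send Origin on cross-site POSTs and Sec-Fetch-Site on all
    # fetches; a local CLI client sends neither.
    if "origin" in h or h.get("sec-fetch-site") not in (None, "none"):
        return Decision(False, 403)
    # Constant-time comparison of the bearer token.
    presented = h.get("authorization", "").encode()
    expected = f"Bearer {token}".encode()
    if not hmac.compare_digest(presented, expected):
        return Decision(False, 401, {"WWW-Authenticate": "Bearer"})
    return Decision(True, 200)


if __name__ == "__main__":
    # Constructed requests: a page on another origin, and a local client.
    from_page = {"Origin": "https://attacker.example", "Authorization": f"Bearer {API_TOKEN}"}
    from_cli = {"Authorization": f"Bearer {API_TOKEN}"}
    print("page, vulnerable:", vulnerable_policy(from_page).allowed)  # True
    print("page, hardened:  ", hardened_policy(from_page).status)     # 403
    print("cli, hardened:   ", hardened_policy(from_cli).allowed)     # True
```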
Recently, I've spent a lot of time arguing that an email fallback is a really bad idea in two-factor implementations.
Also, in completely unrelated news, reddit accounts were hijacked through a compromised transactional email provider: https://www.reddit.com/r/bugs/comments/7obxkb/mailgun_security_incident_an_update_on_the_state/
@Gargron FYI I broke email confirmation in #6071 (opening link doesn't save the new address), except it's working in my feature branch from that PR, so idk what's going on there. I didn't find anything, but maybe you can recall some other change that landed since 2.1 that could've affected this?
mastodon.at admin | Software Development | DevOps | InfoSec | @patfigel on Twitter | keybase.io/pfg | GPG: 286BE9D35F9FE18A | DM for Signal | Vienna, Austria