Mastodon.at now provides an alternative web interface via Pinafore. If the regular web interface sometimes feels a bit slow for you, or if you simply prefer a single-column client, you can give it a shot here: light.mastodon.at/

For more details on Pinafore, see: nolanlawson.com/2018/04/09/int

It's time to reset the "days since a major vulnerability in a JWT implementation has been discovered" counter.

medium.com/@cintainfinita/knoc

Yes, OpenStack Horizon, sending an HTTP request for every object in a directory is surely the best way to implement directory deletion. I don't mind letting Chrome run for a few days.

Let's Encrypt has enabled Certificate Transparency SCT embedding today, so it's now incredibly easy to roll out the Expect-CT security header.

Chrome will soon make Certificate Transparency mandatory for newly-issued certificates, but a malicious or compromised CA can get around this requirement by backdating certificates. Expect-CT allows you to close this loophole by enabling enforcement for your domain no matter what.

More on (Expect-)CT:
developer.mozilla.org/en-US/do
certificate-transparency.org/
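As an added example (not part of the original post), here is a small Python check for the Expect-CT header value a server actually sends: it parses the directives and reports whether the policy is in enforce mode with a usable max-age, since a header without `enforce` only reports and still lets a backdated certificate through. The minimum max-age threshold and the sample header values are constructed assumptions.

```python
"""Validate an Expect-CT response header value (RFC 9163 syntax)."""
import re
from urllib.parse import urlparse

# A directive is `name` or `name=value`; value is a token or a quoted string.
# Directive names are case-insensitive, duplicates make the header invalid.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^",;\s]+))?\s*(?:,|$)')


def parse_expect_ct(value):
    """Return {name: value_or_None}; raise ValueError on malformed input."""
    value = value.strip()
    directives, pos = {}, 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if not m:
            raise ValueError(f"malformed directive at offset {pos}: {value[pos:]!r}")
        name = m.group(1).lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        raw = m.group(2)
        if raw is not None and raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')  # unquote and unescape
        directives[name] = raw
        pos = m.end()
    return directives


def evaluate_expect_ct(value, min_max_age=86400):
    """Return a list of findings; an empty list means CT is enforced."""
    try:
        d = parse_expect_ct(value)
    except ValueError as e:
        return [f"unparseable header: {e}"]
    findings = []
    if "max-age" not in d:
        findings.append("max-age is required; browsers ignore the header without it")
    elif not (d["max-age"] or "").isdigit():
        findings.append("max-age must be a non-negative integer")
    elif int(d["max-age"]) < min_max_age:  # threshold is an assumption of this example
        findings.append(f"max-age={d['max-age']} is below {min_max_age}; policy expires quickly")
    if "enforce" not in d:
        findings.append("enforce missing: report-only mode, a backdated cert is still accepted")
    elif d["enforce"] is not None:
        findings.append("enforce takes no value")
    if "report-uri" in d:
        u = urlparse(d["report-uri"] or "")
        if u.scheme != "https" or not u.netloc:
            findings.append("report-uri should be an absolute https URI")
    return findings
```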

I discovered white tea and my life just became a lot more expensive :blobdrool:

I don't know about you, but the ElasticSearch integration was THE thing I was waiting for to start doing analytics on user data. Couldn't have done it without it.

Honestly, some people ...

Pretty happy with the upcoming full-text search feature so far. Elasticsearch runs surprisingly well with -Xmx512m on mastodon.at.

Good job, @Gargron :blobpats:

I used to complain about Apple Music recommendations being crap, but I found this in my weekly new music playlist today, so kudos to them for improving the personalization aspect, even if it's based on my professional interests rather than music, I guess.

Oh, another closed-source messaging software added support for end-to-end encryption, so it's time for the usual proclamations of how no one should trust it because naturally with open source we read every single line of code before running it, use reproducible builds for everything and all that good stuff

:blobowoevil:

so, uh, DirectAdmin, a fairly popular control panel for shared hosts, is affected by this. Maybe other control panels too

groups.google.com/d/msg/mozill

:blobsleepless:

community.letsencrypt.org/t/20

"However, Frans noticed that at least two large hosting providers combine two properties that together violate the assumptions behind TLS-SNI:

* Many users are hosted on the same IP address, and
* Users have the ability to upload certificates for arbitrary names without proving domain control."

😢

huh, so if tls-sni-02 is likely affected too, it's probably something even sillier.

A major CDN allowing deployment of arbitrary, attacker-controlled certs on arbitrary domains under ".acme.invalid"? That'd effectively let you get a cert for any domain hosted on that CDN, both with tls-sni-01 and -02.

I'm gonna need an extra set of hands for the appropriate facepalm if that's actually it

ugh yeah this definitely sounds like someone's actually generating self-signed certs on the fly and putting the SNI value in them, or something equally silly. Maybe a CDN?

news.ycombinator.com/item?id=1

Oh, the birdsite discussion on this is awesome. "It's not a vulnerability in Electron, Chrome has a bad browser sandbox."

Moral of the story: fuck cryptocurrencies and their ecosystem.

Prior to version 3.0.4, the Electron bitcoin wallet/client starts a webserver on localhost with "Access-Control-Allow-Origin: *". That web server effectively exposes an API that can be used to send coins to an address. There is no authentication. Every website users open can use it.

It gets better. The vulnerability was reported publicly on GitHub more than a month ago. The maintainers seemingly didn't realize how much of an issue this was; it took a ping from taviso to get it fixed.

Recently, I've spent a lot of time arguing that an email fallback is a really bad idea in two-factor implementations.

Also, in completely unrelated news, reddit accounts were hijacked through a compromised transactional email provider: reddit.com/r/bugs/comments/7ob

@Gargron FYI I broke email confirmation in #6071 (opening link doesn't save the new address), except it's working in my feature branch from that PR, so idk what's going on there. I didn't find anything, but maybe you can recall some other change that landed since 2.1 that could've affected this?

mastodon.at is open to all users and federates with most instances.

🇩🇪 🇦🇹 🇨🇭 mastodon.at is open to all users and is connected with many other instances.