#Pinafore v0.1.4 is out:

- hit Ctrl-Enter / Cmd-Enter to post a toot
- new Cobalt dark theme
- bugfixes

Thanks very much @SpankyWorks @codl @chris!

now provides an alternative web interface via Pinafore. If the regular web interface sometimes feels a bit slow for you, or if you simply prefer a single-column client, you can give it a shot here:

For more details on Pinafore, see:

It's time to reset the "days since a major vulnerability in a JWT implementation has been discovered" counter.

Yes, OpenStack Horizon, sending an HTTP request for every object in a directory is surely the best way to implement directory deletion. I don't mind letting Chrome run for a few days.

Let's Encrypt has enabled Certificate Transparency SCT embedding today, so it's now incredibly easy to roll out the Expect-CT security header.

Chrome will soon make Certificate Transparency mandatory for newly-issued certificates, but a malicious or compromised CA can get around this requirement by backdating certificates. Expect-CT allows you to close this loophole by enabling enforcement for your domain no matter what.

More on (Expect-)CT:
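The header referred to above has a small grammar: a required `max-age`, an optional `enforce` flag, and an optional quoted `report-uri`. The usual rollout is report-only first (no `enforce`, a short `max-age`) and enforcement once the reports stay clean. This is an added example, not code from the original post or from Let's Encrypt: a parser and classifier for an Expect-CT value that a deploy check could run against the header a site actually sends. The header values in the test are constructed. As a caveat, Chrome has since retired the header, because CT logging became a requirement for every certificate it trusts.

```javascript
// Added example, not code from the original post or from Let's Encrypt.
// Parses an Expect-CT response header value (max-age, enforce, report-uri)
// and classifies the policy, so a deploy check can confirm the header is
// what you intended before turning enforcement on.

// Split on commas that are outside double quotes, so a quoted report-uri
// containing a comma is not broken apart.
function splitDirectives(value) {
  return value
    .split(/,(?=(?:[^"]*"[^"]*")*[^"]*$)/)
    .map((s) => s.trim())
    .filter(Boolean);
}

function parseExpectCT(headerValue) {
  const result = { maxAge: null, enforce: false, reportUri: null, errors: [] };
  if (typeof headerValue !== 'string' || headerValue.trim() === '') {
    result.errors.push('empty header');
    return result;
  }
  const seen = new Set();
  for (const directive of splitDirectives(headerValue)) {
    const eq = directive.indexOf('=');
    // Directive names are case-insensitive.
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (seen.has(name)) {
      result.errors.push(`duplicate directive: ${name}`);
      continue;
    }
    seen.add(name);
    switch (name) {
      case 'max-age':
        if (value === null || !/^\d+$/.test(value)) {
          result.errors.push('max-age must be a non-negative integer');
        } else {
          result.maxAge = Number(value);
        }
        break;
      case 'enforce':
        if (value !== null) result.errors.push('enforce takes no value');
        result.enforce = true;
        break;
      case 'report-uri':
        if (value === null) {
          result.errors.push('report-uri needs a value');
          break;
        }
        if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
          value = value.slice(1, -1);
        }
        try {
          const u = new URL(value); // throws unless the URI is absolute
          if (u.protocol !== 'https:') result.errors.push('report-uri should use https');
          result.reportUri = u.href;
        } catch (e) {
          result.errors.push(`report-uri is not an absolute URI: ${value}`);
        }
        break;
      default:
        result.errors.push(`unknown directive: ${name}`);
    }
  }
  if (result.maxAge === null) result.errors.push('max-age is required');
  return result;
}

// 'invalid' | 'disabled' (max-age=0 clears cached state) | 'report-only' | 'enforced'
function classifyPolicy(parsed) {
  if (parsed.errors.length > 0) return 'invalid';
  if (parsed.maxAge === 0) return 'disabled';
  return parsed.enforce ? 'enforced' : 'report-only';
}

module.exports = { parseExpectCT, classifyPolicy };
```

A deploy check would fetch the site's response headers, run `parseExpectCT` on the `Expect-CT` value, and fail the deploy if `classifyPolicy` does not return the stage you expect for that environment (`report-only` while you are still collecting reports, `enforced` afterwards).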

I discovered white tea and my life just became a lot more expensive :blobdrool:

I don't know about you, but the ElasticSearch integration was THE thing I was waiting for to start doing analytics on user data. Couldn't have done it without it.

Honestly, some people ...

Pretty happy with the upcoming full-text search feature so far. Elasticsearch runs surprisingly well with -Xmx512m on

Good job, @Gargron :blobpats:

I used to complain about Apple Music recommendations being crap, but I found this in my weekly new music playlist today, so kudos to them for improving the personalization aspect, even if it's based on my professional interests rather than music, I guess.

Oh, another closed-source messaging software added support for end-to-end encryption, so it's time for the usual proclamations of how no one should trust it because naturally with open source we read every single line of code before running it, use reproducible builds for everything and all that good stuff.

so, uh, DirectAdmin, a fairly popular control panel for shared hosts, is affected by this. Maybe other control panels too


"However, Frans noticed that at least two large hosting providers combine two properties that together violate the assumptions behind TLS-SNI:

* Many users are hosted on the same IP address, and
* Users have the ability to upload certificates for arbitrary names without proving domain control."


huh, so if tls-sni-02 is likely affected too, it's probably something even sillier.

A major CDN allowing deployment of arbitrary, attacker-controlled certs on arbitrary domains under ".acme.invalid"? That'd effectively let you get a cert for any domain hosted on that CDN, both with tls-sni-01 and -02.

I'm gonna need an extra set of hands for the appropriate facepalm if that's actually it

ugh yeah this definitely sounds like someone's actually generating self-signed certs on the fly and putting the SNI value in them, or something equally silly. Maybe a CDN?

Oh, the birdsite discussion on this is awesome. "It's not a vulnerability in Electron, Chrome has a bad browser sandbox."

Moral of the story: fuck cryptocurrencies and their ecosystem.

Prior to version 3.0.4, the Electron bitcoin wallet/client starts a webserver on localhost with "Access-Control-Allow-Origin: *". That web server effectively exposes an API that can be used to send coins to an address. There is no authentication. Every website users open can use it.

It gets better. The vulnerability was reported publicly on GitHub more than a month ago. The maintainers seemingly didn't realize how much of an issue this was; it took a ping from taviso to get it fixed.

Recently, I've spent a lot of time arguing that an email fallback is a really bad idea in two-factor implementations.

Also, in completely unrelated news, reddit accounts were hijacked through a compromised transactional email provider:

Mastodon is a microblogging site that federates with most instances on the Fediverse. Note: This instance will shut down on February 29th, 2020.