hanno

hanno, 1 day ago to random

I told you I wasn't done with BIMI yet. Part of the BIMI spec is that the SVG logos have to be compliant with a Relax NG schema that defines a secure subset of SVG. This does not look like a bad idea. You can easily validate SVGs against this profile with existing XML tools. Yet... if you don't do it, it doesn't help. I noticed that many BIMI certificates contained non-compliant SVGs https://mailarchive.ietf.org/arch/msg/bimi/xzYRH72V2HE9xeUfXK_zUgYSI7k/

hanno, 5 days ago to random

Bekomme die selbe Presemittielung 2x, nur der Einstiegssatz ist anders. "Von Potsdam über Berlin bis nach Cottbus" vs. "Von Nürnberg über Aachen bis nach Berlin". Bin ich wohl sowohl im Westdeutschland- als auch im Ostdeutschland-Presseverteiler...

hanno, 9 days ago to random

I'll be giving a talk at the miniDebConf Berlin about the Debian-OpenSSL-Bug-in-DKIM disclosure, and there is a livestream, in around 1,5 hours. https://berlin2024.mini.debconf.org/

hanno, 12 days ago to random

I'm still not sure if BIMI is just an elaborate joke or a subtle form of parody. I mean... the official recommendation to create BIMI logos in the right format (a subset of SVG) is to save them in another format via adobe illustrator, and then manually edit the XML in a text editor. No, I'm not kidding... https://support.google.com/a/answer/10911027

hanno, 12 days ago to random

Due to a new regulation, green electricity providers in the EU+EEA have to provide their customers information about the countries of origin of their electricity (or the certificates, which... isn't really the same, but I disgress...). If you got something like that lately, can you scan it or make a photo and send it to me? https://hboeck.de/en/contact.html I'd be particularly interested to see those from the "real" green electricity providers.

hanno, 14 days ago to random

There's a conference on guarantees of origin (green electricity certificates) in Iceland. Shall I... ? https://landsvirkjun.com/go-conference

hanno, 14 days ago to random

In case the anonymous person who reported a bug in badkeys via my webpage contact form without leaving any contact info reads this: thanks, it's fixed now. https://github.com/badkeys/badkeys/commit/e5d094a8583418c4c07f365400198c1b81aa5131

hanno, 15 days ago to random

Today, 16 years ago, Debian published a security advisory announcing CVE-2008-0166, a severe bug in their OpenSSL package that effectively broke the random number generator and limited the key space to a few ten thousand keys. The vulnerability affected Debian+Ubuntu between 2006 and 2008. In 2007, an email signature system called DKIM was introduced. Is it possible that people configured DKIM in 2007, never changed their key, and are still vulnerable to CVE-2008-0166? https://16years.secvuln.info/

hanno, 21 days ago to random

For reasons that I cannot disclose right now, but will soon, I recently looked into BIMI. And... I have some concerns. BIMI is a spec built on top of DKIM and DMARC, and allows companies to show a logo beside their emails in supporting frontends (like gmail). It requires purchasing a very expensive certificate, I think the justification for it is dubious, and I am not a fan. But even if we put that aside, it's also very strange on a technical level. 🧵

hanno, 25 days ago to random

I gave a talk at this year's Nullcon about a vulnerability I found in HSTS as implemented in Firefox, and also a general overview of HTTP/HTTPS mixing problems. It wasn't recorded at the conf, so I've now re-recorded the talk. You can find it here: https://www.youtube.com/watch?v=JjMb7Z8ak2k

hanno, 28 days ago to random

Does Python really have no DNS functionality built in at all beyond resolving IPs? I have a use case where I need to get a TXT record, and everything I can find recommends dnspython. If possible, I'd like to avoid adding a dependency.

hanno, 28 days ago to random

Do I know someone or can anyone recommend someone who is a nerd in the EU emission trading system (ETS)?

For two unrelated stories, I have some extremely specific questions.
I'm looking for the kind of person that will not say "oh, I don't know that, sorry", but rather "I don't know that, but I know how to find out, and I will", or "I don't know that, but I know who does".

hanno, 29 days ago to random

Is GNU software really free software? I may legally have the freedom to study it, but it is wrapped in so much GNU buildsystem obscurity that studying it is impossible without a PhD in GNU buildsystem crap. So I don't really have the freedom to study it.

hanno, 1 month ago to random German

Was mich ja an diesem erneuten aufwärmen der Atomdebatte so ärgert ist wie irrelevant das ganze ist. Ich meine reden wir doch mal klartext: Die Atompolitik in Deutschland wird sich nicht mehr ändern, und zwar völlig unabhängig davon wer regiert. Es wird ja niemand ernsthaft erwarten dass man die jetzt im Rückbau befindlichen Kraftwerke nochmal anschaltet. 🧵

hanno, 1 month ago to random

I have seen my fair share of strange reactions and rejections by bugbounty plattforms, but this is new: Rejected, because the report mentions a CVE. No, I have no idea what they are thinking. (I can only guess that they get lots of low quality reports from automated tools mentioning CVEs. But the idea that a security report that mentions a CVE is invalid is... whatever...)