madargon, to random
@madargon@is-a.cat avatar

and me...
Name more iconic love-hate relationship :blobcat_uwucry:

jbzfn, to debian
@jbzfn@mastodon.social avatar

🌀 16 years of CVE-2008-0166 - Debian OpenSSL Bug
— 16years.secvuln.info

"A patch in Debian's and Ubuntu's OpenSSL packages broke the random number generator, effectively limiting the number of possible keys to a few ten thousand plausible variations"

https://16years.secvuln.info/

jschauma, to debian
@jschauma@mstdn.social avatar

On the topic of "key rotation, it's not just for HTTPS", @hanno finds hundreds of DKIM keys apparently generated using the #Debian #OpenSSL predictable PRNG vulnerability from 2008 (CVE-2008-0166):

https://16years.secvuln.info/

(And yes, #BIMI is still stupid.)

bbolli, to ChatGPT
@bbolli@swiss.social avatar

Haha! No, , this is not how you enable TLS session tickets!

9to5linux, to linux
@9to5linux@floss.social avatar

#Linux Weekly Roundup for April 14th, 2024: #Ubuntu 24.04 LTS enters public beta testing, #EndeavourOS devs need #ARM branch maintainer, explicit sync merged in #Xwayland and KWin, #GParted Live patched against XZ backdoor, #OpenSSL 3.3, Ubuntu Pro for #IoT devices, new #KDE Gear and Frameworks releases, new all #AMD Linux #gaming laptop, updated #ArchLinux installer, and more https://9to5linux.com/9to5linux-weekly-roundup-april-14th-2024

#OpenSource #FOSS

shaft, (edited ) to random French
@shaft@piaille.fr avatar

3.3 is out

https://github.com/openssl/openssl/releases/tag/openssl-3.3.0

Here is the changelog¹

https://www.openssl.org/news/cl33.txt

¹ including mojibake - at least in Firefox, because the webserver does not send a nice 'charset=UTF-8' in its content-type header

bagder, to random
@bagder@mastodon.social avatar

unfortunately, the new version does not do good enough for to consider removing the experimental label from it:

https://curl.se/mail/distros-2024-04/0001.html

linuxiac, to security
@linuxiac@mastodon.social avatar

OpenSSL 3.3 debuts with advanced QUIC features, improved API functions, new cryptographic options, and more.
https://linuxiac.com/openssl-3-3-0-released/

yoyo308, to random
@yoyo308@mastodon.online avatar

Here, updating Zorin while I have my coffee. How's your afternoon going?

visone,
@visone@fosstodon.org avatar

@yoyo308

Updating my password script so I can use it with tut and keep the account encrypted in the config.
As well as updating the options for editing and adding passwords ......

So, an afternoon of tinkering

GrapheneOS, to random
@GrapheneOS@grapheneos.social avatar

SSL Labs (https://www.ssllabs.com/ssltest) from Qualys used to be a useful HTTPS testing tool. However, it hasn't received significant updates since 2019 and is now holding back HTTPS security. The biggest issue is that many of the tests don't support TLSv1.3 so it penalizes disabling legacy TLSv1.2.

dboehmer,

@GrapheneOS Good to know. Thanks for the heads up! 👍

Can't we have a version of SSLlabs? Sounds like generally desirable for the whole industry and likely to receive Merge Requests once established. I think many updates would be mere changes of opinions about recommended settings.

jhx, to linux
@jhx@fosstodon.org avatar

Nice little oneliner to display information about a certificate from a website 😎

echo | openssl s_client -showcerts -servername kernel.org -connect kernel.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

Replace "kernel.org" with what you want to query.
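The same inspection step as the one-liner above, as an added example that is not part of jhx's post: instead of pulling the certificate off a live server it generates a throwaway self-signed certificate (a constructed sample, CN "example.test") so it runs offline, runs `openssl x509 -noout -text` on it, pulls out the fields a practitioner looks at first (subject, issuer, expiry, SHA-256 fingerprint), and adds an expiry check with `openssl x509 -checkend`, which is the check you want in a cron job so a certificate about to expire is noticed before clients start failing. It assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI.
# The certificate below is a constructed sample; "example.test" is a made-up name.
set -eu

WORKDIR=$(mktemp -d)
CERT="$WORKDIR/cert.pem"
KEY="$WORKDIR/key.pem"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample input: a self-signed certificate valid for 30 days.
gen_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=example.test" -keyout "$KEY" -out "$CERT" 2>/dev/null
}

# Same inspection step as the one-liner (openssl x509 -inform pem -noout -text),
# applied to a PEM file instead of the s_client output.
show_cert() {
    openssl x509 -inform pem -noout -text -in "$1"
}

# The fields a practitioner checks first, one per function, without the
# "subject=" / "issuer=" / "notAfter=" / "sha256 Fingerprint=" prefixes.
cert_subject()     { openssl x509 -noout -subject -in "$1" | sed 's/^subject=//'; }
cert_issuer()      { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//'; }
cert_not_after()   { openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'; }
cert_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'; }

# Exit 0 if the certificate is still valid for at least $2 more seconds, 1 otherwise.
# openssl x509 -checkend N returns non-zero when the cert expires within N seconds.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# For a live host, feed the s_client output from the one-liner into a PEM file
# and point the functions above at it, e.g.:
#   echo | openssl s_client -servername HOST -connect HOST:443 2>/dev/null \
#       | openssl x509 -outform pem > cert.pem

# Stand-alone run: generate the sample cert and print the same things the
# one-liner would show for a live host, plus the expiry check.
gen_sample_cert
show_cert "$CERT" | head -n 12
printf 'subject: %s\nissuer: %s\nexpires: %s\nsha256: %s\n' \
    "$(cert_subject "$CERT")" "$(cert_issuer "$CERT")" \
    "$(cert_not_after "$CERT")" "$(cert_fingerprint "$CERT")"
if cert_valid_for "$CERT" $((14 * 86400)); then
    echo "OK: valid for at least 14 more days"
else
    echo "WARN: expires within 14 days"
fi
```

Because the sample certificate is self-signed, subject and issuer come out identical; on a real server certificate the issuer line is where you spot an unexpected CA. The exit status of `cert_valid_for` is what makes this usable from monitoring: a non-zero return is the alert.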

s_bergmann, to blender
@s_bergmann@chaos.social avatar

, alongside leading open source organizations including the SoftwareFoundation, Foundation, Software Foundation, Software Foundation, Foundation, and Foundation, announced today a collaborative initiative aimed at establishing common cybersecurity standards in alignment with the European Union’s Cyber Resilience Act ():

https://thephp.foundation/blog/2024/04/02/open-source-community-cra-compliance-initiative/

metabrainz, to random
@metabrainz@mastodon.social avatar

A small step - we have arranged a small annual koha (donation) to some of our open source upstream projects.

Thank you for everything -a

https://blog.metabrainz.org/2024/03/04/supporting-upstream-open-source-projects/

shaft, (edited ) to random French
@shaft@piaille.fr avatar

Free talk idea for : this year marks 10 years since the discovery of the Heartbleed flaw in (discovered, strictly speaking, on 1 April 2014, patched on the 7th)

It could be an opportunity to take stock of the consequences of this flaw:

  • How OpenSSL was managed before and after this discovery
  • The forks that came out of the discovery (LibreSSL, BoringSSL)

I can't be bothered to do the research myself (and besides, there's no DNS in it, so) 😶

tekkie, to infosec
@tekkie@mstdn.social avatar

Interesting insight into how switched from OpenSSL to BoringSSL and why they did so. https://www.fastly.com/blog/boringssl-to-make-tls-more-secure

tekkie,
@tekkie@mstdn.social avatar

@kubikpixel probably rooted in the fact that has never been boring. It always fails when you need it so the engineers just felt anything new should be boring 😅

melroy, to random
@melroy@mastodon.melroy.org avatar

@bagder I couldn't find you yet.. 😭. No stand?

melroy,
@melroy@mastodon.melroy.org avatar

@bagder found you. Nice talk 😎 Here is the post quantum example in curl from k.3.401.

conansysadmin, to Cybersecurity
@conansysadmin@mstdn.social avatar

Build your own secure realm, where the most powerful secret tongues are spoken. #TLS #OpenSSL #cybersecurity #Nginx #OpenSource https://cromwell-intl.com/open-source/nginx-tls-1.3/building-openssl-nginx.html?s=mc

rolle, to opensource
@rolle@mementomori.social avatar

I’m so tired of the capitalist argument that an open source project cannot be successful because it’s based on nonprofit or donations instead of vc funding and corporates.

Some people seem to actually believe in this narrative that Linux, Mozilla products and the Internet itself are all alive solely because of for-profit industries while forgetting that the actual people, inventors, universities and organisations do exist in this world. Also the contributing factors by companies do not nullify the brilliance of the original project. FFS, it is not all because of the money.

mwfc,
@mwfc@chaos.social avatar

@rolle
I am not sure I would include Linux in it, given that kernel work is really a lot of corporate work.

I consider a better example. A lot of academia goes into it and helps to foster a full ecosystem that is dependent on it. Yes, there are plenty of sponsors like Intel, but at its core it has been driven by academics for a long time.
And there are plenty of other ubiquitous libraries. Maybe even products like
sadly is too, being neglected by funding for too long.

heisec, to security German

Security update: vulnerable components put Nessus Network Monitor at risk

Vulnerabilities, including in OpenSSL, put the Nessus Network Monitor monitoring solution at risk.

https://www.heise.de/news/Sicherheitsupdate-Verwundbare-Komponenten-gefaehrden-Nessus-Network-Monitor-9546971.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege
