Posts


hanno, to random
@hanno@mastodon.social avatar

I told you I wasn't done with BIMI yet. Part of the BIMI spec is that the SVG logos have to be compliant with a Relax NG schema that defines a secure subset of SVG. This does not look like a bad idea. You can easily validate SVGs against this profile with existing XML tools. Yet... if you don't do it, it doesn't help. I noticed that many BIMI certificates contained non-compliant SVGs https://mailarchive.ietf.org/arch/msg/bimi/xzYRH72V2HE9xeUfXK_zUgYSI7k/

hanno,
@hanno@mastodon.social avatar

I also noted that Gmail would still display those noncompliant logos. I reported this to Gmail, and the reaction was basically "we don't care". I am honestly most surprised by Google's role in the whole BIMI saga, and not just due to this incident. There are many reasons to dislike Google, but their security people are usually doing very good work. I am surprised that Google is part of the BIMIgroup even though BIMI so clearly is not made with security in mind.

hanno,
@hanno@mastodon.social avatar

My quick and dirty VMC validation script that will check embedded SVGs for compliance can be found here: https://github.com/hannob/vmcval
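The thread above says the BIMI profile is a Relax NG schema defining a secure subset of SVG, and that validation only helps if receivers actually run it. The following is an added example, not the vmcval script and not the BIMI schema: a small allowlist check written against the Python standard library that rejects the kinds of SVG content such a profile is meant to exclude (elements outside an allowlist, event-handler attributes, references to external resources). The element allowlist and the two sample logos are constructed assumptions for this example; the real profile is stricter and is expressed as a schema, so this is an illustration of the check, not a substitute for it.

```python
"""Added example: allowlist check for an SVG logo in the spirit of a
"secure subset of SVG" profile. The allowlist below is an assumption made
for this example, not the BIMI Relax NG schema."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed allowlist (assumption): plain drawing primitives only.
ALLOWED_ELEMENTS = {
    "svg", "title", "g", "defs", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "linearGradient", "radialGradient", "stop",
}


def _split(tag: str):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def check_svg(data: bytes) -> list:
    """Return a list of human-readable violations; [] means the logo passed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    violations = []
    ns, local = _split(root.tag)
    if ns != SVG_NS or local != "svg":
        violations.append("root element is not <svg> in the SVG namespace")

    for elem in root.iter():
        ns, local = _split(elem.tag)
        if ns != SVG_NS or local not in ALLOWED_ELEMENTS:
            violations.append(f"disallowed element <{local}>")
        for attr, value in elem.attrib.items():
            ans, aname = _split(attr)
            # Scripting hooks have no place in a logo.
            if aname.lower().startswith("on"):
                violations.append(f"event handler attribute {aname} on <{local}>")
            # Only same-document references (#id) are acceptable; anything else
            # would make the mail client fetch a resource the sender controls.
            if aname == "href" and ans in ("", XLINK_NS) and not value.startswith("#"):
                violations.append(f"external reference on <{local}>: {value}")
    return violations


# Constructed samples (not real logos, not taken from any certificate).
GOOD_LOGO = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<title>constructed logo</title><rect width="5" height="5"/></svg>'
)
BAD_LOGO = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<script/>'
    b'<image xlink:href="https://example.invalid/remote.png"/>'
    b'<rect onclick="x"/></svg>'
)

if __name__ == "__main__":
    for label, logo in (("good", GOOD_LOGO), ("bad", BAD_LOGO)):
        print(label, check_svg(logo) or "compliant with the constructed allowlist")
```

The point of the check is the order of trust: parse, then refuse anything not explicitly permitted, rather than trying to enumerate dangerous constructs. A receiver that runs even this coarse check before rendering would not have displayed the noncompliant logos the thread describes.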

hanno, to random
@hanno@mastodon.social avatar

I'm getting the same press release twice, only the opening sentence is different. "From Potsdam via Berlin to Cottbus" vs. "From Nürnberg via Aachen to Berlin". I guess I'm on both the West Germany and the East Germany press distribution lists...

hanno, to random
@hanno@mastodon.social avatar

I'll be giving a talk at the miniDebConf Berlin about the Debian-OpenSSL-Bug-in-DKIM disclosure, and there is a livestream, in around 1.5 hours. https://berlin2024.mini.debconf.org/

hanno, to random
@hanno@mastodon.social avatar

I'm still not sure if BIMI is just an elaborate joke or a subtle form of parody. I mean... the official recommendation to create BIMI logos in the right format (a subset of SVG) is to save them in another format via Adobe Illustrator, and then manually edit the XML in a text editor. No, I'm not kidding... https://support.google.com/a/answer/10911027

hanno, to random
@hanno@mastodon.social avatar

Due to a new regulation, green electricity providers in the EU+EEA have to provide their customers information about the countries of origin of their electricity (or the certificates, which... isn't really the same, but I digress...). If you got something like that lately, can you scan it or take a photo and send it to me? https://hboeck.de/en/contact.html I'd be particularly interested to see those from the "real" green electricity providers.

globalc,
@globalc@chaos.social avatar

@hanno One could actually create a map with that, showing the mixes reported all over Europe :)

hanno, to random
@hanno@mastodon.social avatar

There's a conference on guarantees of origin (green electricity certificates) in Iceland. Shall I... ? https://landsvirkjun.com/go-conference

hanno, to random
@hanno@mastodon.social avatar

In case the anonymous person who reported a bug in badkeys via my webpage contact form without leaving any contact info reads this: thanks, it's fixed now. https://github.com/badkeys/badkeys/commit/e5d094a8583418c4c07f365400198c1b81aa5131

hanno, to random
@hanno@mastodon.social avatar

Today, 16 years ago, Debian published a security advisory announcing CVE-2008-0166, a severe bug in their OpenSSL package that effectively broke the random number generator and limited the key space to a few tens of thousands of keys. The vulnerability affected Debian+Ubuntu between 2006 and 2008. In 2007, an email signature system called DKIM was introduced. Is it possible that people configured DKIM in 2007, never changed their key, and are still vulnerable to CVE-2008-0166? https://16years.secvuln.info/

hanno, to random
@hanno@mastodon.social avatar

For reasons that I cannot disclose right now, but will soon, I recently looked into BIMI. And... I have some concerns. BIMI is a spec built on top of DKIM and DMARC, and allows companies to show a logo beside their emails in supporting frontends (like gmail). It requires purchasing a very expensive certificate, I think the justification for it is dubious, and I am not a fan. But even if we put that aside, it's also very strange on a technical level. 🧵

hanno,
@hanno@mastodon.social avatar

The concept involves servers checking a DNS record with references to a logo and a certificate. The server then should set some headers that the MUA uses to show the logo. However... there's an inherent flaw in this: The MUA cannot know whether these headers come from the server or the sender. I raised this issue on the BIMI mailing list: https://mailarchive.ietf.org/arch/msg/bimi/PS8Xf1hQ41oCAwtsUvVsbRSs34Q/

markus,
@markus@uxp.de avatar

@hanno it's called a "verified mark certificate" because it certifies that they verified that you truly are a mark.
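The flaw described in the thread above is that the headers the receiving server sets for the MUA are indistinguishable from headers the sender wrote into the message. The mitigation on the receiving side is mechanical: strip every copy of those headers from inbound mail first, and add them only after the message has been authenticated. The following is an added example, not code from the thread or from any BIMI implementation: an inbound pipeline step using the Python standard library's email package. The header names BIMI-Location and BIMI-Indicator are the ones the BIMI draft uses for the receiver-set headers, and the "v=BIMI1; l=..." value format follows that draft as well; both are assumptions of this example, and the authentication result is a plain boolean standing in for a real DMARC/DKIM evaluation. The sample message is constructed.

```python
"""Added example: strip sender-supplied copies of receiver-only headers
before adding our own. Header names follow the BIMI draft (assumption);
authentication is stubbed as a flag, not a real DMARC check."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Headers only the receiving server is allowed to set (assumed names).
RECEIVER_SET_HEADERS = ("BIMI-Location", "BIMI-Indicator")


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern (policy.default) API."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def strip_receiver_headers(msg: EmailMessage) -> int:
    """Delete every occurrence of the receiver-only headers.

    Returns the number of header lines removed; a non-zero value on inbound
    mail is itself worth logging, because a legitimate sender has no reason
    to include them."""
    removed = 0
    for name in RECEIVER_SET_HEADERS:
        count = len(msg.get_all(name, []))
        if count:
            del msg[name]  # EmailMessage deletes all occurrences
            removed += count
    return removed


def process_inbound(raw: bytes, authenticated: bool, logo_url: str) -> EmailMessage:
    """Inbound pipeline: strip first, then add headers only on success.

    `authenticated` stands in for the DMARC/DKIM/BIMI verification outcome;
    in a real MTA it would come from the authentication stage."""
    msg = parse_message(raw)
    strip_receiver_headers(msg)
    if authenticated:
        msg["BIMI-Location"] = f"v=BIMI1; l={logo_url}"
    return msg


# Constructed sample: a sender that pre-filled the receiver-only headers.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: constructed test message\r\n"
    b"BIMI-Location: v=BIMI1; l=https://example.invalid/not-our-logo.svg\r\n"
    b"BIMI-Indicator: constructed-sender-supplied-value\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    out = process_inbound(SAMPLE, authenticated=False, logo_url="https://mail.example.invalid/logo.svg")
    print("unauthenticated:", out.get_all("BIMI-Location"))
    out = process_inbound(SAMPLE, authenticated=True, logo_url="https://mail.example.invalid/logo.svg")
    print("authenticated:", out.get_all("BIMI-Location"))
```

This only closes the gap between the MTA and the MUA when the MUA talks to that MTA exclusively; a client that also fetches mail from servers that do not strip these headers is back to trusting whatever is in the message, which is the point the thread makes.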

hanno, to random
@hanno@mastodon.social avatar

I gave a talk at this year's Nullcon about a vulnerability I found in HSTS as implemented in Firefox, and also a general overview of HTTP/HTTPS mixing problems. It wasn't recorded at the conf, so I've now re-recorded the talk. You can find it here: https://www.youtube.com/watch?v=JjMb7Z8ak2k

hanno, to random
@hanno@mastodon.social avatar

Does Python really have no DNS functionality built in at all beyond resolving IPs? I have a use case where I need to get a TXT record, and everything I can find recommends dnspython. If possible, I'd like to avoid adding a dependency.

filippo,
@filippo@abyssdomain.expert avatar

@hanno name to IP resolution is provided by the OS, but other DNS lookups are less abstracted tasks so it’s common for them not to be provided by stdlibs, for better or worse
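As the reply above says, the standard library only exposes the OS resolver for name-to-address lookups, so a TXT query means speaking the DNS wire format yourself. The following is an added example, not code from the thread: a minimal TXT lookup over UDP with only `socket` and `struct`, split into a query builder and a response parser so the parser can be exercised offline. It also shows why a library usually earns its dependency: the parser has to handle name compression, check the transaction id, and refuse truncated answers rather than silently returning a partial record. The resolver address (a local stub resolver) and the `_dmarc.example.com` record in the constructed response are assumptions of this example; no TCP fallback, retry or DNSSEC handling is included.

```python
"""Added example: stdlib-only DNS TXT lookup (socket + struct).
Resolver address and the sample record are assumptions of this example."""
import secrets
import socket
import struct

QTYPE_TXT = 16
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'a.b.c' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_txt_query(name: str, txid: int) -> bytes:
    """Header (RD set, one question) + question section for a TXT/IN query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_txt_response(data: bytes, expected_id: int) -> list:
    """Return [(owner_name, [txt strings]), ...] for the TXT answers."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    if txid != expected_id:
        raise ValueError("transaction id mismatch")  # not the reply we sent for
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x0200:
        raise ValueError("truncated answer; retry over TCP")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question
        _, offset = _read_name(data, offset)
        offset += 4
    results = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        if offset + rdlen > len(data):
            raise ValueError("truncated rdata")
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_IN:
            strings, pos = [], 0
            while pos < len(rdata):  # TXT rdata: sequence of <len><bytes>
                n = rdata[pos]
                strings.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            results.append((name, strings))
    return results


def query_txt(name: str, server: str = "127.0.0.53", timeout: float = 3.0) -> list:
    """Send one UDP query and parse the reply. Random id limits blind spoofing."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_txt_response(data, txid)


def constructed_response(txid: int) -> bytes:
    """Constructed sample reply (not a capture): one TXT answer using a
    compression pointer back to the question name at offset 12."""
    question = encode_name("_dmarc.example.com") + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    txt = b"v=DMARC1; p=reject"
    rdata = bytes([len(txt)]) + txt
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    print(parse_txt_response(constructed_response(0x1234), 0x1234))
```

Everything past the header is where the real work hides: a DMARC or DKIM record is regularly split across several TXT strings that must be concatenated, answers may arrive in a different order than the questions, and a UDP reply with the wrong transaction id or a set TC flag must be discarded rather than used. Those are the cases dnspython handles for you.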

hanno, to random
@hanno@mastodon.social avatar

Do I know someone or can anyone recommend someone who is a nerd in the EU emission trading system (ETS)?

For two unrelated stories, I have some extremely specific questions.
I'm looking for the kind of person that will not say "oh, I don't know that, sorry", but rather "I don't know that, but I know how to find out, and I will", or "I don't know that, but I know who does".

hanno, to random
@hanno@mastodon.social avatar

Is GNU software really free software? I may legally have the freedom to study it, but it is wrapped in so much GNU buildsystem obscurity that studying it is impossible without a PhD in GNU buildsystem crap. So I don't really have the freedom to study it.

gsuberland,
@gsuberland@chaos.social avatar

@hanno this and the general culture are serious barriers to entry

hanno, to random German
@hanno@mastodon.social avatar

What annoys me about this renewed rehashing of the nuclear debate is how irrelevant the whole thing is. I mean, let's be frank: nuclear policy in Germany is not going to change anymore, completely regardless of who governs. Nobody seriously expects that the power plants currently being decommissioned will be switched on again. 🧵

hanno,
@hanno@mastodon.social avatar

And new power plants? I simply lack the imagination to see how that could be pushed through anywhere in Germany. But even if. And even if we had, say, a CDU/FDP coalition government in which the biggest nuclear fans from CDU+FDP held the relevant posts. And somehow they even find a district where it gets approval. Then someone would still have to put the money on the table.

wonka,
@wonka@chaos.social avatar

@hanno And the Atomic Energy Act would have to be amended, otherwise no nuclear power plant can be licensed.

hanno, to random
@hanno@mastodon.social avatar

I have seen my fair share of strange reactions and rejections by bug bounty platforms, but this is new: Rejected, because the report mentions a CVE. No, I have no idea what they are thinking. (I can only guess that they get lots of low quality reports from automated tools mentioning CVEs. But the idea that a security report that mentions a CVE is invalid is... whatever...)

bagder,
@bagder@mastodon.social avatar

@hanno agreed. As someone who receives quite a few such reports, I can say that reporters often and quite legitimately refer to other and previous CVEs in their reports when backing up statements and comparing with previous problems etc...
