Esa Jokinen

Please consider direct messages on Mastodon as public; use email & PGP for important stuff.

2024-07-31

Once upon a time there was a HTML attribute called Id. She had graduated from the W3 University, specialized in specifying a unique identifier for an HTML element. For her sister, Class, it was much easier to make friends, as she was able to hang out with multiple elements at the same time. Eventually, Id was almost entirely forgotten, and everyone started to invite only Class to every web site party.

One day the testers were thinking it would be nice if there was someone who could give unique identifiers to HTML elements. They hired Mr. Data-Testid from Nonstandardistan for the job even though he was not formally qualified. Unemployed and sad, Id lived unhappily ever after.

(The moral of the story: there is no need to reinvent the wheel.)

#webdevelopment

2024-07-28

Track changes in the CVE database (CVEProject / cvelistV5) `tail -f` style, also printing changes in the CVSS 3.1 scores. Written using only the Python Standard Library, the only external requirement being the Git binary.

#cve #cvelist #vulnerabilities #cvss #opensource

github.com/oh2fih/Misc-Scripts

2024-07-24

CVE-Search v5.1.0 fixes bugs, improves interoperability with the CveXplore library and makes it easier to retry incomplete updates from the NVD API. Read the changelog carefully.

github.com/cve-search/cve-sear

2024-07-23

Let's Encrypt has made implementing DANE even more difficult. The root CA is no longer included in the chain, and the intermediates may change without notice. To address these issues, I wrote a script that automates TLSA record creation from the published intermediates.

#letsencrypt #dane #tlsa #certificatepinning

github.com/oh2fih/Misc-Scripts
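For readers who want to see what "TLSA record creation from the published intermediates" involves, here is an added example (not the script linked above, and not Let's Encrypt's or OpenSSL's code). It uses only the Python standard library: a tiny DER walker pulls the SubjectPublicKeyInfo out of each certificate in a PEM bundle and emits one `2 1 1` (DANE-TA, SPKI, SHA-256) record per intermediate. The certificates in the block are constructed stand-ins with made-up Ed25519 keys and empty Names so that the sample stays small; the walker itself does not depend on that. The owner name `_443._tcp.example.com.` is an assumption.

```python
"""Build DANE-TA (usage 2) TLSA records for every CA certificate in a PEM bundle."""
import base64
import hashlib


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; used here only to construct the sample certificates."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_next(buf: bytes, pos: int):
    """Decode the element at pos; return (tag, content, tlv_start, tlv_end)."""
    start = pos
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], start, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the complete SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert, _, _ = der_next(cert_der, 0)      # Certificate ::= SEQUENCE
    _, tbs, _, _ = der_next(cert, 0)           # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, _, end = der_next(tbs, pos)
    if tag == 0xA0:                            # [0] EXPLICIT version is optional
        pos = end
    for _ in range(5):                         # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = der_next(tbs, pos)
    tag, _, start, end = der_next(tbs, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return tbs[start:end]


def pem_to_ders(pem: str) -> list:
    """Split a PEM bundle into DER certificates (order preserved)."""
    ders, body, inside = [], [], False
    for line in pem.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside, body = True, []
        elif line == "-----END CERTIFICATE-----":
            inside = False
            ders.append(base64.b64decode("".join(body)))
        elif inside:
            body.append(line)
    return ders


def tlsa_rdata(cert_der: bytes, usage: int = 2, selector: int = 1, mtype: int = 1) -> str:
    """RDATA of a TLSA record (RFC 6698): usage selector matching-type data."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {digest}"


def tlsa_records(owner: str, pem_bundle: str) -> list:
    """One 2 1 1 record per intermediate, so a switch to a sibling
    intermediate keeps validating as long as all of them are published."""
    return [f"{owner} IN TLSA {tlsa_rdata(d)}" for d in pem_to_ders(pem_bundle)]


# --- constructed sample input (not real certificates) -----------------------
ED25519_ALG = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2B6570")))   # OID 1.3.101.112


def sample_cert(pubkey: bytes) -> bytes:
    """Structurally valid certificate skeleton around a made-up Ed25519 key."""
    spki = der_tlv(0x30, ED25519_ALG + der_tlv(0x03, b"\x00" + pubkey))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))                     # version v3
                  + der_tlv(0x02, b"\x01")                                   # serialNumber
                  + ED25519_ALG                                              # signature algorithm
                  + der_tlv(0x30, b"")                                       # issuer (empty Name)
                  + der_tlv(0x30, der_tlv(0x17, b"240101000000Z")
                            + der_tlv(0x17, b"250101000000Z"))               # validity
                  + der_tlv(0x30, b"")                                       # subject (empty Name)
                  + spki)
    return der_tlv(0x30, tbs + ED25519_ALG + der_tlv(0x03, b"\x00" + bytes(64)))  # dummy signature


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_KEY_A = bytes(range(32))
SAMPLE_KEY_B = bytes(range(32, 64))
SAMPLE_BUNDLE = to_pem(sample_cert(SAMPLE_KEY_A)) + to_pem(sample_cert(SAMPLE_KEY_B))

if __name__ == "__main__":
    for rr in tlsa_records("_443._tcp.example.com.", SAMPLE_BUNDLE):
        print(rr)
```

Selector 1 hashes the key rather than the certificate, so an intermediate that is re-issued with the same key does not change the record; usage 2 pins the intermediate instead of the end-entity certificate, which is what lets the leaf rotate freely. Fed the PEM bundle of the CA's current intermediates instead of the constructed sample, the output is the record set to publish, and it should be regenerated whenever that bundle changes.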

2024-07-22

The fact that OpenSSH's sshd_config keyword ClientAliveInterval is for detecting unresponsive connections does not change, no matter how many times it is repeated that it monitors session activity.

Debunking this misinformation in
serverfault.com/a/1162840/2741

2024-06-25

@gunstick @adulau Conference spam is easy enough to handle with user+conference suffix, but then someone *called* me to ask about my experience of their booth at the expo. I was brutally honest by answering that I don't recall their company at all, because I was there just for the 🍺 and the swag.

2024-04-14

After some work on bug fixes & improvements for CVE-Search & CveXplore both finally have new releases. 🎉

github.com/cve-search/cve-sear

2023-12-26

@varbin I see. Implementing punycode support in OpenSSH might be way out-of-scope already. Keeping backwards compatibility is hard when implementing new security controls: even disabling uncommon characters by default and enabling them by configuration could break something somewhere. Maybe it is still best to avoid using these variables altogether on hardened configurations.

2023-12-26

@varbin Good point. That justifies the blacklist based solution for the username, but hostnames are still strictly defined and could use a whitelist of characters. That would be a more secure approach for anyone having `%h` but not `%u` in their `ProxyCommand`.

I am also wondering whether Windows could have similar special characters that would require sanitizing in the Windows version of the OpenSSH client.

2023-12-26

@varbin The additional characters from that use case are limited and could be whitelisted, too. Also, "this strictness is applied only to names coming from the commandline", so it does not affect usernames or hostnames specified in the configuration. (It could be wider with an explicit configuration parameter that disables the limitation.)

2023-12-26

Valid characters in hostnames are `a-z`, `A-Z`, `-` and `.`. POSIX usernames can contain these and `_`. Windows is very liberal allowing also `' ! # ^ ~` – of which only `'` is problematic.

Yet, OpenSSH fixes CVE-2023-51385 by blacklisting shell metacharacters rather than whitelisting the possible characters. These functions are even named `valid_hostname()` & `valid_ruser()`, which is not semantically correct. This coding style attracts new vulnerabilities!

github.com/openssh/openssh-por

2023-12-24

How much easier it would be to fight these scams if the hotel industry, including Booking.com, stopped treating credit card information just like the scammers do. It is getting harder and harder to book accommodation because hotels seldom support protection technologies (Verified by Visa, MasterCard SecureCode or Amex SafeKey) but would like to charge the credit card the old-fashioned way. The rush on the final stage also resembles the normal operation of legitimate booking sites an awful lot.

kaspersky.com/blog/booking-com

2023-12-23

@harrysintonen @autiomaa If encryption is deliberately weakened, for example by blocking Forward Secrecy or TLS 1.3, we are getting into a situation where merely leaving Facebook is no longer enough; you would have to disconnect from the entire Internet.

2023-10-28

@haveibeenpwned So, according to troyhunt.com/pwned-or-bot/, 83 % of these people were likely bots. 🤖

2023-10-02

🇫🇮 As of today, it is mandatory to validate the caller IDs of all Finnish (+358) phone numbers between Finnish operators, as Traficom's regulation 28 J/2022 became fully effective. This pretty much ends caller ID spoofing here. 🙌

2023-10-02

Many people still read their email in plain text, but even larger operators sometimes forget to proofread the unformatted versions of their newsletters. A funny residue of a placeholder text was found at the beginning of an announcement from @valimail 📬

2023-09-27

@SwiftOnSecurity This reminds me of an ancient situation where Google had indexed some copier web UI as it did not have a robots.txt. The model had a handy feature for printing a test page with an option to do so [x] continuously. This probably meant "until out of paper" – that was hard to tell from the other side of the Internet.

2023-09-22

@windytan Yes, the extension that brought GIF animations. Is this an animated GIF or is it there always by default?

2023-09-15

Test tools for encryption solutions usually focus on the strength of the ciphers used. I did not find a tool for checking if SSH host keys were shared among servers.

Sharing host keys creates a security risk because the keys can be used to impersonate any of these servers, which completely compromises SSH encryption in man-in-the-middle attacks. This could happen, e.g., when virtual machines are created from a template (or a disk image) without generating new keys to replace all the host keys present; currently ECDSA (NIST curves), EdDSA (Ed25519) and RSA. Furthermore, any compromised server leaking a private key becomes the weakest link that endangers all the other servers.

This Bash script is my first aid for finding shared SSH host keys on your networks.

github.com/oh2fih/Misc-Scripts
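An added example of the check the post describes, in Python rather than the Bash script linked above (it is not that script). It takes `ssh-keyscan`-style lines (host, key type, base64 key blob), computes the same `SHA256:` fingerprint that `ssh-keygen -l` prints, and groups hosts by fingerprint so that any key presented by more than one host stands out. The input is constructed: the key blobs are well-formed SSH wire format around made-up key bytes, not real keys, and the host names are invented.

```python
"""Find SSH host keys shared between servers from ssh-keyscan output."""
import base64
import hashlib
from collections import defaultdict


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def fake_ed25519_blob(seed: int) -> str:
    """Constructed key blob (type name + 32 made-up key bytes), base64-encoded."""
    key = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(key)).decode()


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in ssh-keygen's notation: base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, blob) from ssh-keyscan output; '#' lines are banners."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2]


def shared_host_keys(text: str) -> dict:
    """Map fingerprint -> sorted hosts, for every key seen on more than one host.
    The key type is part of the blob, so distinct types never collide here."""
    seen = defaultdict(set)
    for host, _keytype, blob in parse_keyscan(text):
        seen[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


# Constructed sample: three VMs cloned from the same template kept its key.
KEY_TEMPLATE = fake_ed25519_blob(1)
SAMPLE_KEYSCAN = "\n".join([
    "# 10.0.0.1:22 SSH-2.0-OpenSSH_9.6",
    f"10.0.0.1 ssh-ed25519 {KEY_TEMPLATE}",
    "# 10.0.0.2:22 SSH-2.0-OpenSSH_9.6",
    f"10.0.0.2 ssh-ed25519 {KEY_TEMPLATE}",
    f"10.0.0.3 ssh-ed25519 {fake_ed25519_blob(3)}",
    f"web.example.com ssh-ed25519 {KEY_TEMPLATE}",
])

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(fp, "shared by", ", ".join(hosts))
```

Against a real network the input would come from `ssh-keyscan -f hosts.txt` (one host per line) for each key type in use; a duplicate across hosts means either a template that was cloned without `ssh-keygen -A` or a key that has been copied by hand, and in both cases every listed host needs new keys.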

2023-09-02

I noticed a slight overreaction over a vulnerability, CVE-2023-38408. They suggested building the latest OpenSSH server [sic] from sources over the one packaged in your distribution, although the vulnerability in the ssh-agent affects the OpenSSH client & only if agent forwarding (`-A` / `ForwardAgent`) is enabled.

Vulnerabilities in security critical utilities easily get a high CVSS score, as they could have severe implications for confidentiality, integrity and availability. However, this one is rather easy to mitigate by correct configuration, and it does not affect typical or default configurations.

CVE-2023-38408 OpenSSH CVSS 9.8.
KEEP CALM. Disable agent forwarding & wait for your distribution to backport the fix.
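To act on "disable agent forwarding" you first need to know where it is enabled, and with several config files and `Host` blocks that is not always obvious. Here is an added example (not from the post, and not OpenSSH's parser) that evaluates a client config the way ssh does for this purpose: the first obtained value for a keyword wins, and `Host` patterns use `*`/`?` wildcards with `!` negation. `Match` and `Include` directives are out of scope, fnmatch wildcards stand in for ssh's, and the config text is constructed; all of that is an assumption of the example.

```python
"""Audit an OpenSSH client config for hosts that forward the agent."""
import re
from fnmatch import fnmatchcase


def host_matches(patterns: str, host: str) -> bool:
    """ssh_config Host matching: some positive pattern must match and no
    negated (!) pattern may match."""
    matched = False
    for pat in patterns.split():
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            matched = True
    return matched


def parse_ssh_config(text: str) -> list:
    """Return [(host_patterns, {keyword: first value})] in file order.
    Options before the first Host line apply to every host."""
    blocks = [("*", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value, {}))
        elif key not in blocks[-1][1]:                  # first occurrence wins
            blocks[-1][1][key] = value
    return blocks


def effective_forward_agent(text: str, host: str) -> bool:
    """True unless the first matching block says ForwardAgent no (or nothing
    matches; OpenSSH's default is no). Any other value, including a socket
    path, counts as enabled."""
    for patterns, options in parse_ssh_config(text):
        if host_matches(patterns, host) and "forwardagent" in options:
            return options["forwardagent"].lower() != "no"
    return False


def hosts_forwarding_agent(text: str, hosts) -> list:
    return [h for h in hosts if effective_forward_agent(text, h)]


# Constructed config: a jump host and an internal wildcard forward the agent,
# one build box is excluded, everything else falls through to "no".
SAMPLE_SSH_CONFIG = """
Host jump.example.com
    ForwardAgent yes
Host *.internal !build.internal
    ForwardAgent yes        # overrides nothing above, wins over Host * below
Host *
    ForwardAgent no
"""

if __name__ == "__main__":
    probe = ["github.com", "app.internal", "build.internal", "jump.example.com"]
    print("agent forwarded to:", hosts_forwarding_agent(SAMPLE_SSH_CONFIG, probe))
```

Because the first value wins, a `ForwardAgent no` under `Host *` at the end of the file only covers hosts no earlier block caught; the hosts returned here are the ones where the fix matters until the distribution ships the patched `ssh-agent`.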
