Lmst

DANE is interesting
Checking out mails servers and saw a test for DANE. Time to learn something new? DANE = DNS-based Authentication of Named Entities. Poorly supported in end clients, but I'm liking the ideas presented for verifying what CA is supposed to be the issuing CA. A cross check. May also be useful for self-signed certs. Gonna have to play. https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities #certificates #dane #ssl #tls

@nf3xn i think almost everybody big inspects traffic with proxies #tls #ssl

Who Does This and Why?

You are correct that it's widespread among "big" entities, primarily for the following reasons:

Corporate Networks: To protect assets.

Security: Detect malware, ransomware, data exfiltration, and advanced threats hidden in encrypted traffic.

Data Loss Prevention (DLP): Stop sensitive information (intellectual property, customer data) from being uploaded or emailed out.

Acceptable Use Policy Enforcement: Block access to illegal or inappropriate websites, even if they use HTTPS.

Bandwidth Management: Monitor and control traffic for performance.

@silverpill #TLS could be an issue if global #NTP/123 is down; some users may be surprised that they cannot access the Internet using 'old' devices that do not have the ability to upgrade their software from outdated repositories.

We were having some issues migrating our mediation[1] service to a new platform and after muchos experimentation...it turns out that some quite modern TVs (5-8 years old ish) ignore the SAN list in TLS certs and only use the common name.

I don't know how they even use a TLS lib to do this.

Wild. TVs are wild.

[1] our mediation layer applies rights restrictions, provides content endpoints etc.

#BBC #TLS #Media

By consulting the proper documents, one may speak a secure and secret tongue. #TLS #LetsEncrypt #OpenSource https://cromwell-intl.com/open-source/google-freebsd-tls/tls-certificate.html?s=mc

PKI-Management: Wenn Zertifikatsverwaltung zum Kostentreiber wird

https://www.all-about-security.de/pki-management-wenn-zertifikatsverwaltung-zum-kostentreiber-wird/

#pki #tls

OpenSSL 3.6.1 is out with fixes for multiple high-severity vulnerabilities affecting TLS, PKCS12, CMS, and certificate handling.
https://linuxiac.com/openssl-3-6-1-released-with-high-severity-security-fixes/

#openssl #tls #security #opensource

Learn the subtle battle language used in the realm of the clouds. #TLS #FreeBSD #GoogleCloud #OpenSource https://cromwell-intl.com/open-source/google-freebsd-tls/https-headers.html?s=mc

The orange site shared this link, telnet.org which has a list of servers to which you can connect over Telnet. (Warning: these are always unencrypted connections).

If you want a Telnet-like experience but over a secure #TLS connection (e.g. using an #SSH client), check out the “Tildeverse,” https://tildeverse.org/ , a list of public-access servers with SSH login. It is like the #Fediverse but using TLS rather than the #ActivityPub protocol. The obvious drawback is that you need to know how to use a command line, but I doubt that would bother most Fediverse dwellers.

@screwlisp I didn’t see https://lambda.moo.mud.org at all in this list of Telnet logins. We may need to do something about that.

#tech #Internet #RetroComputing #Telnet #TildeVerse

Автопродление TLS тоже ломается

Текст в ленте: Много лет индустрия информационной безопасности старается улучшить стандарты шифрования в сети двумя способами: массовое распространение HTTPS как общего стандарта шифрования для всех сайтов — даже для тех, которым защита формально не требуется. Очень много времени было потрачено на то, чтобы убедить пользователей в важности тотального шифрования абсолютно всех коммуникаций; сокращение сроков выдачи сертификатов SSL/TLS, чтобы стимулировать пользователей внедрять автоматические процедуры/скрипты для автопродления сертификатов, чтобы исключить «человеческий фактор» и забывчивость сисадминов, которые забывают менять сертификаты. Но иногда этого недостаточно. К сожалению, автоматические скрипты продления сертификатов тоже могут выйти из строя.

https://habr.com/ru/companies/globalsign/articles/988804/

#tls #сертификат #acme #letsencrypt #шифрование #certbot #acmesh #dns #bazel

🤔 Why only Europe? I’m looking for the same kind of service anywhere other than Let’s Encrypt’s country.

Wildcard or not, for me. :boost:

#selfHosting #tls #acme #sysadmin #askFedi #help #blambers

[Перевод] Туториал по Wireshark для начинающих

Среди множества инструментов для обеспечения сетевой безопасности Wireshark выделяется своей способностью захватывать и отображать пакеты в реальном времени, что особенно полезно для диагностики и анализа сети. Wireshark прост в использовании и является отличным вариантом для новичков, но при этом достаточно мощный для профессионалов, которым нужны детализированные данные о сетевом трафике. В этом руководстве объясняется, как установить Wireshark и использовать его для выявления проблем с подключением, обнаружения подозрительной активности и анализа производительности сети.

https://habr.com/ru/companies/otus/articles/987626/

#Wireshark #Сетевой_анализ #network #анализ_сетевого_трафика #захват_пакетов #сетевые_протоколы #DNS #TLS

Ignoranti certificati

I certificati a chiave pubblica sono la base della sicurezza delle comunicazioni online con protocolli come https o, più in generale, TLS. Benchè a livello di programmazione, gli algoritmi coinvolti e la loro implementazione non siano esattamente lineari, a livello di utilizzo come amministratore di sitema sono relativamente semplici, forse troppo. […]

https://siamogeek.com/2026/01/24/ignoranti-certificati/

Use of post-quantum cryptography in HTTPS has been steadily increasing. All major browsers, many CDNs, and most TLS libraries implement and by default enable it.

But there's more to the internet than just HTTPS. So I checked which mail servers support X25519MLKEM768 when using STARTTLS.

Unsurprisingly, fewer than 1K of MX servers for the Top1M domains support PQC. The only major providers who do are Google, Yahoo (shout-out!), and Seznam.

https://www.netmeister.org/blog/smtp-pqc.html

#pqc #tls #smtp

And as a conclusion to the previous event, #P2P solutions are definitely not useful in extreme conditions, as they require a lot of #energy from power batteries. In contrast, primitive technologies such as classic client-server sockets without #TLS encryption could prevail in a survival scenario.

Build a fortress in the realm of the clouds. #FreeBSD #GCP #GoogleCloud #OpenSource #TLS https://cromwell-intl.com/open-source/google-freebsd-tls/?s=mc

RE: https://mastodon.social/@nixCraft/115906354891838530

So... it's here, right? After I waited almost 7 years... And it hopefully wouldn't turn into other "after 9 months pay us 10$/month" scam like ZeroSSL...

And... I will finally have federation in my Matrix server I guess :blobcatjoy:

It was funny to try to set it up. I don't understand how these automation scripts work - all I know was how to do things manually with simple bash scripts and openssl config files.
Last night it finally worked with acme.sh, so maybe it would just keep working itself from now...

#letsencrypt #tls