Some time ago, #Conversations_im started preferring direct TLS on port 5223 for servers without SRV records, falling back to 5222 if necessary.
Here’s what server administrators should do:
· Ensure direct TLS is configured and accessible.
· If using SRV records, prioritize _xmpps-client._tcp by assigning it a lower priority value.
New blog post: Post-OCSP certificate revocation in the Web PKI.
With OCSP in all forms going away, I decided to look at the history and possible futures of certificate revocation in the Web PKI. I also threw in some of my own proposals to work alongside existing ones.
I think this is the most comprehensive current look at certificate revocation right now.
#security #WebPKI #LetsEncrypt #TLS #OCSP
#TLS #EncryptedClientHello #ECH support has been merged in #curl!
github.com/curl/curl/pull/1192…
This is an (as-promised, on the mailing list) early pull request for adding HTTPS RR an ECH support to cURL, that has had so far minimal testing when using OpenSSL or wolfSSL as the TLS provider, b...GitHub
Open Letter regarding the #eIDAS Regulation:
We strongly warn against the currently proposed trilogue agreement, as it fails to properly respect the right to privacy of citizens and secure online communication; without establishing proper safeguards as outlined above, it instead substantially increases the potential for harm.
See the full Joint statement of scientists and NGOs on the EU’s proposed eIDAS reform here: blog.fiff.de/eidas-open-letter… #TLS
We strongly warn against the currently proposed trilogue agreement.Rainer Rehak (FIfF e.V.)
The Encrypted Client Hello (ECH) mechanism draft-spec is a way to plug a few privacy-holes that remain in the Transport Layer Security (TLS) protocol that’s used as the security layer for the web.jochensp (https://guardianproject.info)
Mitigating the Hetzner/Linode XMPP.ru MitM interception incident, part 2: XMPP-specific mitigations
Hey there -- we're Let's Encrypt, the free and open certificate authority serving over 300 million websites worldwide. We're new to Mastodon and are excited to get to know the infosec community in this new space!
#opensource #TLS #PKI #infosec
Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).letsencrypt.org
I've asked it in a poll in 8/2021 at Mastodon.technology, now it's time for a refresher: To improve #security I finally consider to really drop support for #TLS 1.0/1.1 (see blog.qualys.com/product-tech/2… and e.g. ssllabs.com/ssltest/analyze.ht…). This basically would affect devices running Android < 4.4. As I do not want to lock anybody out, I'd like to see how many of you would this effect.
🇩🇪 Noch wer mit Android < 4.4 unterwegs und somit auf TLS 1.0/1.1 angewiesen (1. ja, 2. macht nix, 3. nein)?
So:
Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade. Update 1/16/2020: The grade change is now live on the development…Qualys Security Blog
I’m not going to use bloody bugzilla, so if anyone from Mozilla sees this, your enterprise flow for adding certificate authorities (CAs) to Firefox on Linux fails on Fedora Silverblue.
Since Fedora Silverblue is seen as the possible future of Fedora/Red Hat, you folks might want to talk to the Fedora folks about it and come up with a solution.
github.com/fedora-silverblue/i…
#mozilla #firefox #fedora #fedoraSilverblue #bug #tls #ssl #redHat #linux #enterprise #certificates
In Firefox version 64+, you can add your custom certificate authorities to Firefox using an enterprise policy file and by copying your certificates to /usr/lib/mozilla/certificates or /usr64/lib/mo...GitHub
Now that we made it all through the holidays, we're happy to do some releases again!
First up is our #RPKI relying party software Routinator. 🚀 Version 0.12.1 fixes a small number of bugs. Most importantly, the #TLS-enabled servers for both HTTP and RTR now also accept private keys formatted as PKCS#1 RSA keys rather than only accepting PKCS#8 keys. #RoutingSecurity #rustlang
github.com/NLnetLabs/routinato…
Bug Fixes Actually use the extra-tals-dir config file option. (#821) Allow private keys prefixed both with BEGIN PRIVATE KEY and BEGIN RSA PRIVATE KEY in the files referred to by http-tls-key and ...GitHub
Folks, if you’re using @small-tech/auto-encrypt in your projects, please make sure you’re running the latest version of the package (3.1.0) or certificate provisioning/renewal will fail due to the latest Let’s Encrypt protocol update.
codeberg.org/small-tech/auto-e…
#tls #https #letsEncrypt #autoEncrypt #js #javaScript #nodeJS #web #dev #smallWeb #smallTech
Automatically-provisioned TLS certificates for Node.js servers using Let’s Encrypt.Codeberg.org
