101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl is the oldest Polish Mastodon server. Posts can be up to 2048 characters long.

#authentication

Felix Palmen :freebsd: :c64:<p>Just released: <a href="https://mastodon.bsd.cafe/tags/swad" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>swad</span></a> v0.2</p><p>SWAD is the "Simple Web Authentication Daemon", meant to add <a href="https://mastodon.bsd.cafe/tags/cookie" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cookie</span></a> <a href="https://mastodon.bsd.cafe/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> with a simple <a href="https://mastodon.bsd.cafe/tags/login" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>login</span></a> form and configurable credential checker modules to a reverse <a href="https://mastodon.bsd.cafe/tags/proxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>proxy</span></a> supporting to delegate authentication to a backend service, like e.g. <a href="https://mastodon.bsd.cafe/tags/nginx" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nginx</span></a>' "auth_request". It's a very small piece of software written in pure <a href="https://mastodon.bsd.cafe/tags/C" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>C</span></a> with as little external dependencies as possible. It requires some <a href="https://mastodon.bsd.cafe/tags/POSIX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>POSIX</span></a> (or "almost POSIX", like <a href="https://mastodon.bsd.cafe/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a>, <a href="https://mastodon.bsd.cafe/tags/FreeBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FreeBSD</span></a>, ...) 
environment, OpenSSL (or LibreSSL) for TLS and zlib for response compression.</p><p>Currently, the only credential checker module available offers <a href="https://mastodon.bsd.cafe/tags/PAM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PAM</span></a> authentication, more modules will come in later releases.</p><p>swad 0.2 brings a few bugfixes and improvements, especially helping with security by rate-limiting the creation of new sessions as well as failed login attempts. Read details and grab it here:</p><p><a href="https://github.com/Zirias/swad/releases/tag/v0.2" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/Zirias/swad/release</span><span class="invisible">s/tag/v0.2</span></a></p>
Felix Palmen :freebsd: :c64:<p>Released: <a href="https://mastodon.bsd.cafe/tags/swad" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>swad</span></a> v0.1 🥳 </p><p>Looking for a simple way to add <a href="https://mastodon.bsd.cafe/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> to your <a href="https://mastodon.bsd.cafe/tags/nginx" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nginx</span></a> reverse proxy? Then swad *could* be for you!</p><p>swad is the "Simple Web Authentication Daemon", written in pure <a href="https://mastodon.bsd.cafe/tags/C" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>C</span></a> (+ <a href="https://mastodon.bsd.cafe/tags/POSIX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>POSIX</span></a>) with almost no external dependencies. <a href="https://mastodon.bsd.cafe/tags/TLS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TLS</span></a> support requires <a href="https://mastodon.bsd.cafe/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> (or <a href="https://mastodon.bsd.cafe/tags/LibreSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LibreSSL</span></a>). It's designed to work with nginx' "auth_request" module and offers authentication using a <a href="https://mastodon.bsd.cafe/tags/cookie" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cookie</span></a> and a login form.</p><p>Well, this is a first release and you can tell by the version number it isn't "complete" yet. Most notably, only one single credentials checker is implemented: <a href="https://mastodon.bsd.cafe/tags/PAM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PAM</span></a>. 
But as pam already allows pretty flexible configuration, I already consider this pretty useful 🙈</p><p>If you want to know more, read here:<br><a href="https://github.com/Zirias/swad" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/Zirias/swad</span><span class="invisible"></span></a></p>
Anthony Kraudelt<p>My 12-year-old son is creating an online game and asked "why do users have to log in to be on the game's leaderboard." This prompted a discussion about how authentication and authorization are often confused and how they play distinct yet complementary roles in protecting each player's game scores for his website. I explained the two as follows:</p><p>Authentication (AuthN) asks the question "Are you who you say you are?" It verifies an identity using credentials like passwords, biometrics, or MFA.</p><p>Authorization (AuthZ) asks "What are you allowed to do?" It determines what actions, or resources, you have access to after authentication.</p><p>You authenticate first (prove your identity), then get authorized (granted permissions). Without both, security is incomplete. The two concepts work in concert to prevent unauthorized system access or data tampering. </p><p>I know that probably wasn't the coolest conversation between a father and son, but his gaming site now has a user login page. :)</p><p><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Authorization" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authorization</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/ZeroTrust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ZeroTrust</span></a></p>
Boiling Steam<p>Matrix.org Will Migrate to MAS: <a href="https://matrix.org/blog/2025/04/matrix-auth-service/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">matrix.org/blog/2025/04/matrix</span><span class="invisible">-auth-service/</span></a> <br><a href="https://mastodon.cloud/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>linux</span></a> <a href="https://mastodon.cloud/tags/update" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>update</span></a> <a href="https://mastodon.cloud/tags/foss" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>foss</span></a> <a href="https://mastodon.cloud/tags/matrix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>matrix</span></a> <a href="https://mastodon.cloud/tags/mas" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>mas</span></a> <a href="https://mastodon.cloud/tags/migration" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>migration</span></a> <a href="https://mastodon.cloud/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a></p>
Bytes Europe<p>BIO-key Partners with Arrow ECS Iberia to Strengthen Access <a href="https://www.byteseu.com/880541/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">byteseu.com/880541/</span><span class="invisible"></span></a> <a href="https://pubeurope.com/tags/AccessManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AccessManagement</span></a> <a href="https://pubeurope.com/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://pubeurope.com/tags/BIOKeyInternational" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BIOKeyInternational</span></a> <a href="https://pubeurope.com/tags/biometrics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>biometrics</span></a> <a href="https://pubeurope.com/tags/CloudComputing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudComputing</span></a> <a href="https://pubeurope.com/tags/GDPR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GDPR</span></a> <a href="https://pubeurope.com/tags/Iberia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Iberia</span></a> <a href="https://pubeurope.com/tags/Inc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Inc</span></a>. 
<a href="https://pubeurope.com/tags/Multifactor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Multifactor</span></a> <a href="https://pubeurope.com/tags/Nasdaq" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Nasdaq</span></a>:BKYI <a href="https://pubeurope.com/tags/NIS2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NIS2</span></a> <a href="https://pubeurope.com/tags/Passwordless" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwordless</span></a> <a href="https://pubeurope.com/tags/Portugal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Portugal</span></a> <a href="https://pubeurope.com/tags/SingleSignOn" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SingleSignOn</span></a> <a href="https://pubeurope.com/tags/Spain" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spain</span></a></p>
Felix Palmen :freebsd: :c64:<p>Trying to come up with my own little self-hosted <a href="https://mastodon.bsd.cafe/tags/http" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>http</span></a> <a href="https://mastodon.bsd.cafe/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://mastodon.bsd.cafe/tags/daemon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>daemon</span></a> to work with <a href="https://mastodon.bsd.cafe/tags/nginx" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nginx</span></a>' "authentication request" facility ... first step done! 🥳</p><p>Now I have a subset of HTTP 1.x implemented in <a href="https://mastodon.bsd.cafe/tags/C" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>C</span></a>, together with a dummy handler showing nothing but a static hello-world root document.</p><p>I know it's kind of stubborn doing that in C, but hey, <a href="https://mastodon.bsd.cafe/tags/coding" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>coding</span></a> it is great fun 🙈 </p><p><a href="https://github.com/Zirias/swad" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/Zirias/swad</span><span class="invisible"></span></a></p>
Bytes Europe<p>Trustly to Pilot Biometric Solution in Finland Before Rollout <a href="https://www.byteseu.com/865971/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">byteseu.com/865971/</span><span class="invisible"></span></a> <a href="https://pubeurope.com/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://pubeurope.com/tags/BiometricAuthentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BiometricAuthentication</span></a> <a href="https://pubeurope.com/tags/biometrics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>biometrics</span></a> <a href="https://pubeurope.com/tags/DigitalTransformation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DigitalTransformation</span></a> <a href="https://pubeurope.com/tags/EMEA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EMEA</span></a> <a href="https://pubeurope.com/tags/Finland" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Finland</span></a> <a href="https://pubeurope.com/tags/gaming" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gaming</span></a> <a href="https://pubeurope.com/tags/IdentityVerification" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IdentityVerification</span></a> <a href="https://pubeurope.com/tags/News" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>News</span></a> <a href="https://pubeurope.com/tags/PayByBank" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PayByBank</span></a> <a href="https://pubeurope.com/tags/PYMNTSNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PYMNTSNews</span></a> <a href="https://pubeurope.com/tags/Technology" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>Technology</span></a> <a href="https://pubeurope.com/tags/Trustly" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Trustly</span></a> <a href="https://pubeurope.com/tags/TrustlyID" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TrustlyID</span></a> <a href="https://pubeurope.com/tags/What" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>What</span></a>'sHot</p>
Karl Voit :emacs: :orgmode:<p><span class="h-card" translate="no"><a href="https://mastodon.social/@yacc143" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>yacc143</span></a></span> FYI: <a href="https://graz.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a> and <a href="https://graz.social/tags/FIDO2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIDO2</span></a> (= "device-bound <a href="https://graz.social/tags/passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkey</span></a>" which can be divided into "platform-" and "roaming-authenticators") are identical except the <a href="https://graz.social/tags/cloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cloud</span></a>-sync mechanism (as of my current understanding).</p><p>So unfortunately, they get mixed up or are considered as totally different things. Both are wrong.</p><p>In reality, they are very similar except that FIDO2 hardware tokens ("device-bound passkeys" only in their "roaming-authenticator" variant) are designed in such a way that passkeys cannot be extracted from the device (at least for the moment).</p><p>Therefore, users of HW tokens can't be tricked into transferring their passkey to a rogue third party, which is possible with all other Passkey variants. 
Therefore: passkeys are NOT <a href="https://graz.social/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a>-resistant in the general case.</p><p><a href="https://graz.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://graz.social/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://graz.social/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2FA</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.ar.al/@aral" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>aral</span></a></span> :</p><p>I don't want to pay a cent. Neither donate, nor via taxes.</p><p><a href="https://infosec.exchange/@ErikvanStraten/114227977082449887" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114227977082449887</span></a></p><p><span class="h-card" translate="no"><a href="https://mstdn.social/@TheDutchChief" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>TheDutchChief</span></a></span> <span class="h-card" translate="no"><a href="https://ec.social-network.europa.eu/@EUCommission" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>EUCommission</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>letsencrypt</span></a></span> <span class="h-card" translate="no"><a href="https://social.nlnet.nl/@nlnet" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>nlnet</span></a></span> </p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DV</span></a> <a 
href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/bond" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bond</span></a> <a href="https://infosec.exchange/tags/dotBond" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dotBond</span></a> <a href="https://infosec.exchange/tags/Spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spam</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/Ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ransomware</span></a> <a href="https://infosec.exchange/tags/Banks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Banks</span></a> <a 
href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FakeWebsites</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.ar.al/@aral" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>aral</span></a></span> : most Let's Encrypt (and other Domain Validated) certificates are issued to junk- or plain criminal websites.</p><p>They're the ultimate manifestation of evil big tech.</p><p>They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks.</p><p>DV has destroyed the internet. People lose their ebank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing attacks).</p><p>Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website).</p><p>However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a piece of cake.</p><p>Decent online authentication is HARD. Get used to it instead of denying it.</p><p>REASONS/EXAMPLES</p><p>🔹 Troy Hunt fell in the DV trap: <a href="https://infosec.exchange/@ErikvanStraten/114222237036021070" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114222237036021070</span></a></p><p>🔹 Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. 
Now Chrome does not give you any more info than what Google argumented: <a href="https://infosec.exchange/@ErikvanStraten/114224682101772569" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114224682101772569</span></a></p><p>🔹 https:⧸⧸cancel-google.com/captcha was live yesterday: <a href="https://infosec.exchange/@ErikvanStraten/114224264440704546" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114224264440704546</span></a></p><p>🔹 Stop phishing proposal: <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a></p><p>🔹 Lots of reasons why LE sucks:<br><a href="https://infosec.exchange/@ErikvanStraten/112914047006977222" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914047006977222</span></a> (corrected link 09:20 UTC)</p><p>🔹 This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): <a href="https://newly-registered-domains.abtdomain.com/2024-08-15-bond-newly-registered-domains-part-1/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">newly-registered-domains.abtdo</span><span class="invisible">main.com/2024-08-15-bond-newly-registered-domains-part-1/</span></a>. 
However, this gang is still active, open the RELATIONS tab in <a href="https://www.virustotal.com/gui/ip-address/13.248.197.209/relations" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/ip-address/</span><span class="invisible">13.248.197.209/relations</span></a>. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: <a href="https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/</span></a></p><p><span class="h-card" translate="no"><a href="https://ec.social-network.europa.eu/@EUCommission" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>EUCommission</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>letsencrypt</span></a></span> <span class="h-card" translate="no"><a href="https://social.nlnet.nl/@nlnet" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>nlnet</span></a></span> </p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/bond" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bond</span></a> <a href="https://infosec.exchange/tags/dotBond" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dotBond</span></a> <a href="https://infosec.exchange/tags/Spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spam</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/Ransomware" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>Ransomware</span></a> <a href="https://infosec.exchange/tags/Banks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Banks</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FakeWebsites</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@troyhunt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>troyhunt</span></a></span> : if we open a website that we've never visited before, we need browsers to show us all available details about that website, and warn us if such details are not available.</p><p>We also need better (readable) certificates identifying the responsible / accountable party for a website.</p><p>We have been lied to that anonymous DV certificates are a good idea *also* for websites we need to trust. It's a hoax.</p><p>Important: certificates never directly warrant the trustworthiness of a website. They're about authenticity, which includes knowing who the owner is and in which country they are located. This helps ensure that you can sue them (or not, if in e.g. Russia) which *indirectly* makes better identifiable websites more reliable.</p><p>More info in <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a> (see also <a href="https://crt.sh/?Identity=mailchimp-sso.com" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">crt.sh/?Identity=mailchimp-sso</span><span class="invisible">.com</span></a>).</p><p>Note: most people do not understand certificates, like <span class="h-card" translate="no"><a href="https://mastodon.social/@BjornW" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>BjornW</span></a></span> in <a href="https://mastodon.social/@BjornW/114064065891034415" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.social/@BjornW/114064</span><span 
class="invisible">065891034415</span></a>:<br>❝<br><span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>letsencrypt</span></a></span> offers certificates to encrypt the traffic between a website &amp; your browser.<br>❞<br>2x wrong.</p><p>A TLS v1.3 connection is encrypted before the website sends their certificate, which is used only for *authentication* of the website (using a digital signature over unguessable secret TLS connection parameters). A cert binds the domain name to a public key, and the website proves possession of the associated private key.</p><p>However, for people a domain name simply does not suffice for reliable identification. People need more info in the certificate and it should be shown to them when it changes.</p><p>Will you please help me get this topic seriously on the public agenda?</p><p>Edited 09:15 UTC to add: tap "Alt" in the images for details.</p><p><a href="https://infosec.exchange/tags/DVcerts" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DVcerts</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoogleIsEvil</span></a> <a 
href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudflareIsEvil</span></a></p>
Alexander Schwartz<p>Arrived at <a href="https://fosstodon.org/tags/VoxxedDays" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VoxxedDays</span></a> Zurich <a href="https://fosstodon.org/tags/vdz25" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vdz25</span></a> to talk about <a href="https://fosstodon.org/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a>, <a href="https://fosstodon.org/tags/oidc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oidc</span></a> and <a href="https://fosstodon.org/tags/keycloak" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>keycloak</span></a>. Looking forward to seeing you at my talk at 15:55 in room 7!</p>
Grumpy Website<p>We noticed you were working. How about you do a meaningless chore for us instead?</p><p><a href="https://mastodon.online/tags/Slack" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Slack</span></a> <a href="https://mastodon.online/tags/Login" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Login</span></a> <a href="https://mastodon.online/tags/Logout" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Logout</span></a> <a href="https://mastodon.online/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://mastodon.online/tags/Popup" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Popup</span></a> <a href="https://mastodon.online/tags/Timeout" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Timeout</span></a></p>
Matthew Turland<p>If you had to explain <a href="https://phpc.social/tags/OAuth2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OAuth2</span></a> to a relatively new SWE who only had a bit of experience interacting with public APIs from a frontend UI, are there any specific beginner-friendly online resources you'd recommend to them?</p><p><a href="https://phpc.social/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OAuth</span></a> <a href="https://phpc.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://phpc.social/tags/SoftwareEngineering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SoftwareEngineering</span></a> <a href="https://phpc.social/tags/SoftwareDevelopment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SoftwareDevelopment</span></a> <a href="https://phpc.social/tags/Education" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Education</span></a></p>
Joche Ojeda<p>Visual Studio Sign-In Issues: A Simple Fix (Fixing visual studio sign in error Code: 3399680404 )</p><p><a href="https://www.jocheojeda.com/2025/03/06/visual-studio-sign-in-issues-a-simple-fix-fixing-visual-studio-sign-in-error-code-3399680404/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">jocheojeda.com/2025/03/06/visu</span><span class="invisible">al-studio-sign-in-issues-a-simple-fix-fixing-visual-studio-sign-in-error-code-3399680404/</span></a></p><p><a href="https://mastodon.social/tags/VisualStudio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VisualStudio</span></a> <a href="https://mastodon.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://mastodon.social/tags/SignInIssues" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SignInIssues</span></a> <a href="https://mastodon.social/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> <a href="https://mastodon.social/tags/DeveloperTools" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DeveloperTools</span></a> <a href="https://mastodon.social/tags/Programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Programming</span></a> <a href="https://mastodon.social/tags/Troubleshooting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Troubleshooting</span></a> <a href="https://mastodon.social/tags/WindowsAuthenticationBroker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WindowsAuthenticationBroker</span></a> <a href="https://mastodon.social/tags/TechFix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TechFix</span></a> <a href="https://mastodon.social/tags/IDE" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>IDE</span></a> <a href="https://mastodon.social/tags/AccountProblems" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AccountProblems</span></a> <a href="https://mastodon.social/tags/SoftwareDevelopment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SoftwareDevelopment</span></a></p>
Felix Palmen :freebsd: :c64:<p>Ok HOW HARD CAN IT BE? 🤬 </p><p>Currently trying to allow the <a href="https://mastodon.bsd.cafe/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> machine I got from work (domain member, very much locked up, no local admin for me) in my private <a href="https://mastodon.bsd.cafe/tags/wifi" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>wifi</span></a> network (using 802.11x <a href="https://mastodon.bsd.cafe/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> for <a href="https://mastodon.bsd.cafe/tags/WPA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WPA</span></a> with <a href="https://mastodon.bsd.cafe/tags/freeradius" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freeradius</span></a> and <a href="https://mastodon.bsd.cafe/tags/PEAP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PEAP</span></a> using my own <a href="https://mastodon.bsd.cafe/tags/samba" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>samba</span></a> based AD).</p><p>I don't strictly *need* it, the machine connects to my open guest wifi (mapped to a VLAN with access *only* to the internet), but it would be really nice being able to also access my local services while working at home.</p><p>What I tried:</p><p>- Just login (PEAP/MSCHAPv2), obviously. After lots of fiddling and reading logs (freeradius as well as windows events), I found some docs suggesting Windows doesn't support that any more unless you fiddle with something in HKLM, so, no dice, need something else...<br>- Allow EAP-TLS as well and issue a client certificate for my user, install that on windows. Doesn't work, the machine insists on using the machine cert from the machine store.<br>- Create a client cert with the UPN of my user in my home network in SAN ... 
same issue<br>- Create a client cert with the UPN of my *work* user in SAN ...<br>- Ok screw that, get freeradius to accept that stupid machine certificate: Allow the internal CA of my workplace and *only* the CN of exactly the machine certificate.</p><p>Now, it still won't work and I really don't get it, seeing stuff like:</p><p>(13) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello<br>(13) eap_tls: (TLS) TLS - send TLS 1.1 Alert, fatal protocol_version<br>(13) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:protocol version<br>(13) eap_tls: ERROR: (TLS) TLS - Server : Error in SSLv3 read client hello B</p><p>It makes little sense and all fiddling with TLS options so far didn't make it work. For other clients using PEAP, it just works with both TLS1.2 and TLS1.3. WTF is going on here?</p>
Hacker News<p>Torii – a framework agnostic authentication library for Rust — <a href="https://github.com/cmackenzie1/torii-rs" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/cmackenzie1/torii-rs</span><span class="invisible"></span></a><br><a href="https://mastodon.social/tags/HackerNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HackerNews</span></a> <a href="https://mastodon.social/tags/Torii" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Torii</span></a> <a href="https://mastodon.social/tags/Rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rust</span></a> <a href="https://mastodon.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://mastodon.social/tags/Library" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Library</span></a> <a href="https://mastodon.social/tags/Framework" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Framework</span></a> <a href="https://mastodon.social/tags/Agnostic" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Agnostic</span></a> <a href="https://mastodon.social/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a></p>
julian<p>2FA codes sent over ActivityPub when?</p>
W3C Developers<p>The <span class="h-card" translate="no"><a href="https://w3c.social/@w3c" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>w3c</span></a></span> Federated Identity <a href="https://w3c.social/tags/WorkingGroup" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WorkingGroup</span></a> aims to create specs for secure, <a href="https://w3c.social/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a> friendly, and user-controlled <a href="https://w3c.social/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> and credential presentation<br>▶️ <a href="https://www.w3.org/groups/wg/fedid/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">w3.org/groups/wg/fedid/</span><span class="invisible"></span></a></p><p>Their updated charter introduces the Digital Credentials <a href="https://w3c.social/tags/API" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>API</span></a>, which facilitates user agents in managing access to and presenting digital <a href="https://w3c.social/tags/credentials" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>credentials</span></a>, such as a driver's license, government-issued ID, or other forms of digital credentials.</p><p>🎬 Find out more about this work by <span class="h-card" translate="no"><a href="https://mastodon.social/@sphcow" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>sphcow</span></a></span>: <a href="https://youtu.be/GI3UTZJ0Ue4" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">youtu.be/GI3UTZJ0Ue4</span><span class="invisible"></span></a></p>
Honeybadger.io<p>New on the HB dev blog:</p><p>Learn how to implement passwordless authentication in your Django projects using email-based login, OAuth, or magic links with django-sesame.</p><p><a href="https://www.honeybadger.io/blog/options-for-passwordless-authentication-in-django/?utm_source=mastodon&amp;utm_medium=social" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">honeybadger.io/blog/options-fo</span><span class="invisible">r-passwordless-authentication-in-django/?utm_source=mastodon&amp;utm_medium=social</span></a> </p><p><a href="https://honeybadger.social/tags/Python" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Python</span></a> <a href="https://honeybadger.social/tags/Django" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Django</span></a> <a href="https://honeybadger.social/tags/Programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Programming</span></a> <a href="https://honeybadger.social/tags/WebDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebDev</span></a> <a href="https://honeybadger.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a></p>