101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl, the oldest Polish Mastodon server. Posts can be up to 2048 characters long.


#letsencrypt

Replied in thread

@farshidhakimy @aral Absolutely — you're right, this isn’t a brand-new concept. Cloudflare's cert on 1.1.1.1 is a great example of a legitimate use case for IP-based certificates, especially in infrastructure-focused services like public DNS.

And yes, other CAs have issued certs for IP addresses before Let's Encrypt started doing it — so it’s not unprecedented. The shift here is more about accessibility and scale. Let’s Encrypt offering free certs for public IPs means this capability is now much more widely available, even to actors who previously didn’t have the budget or motivation to go through commercial CAs.

That’s where the risk discussion comes in — not that certs for IPs are inherently bad, but that easier issuance could lower the barrier for phishing kits, command-and-control servers, or shady hosts to appear more “legitimate” with a valid HTTPS padlock, especially in contexts where URLs are masked or shortened.

So yeah, not panic-worthy — just something worth watching as it scales.

Replied in thread

@marcuwekling Great idea! I'm (already) in! 🙃 #dutgemacht #ididit

Here is what I am already using:

- My own mail server #postfix #clamav #rspamd #roundcubemail #dovecot
- Notebooks running #Linux
- #pfsense firewall
- #thunderbird

Free services/software I currently self-host:
- #Nextcloud
- #PaperlessNGX
- #Peertube
- #HomeAssistant
- #Mastodon
- #Matrix
- #Wordpress

Free services hosted by others:
- #pixelfed
- #bigbluebutton
- #letsencrypt

Unfortunately I can't get rid of my Windows machine yet #gamer - but that will surely come at some point too... 🤞

Continued thread

Urgh I _still_ dislike dealing with TLS certs. The certificate on au.mirror.7bit.org/ expired earlier in the week, which was surprising because I thought I'd set everything up to automatically renew. Turns out I had, but I'd forgotten to include a Lego renew hook to restart nginx when the cert was renewed. Apparently I also didn't have monitoring of this cert (I do now) :facepalm:

Why is it that only Caddy and Traefik seem to have built in ACME clients?

#acme #tls #https
Replied to Aral Balkan

@aral wrote: "If your friends and family are trying to phish you, you have bigger problems."

Phishing means that an adversary *claiming to be* someone you know (including friends and family) convinces you to click on a link.

The purpose of a certificate, telling a receiver *WHO* (human readable) owns the associated private key (the last resort to distinguish between fake and authentic), now has completely vanished.

As if phishing is not already the nr. 1 problem on the internet.

Note: I'm fine with the idea provided that browsers clearly inform users about the reliability of authenticity (I've read your article, did you read infosec.exchange/@ErikvanStrat ?)

@letsencrypt


If you use #LetsEncrypt, you have probably received the "Let's Encrypt Expiration Emails Update" messages warning you that this CA will no longer send reminders that your certificates are about to expire. That is because a better system is now available, #ARI.
ARI lets a CA that uses the #ACME protocol give its clients suggestions about when to renew certificates. It is described in this #RFC.

bortzmeyer.org/9773.html


Remember the threads¹² about #LetsEncrypt removing a crucial key usage from certificates issued by them in predictive obedience to their premium sponsor Google?

We were at first concerned about #SMTP. While I had lived through this problem with #StartSSL by #StartCom back in 2011, I only had a vague recollection of Jabber but recalled in detail that it broke server-to-server SMTP verification (whether the receiving server acted on it or just documented it).

Well, turns out someone now reported that it indeed breaks #XMPP entirely: https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427/66

This means that it will soon no longer be possible at all to operate Jabber (XMPP) servers, because the servers use the operating system's CA certificate bundle for verification, which generally follows the major browsers' root stores, which in turn follow requirements from the CA/Browser Forum, who apparently don't care about anything other than the web browser; and so no CA whose root certificate is in that store will be allowed to issue certificates suitable for Jabber/XMPP server-to-server communication, while these CAs are the only ones trusted by those servers.

So, yes, Google's requirement change is after all breaking Jabber entirely. Shame on anyone who thinks ill of it.

While https://nerdcert.eu/ by @jwildeboer would in theory help, it’s not existent yet, and there’s not just the question of when it will be included in operating systems’ root CA stores but whether it will be included in them at all.

Google's policy has no listed contact point, and the CA/B Forum isn't something mere mortals can complain to, so I'd appreciate it if someone who can, who has the skills to argue this in English, and who is willing to, would bring it to them.

① mine: https://toot.mirbsd.org/@mirabilos/statuses/01JV8MDA4P895KK6F91SV7WET8
② jwildeboer’s: https://social.wildeboer.net/@jwildeboer/114516238307785904

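A practical check for the problem described in the thread above, added here as an example (not code from any of the posts or from Let's Encrypt): before deploying a freshly issued certificate to an XMPP server, verify that it still carries the TLS Client Authentication EKU, since the server presents that certificate as a client when dialling out to other servers. It assumes the `openssl` command-line tool (1.1.1 or newer) is on PATH; the self-signed test certificates it generates are constructed for demonstration only.

```shell
#!/bin/sh
# Added example: detect certificates that lack the clientAuth EKU, which
# XMPP server-to-server peers need when the server connects as a client.
set -eu

# has_client_auth_eku FILE
# Exit status 0 if the PEM certificate lists TLS Web Client Authentication
# in its Extended Key Usage extension, 1 otherwise.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# make_test_cert FILE EKU_LIST
# Constructed self-signed certificate with the given EKU list, e.g.
# "serverAuth" (mirrors a server-only profile) or "serverAuth,clientAuth".
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=xmpp.example.invalid" \
        -addext "extendedKeyUsage=$2" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# check_cert FILE
# Print a verdict suitable for a renewal hook; non-zero status lets the hook
# refuse to install a certificate that would break s2s federation.
check_cert() {
    if has_client_auth_eku "$1"; then
        echo "$1: clientAuth EKU present - usable for XMPP s2s"
        return 0
    fi
    echo "$1: clientAuth EKU MISSING - s2s peers will reject it" >&2
    return 1
}
```

Wire `check_cert` into the ACME client's post-renewal hook so a profile change at the CA fails loudly instead of silently breaking federation on the next renewal.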