101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl czyli najstarszy polski serwer Mastodon. Posiadamy wpisy do 2048 znaków.

Server stats:

486
active users

#tls

2 posts2 participants0 posts today

Hello, I’m hosting a #Vaultwarden server behind #Caddy 2.10 and made the following test:

Tuning Caddy to allow only #PQC curves:

	tls {
		curves x25519mlkem768
	}

Trying to connect with #Firefox Mac -> OK
Trying to connect with #Bitwarden #android client -> Fail

Without the #TLS tuning, the Bitwarden Android client will happily connect to the server.

Is it a problem with the Bitwarden Android client or with Android, or both?

A recent research has exposed more than 40 * 10³ IoT cameras happily showing their feed _and_ location to anyone who can browse and use search engines specialized in the indexing of the misconfigured devices.

More than 14 * 10³ are localised in the USA.

Read more here.

Note:
I know that there are more than a million of these cameras world wide misconfigured an open on just port 80 http not even TLS 443, with admin / admin as credentials 🪪

theregister.com/2025/06/10/400

More interesting progress trying to make #swad suitable for very busy sites!

I realized that #TLS (both with #OpenSSL and #LibreSSL) is a *major* bottleneck. With TLS enabled, I couldn't cross 3000 requests per second, with somewhat acceptable response times (most below 500ms). Disabling TLS, I could really see the impact of a #lockfree queue as opposed to one protected by a #mutex. With the mutex, up to around 8000 req/s could be reached on the same hardware. And with a lockfree design, that quickly went beyond 10k req/s, but crashed. 😆

So I read some scientific papers 🙈 ... and redesigned a lot (*). And now it finally seems to work. My latest test reached a throughput of almost 25k req/s, with response times below 10ms for most requests! I really didn't expect to see *this* happen. 🤩 Maybe it could do even more, didn't try yet.

Open issue: Can I do something about TLS? There *must* be some way to make it perform at least a *bit* better...

(*) edit: Here's the design I finally used, with a much simplified "dequeue" because the queues in question are guaranteed to have only a single consumer: dl.acm.org/doi/10.1145/248052.

Continued thread

Solved! 🥳

This was a pretty "interesting" bug. Remember when I invented a way to implement #async / #await in #C, for jobs running on a threadpool. Back then I said it only works when completion of the task resumes execution on the *same* pool thread.

Trying to improve overall performance, I found the complex logic to identify the thread job to put on a pool thread a real deal-breaker. Just having one single MPMC queue with a single semaphore for all pool threads to wait on is a lot more efficient. But then, a job continued after an awaited task will resume on a "random" thread.

It theoretically works by making sure to restore the CORRECT context (the original one of the pool thread) every time after executing a job, whether partially (up to the next await) or completely.

Only it didn't, at least here on #FreeBSD, and I finally understood the reason for this was that I was using #TLS (thread-local storage) to find the context to restore.

Well, most architectures store a pointer to the current thread metadata in a register. #POSIX user #context #switching saves and restores registers. I found a source claiming that the #Linux (#glibc) implementation explicitly does NOT include the register holding a thread pointer. Obviously, #FreeBSD's implementation DOES include it. POSIX doesn't have to say anything about that.

In short, avoiding TLS accesses when running with a custom context solved the crash. 🤯

#commonLisp #emacs #smallweb #kitten screwlisp.small-web.org/kitten #webdev

Eev (and lisp secret alien technology) made it /really/ easy and convenient to generate a kitten matching @aral's Tutorial 2: dynamic pages, kitten.small-web.org/tutorials serve it and visit it inside emacs (just press F8 over and over again and it happens on its own).

I guess you can do it too...? What do you think? How much of a Hurkle itch is this giving you Aral ;p. It seems /really/ easy to get a fancy! #tls site up like this.

Уведомления о сертификатах в феди

Логи Certificate Transparency — это публично доступные криптографически заверенные списки всех TLS-сертификатов, выданных ЦСами.

Если третье лицо или недобросовестный ЦС сгенерирует сертификат на ваш домен, получая возможность проводить митм-атаки, об этом можно почти сразу узнать из CT-логов.

Но собирать огромные списки с нескольких источников самому — не особо полезное и быстрое занятие. Для этого есть мониторы. Один из доступных без регистрации — crt.sh, только хотелось бы автоматических уведомлений, а не проверки страницы результатов поиска вручную.

Представляю вам @crtsh

Это федивёрс-бот, который регулярно проверяет CT-список crt.sh по указанным в конфиге доменам и отправляет пост с пингом админа домена, когда в списке появляется новый сертификат.

Бонус: если до конца срока действия последнего выданного сертификата осталось меньше 6 дней, бот тоже об этом сообщит.

Исходный код: https://git.dc09.ru/DarkCat09/crtsh-gts

Напишите мне в ЛС домен и феди-аккаунт для уведомлений, если хотите, чтобы я добавил его в свой инстанс бота, либо захостите crtsh-gts у себя (если что, не проверял с мастодоном, ориентировался только на апи гтса), селфхост должен быть вполне straightforward/простым-понятным.

#web #tls #безопасность
#федиверс #бот @rf

certificate.transparency.devCertificate Transparency : Certificate TransparencyCertificate Transparency

🔒 Auto Encrypt – heads up!

In the next minor version release of Auto Encrypt¹, we’ll be moving from a hard-coded date-based certificate renewal check to using ACME Renewal Information (ARI)².

The change³ should be seamless.

If you have any concerns, now is the time to raise them :)

#AutoEncrypt #TLS #LetsEncrypt #SmallTech #SmallWeb

¹ Drop-in Node.js https server replacement that automatically provisions and renews Let’s Encrypt certificates for you. (codeberg.org/small-tech/auto-e)
² datatracker.ietf.org/doc/draft
³ codeberg.org/small-tech/auto-e

Codeberg.orgauto-encryptAutomatically-provisioned TLS certificates for Node.js servers using Let’s Encrypt.

👋🤓 Goodbye Site.js, Hello Kitten!

I started working on creating a Small Web¹ server (a peer-to-peer Web server) six years ago² with Site.js.

Building Site.js was my first attempt. And it resulted in:

• Auto Encrypt (automatic Let’s Encrypt certificates): codeberg.org/small-tech/auto-e

• Auto Encrypt Localhost (automatic localhost TLS certificates): codeberg.org/small-tech/auto-e

• @small-tech/https (drop-in Node.js https module replacement with automatic TLS certs everywhere): codeberg.org/small-tech/https

• JSDB: In-process, in-memory JavaScript database that persists to append-only JavaScript logs: codeberg.org/small-tech/jsdb

As Site.js reached an evolutionary dead-end, and as I learned from my experiements with replicated data types that replicated data types are *not* a prerequisite for a decentralised web (actual topological decentralisation and ease of use are), I started writing a new server/platform called Kitten from scratch while still making use of the tried and tested modules listed above.

Last week, I switched over our last site using Site.js to Kitten and, with that, today I’ve sunset³ Site.js:

sitejs.org

For its successor, please see Kitten:

kitten.small-web.org

If you want to support our work at the Small Technology Foundation, please consider becoming a patron:

small-tech.org/fund-us

:kitten:💕

¹ ar.al/2024/06/24/small-web-com
² ar.al/2019/08/26/introducing-s
³ Using our instance of Look Over There!: look-over-there.small-web.org

🔐 How can you keep your online data safe?
Whether you’re a web developer, IT professional, or simply interested in online security, our YouTube video will give you the confidence and know-how to secure your online presence using TLS SAN Certificates.
Discover how Subject Alternative Name (SAN) extensions make it possible to encrypt multiple domain names with just one TLS certificate.

#TLS #SAN

visit: youtu.be/R5jdnZyusew for more details.