My first impressions of web3 (Moxie Marlinspike)
https://moxie.org/2022/01/07/web3-first-impressions.html, posted Jan '22 by peter in cryptocurrency development finance networking opinion
When you think about it, OpenSea would actually be much "better" in the immediate sense if all the web3 parts were gone. It would be faster, cheaper for everyone, and easier to use. For example, to accept a bid on my NFT, I would have had to pay over $80-$150+ just in ethereum transaction fees. That puts an artificial floor on all bids, since otherwise you'd lose money by accepting a bid for less than the gas fees. Payment fees by credit card, which typically feel extortionary, look cheap compared to that. OpenSea could even publish a simple transparency log if people wanted a public record of transactions, offers, bids, etc to verify their accounting.
However, if they had built a platform to buy and sell images that wasn't nominally based on crypto, I don't think it would have taken off. Not because it isn't distributed, because as we've seen so much of what's required to make it work is already not distributed. I don't think it would have taken off because this is a gold rush. People have made money through cryptocurrency speculation, those people are interested in spending that cryptocurrency in ways that support their investment while offering additional returns, and so that defines the setting for the market of transfer of wealth.
Using Let's Encrypt for internal servers
https://blog.heckel.io/2018/08/05/issuing-lets-encrypt-certificates-for-65000-internal-servers/, posted Dec '21 by peter in development howto networking security toread
But while there are many tools to automatically renew certificates for publicly available webservers (certbot, simp_le; I wrote about how to do that 3 years back), it's hard to find any useful information about how to issue certificates for internal, non-Internet-facing servers and/or devices with Let's Encrypt.
Visual guide to SSH tunnels
https://robotmoon.com/ssh-tunnels/, posted 2021 by peter in communication howto networking reference security
This page explains use cases and examples of SSH tunnels while visually presenting the traffic flows.
GitHub - FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates
https://github.com/FiloSottile/mkcert, posted 2020 by peter in automation development networking security
mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration.
SSH Agent Explained
https://smallstep.com/blog/ssh-agent-explained/, posted 2020 by peter in communication howto networking reference security
The SSH agent is a central part of OpenSSH. In this post, I'll explain what the agent is, how to use it, and how it works to keep your keys safe. I'll also describe agent forwarding and how it works. I'll help you reduce your risk when using agent forwarding, and I'll share an alternative to agent forwarding that you can use when accessing your internal hosts through bastions.
/bin/bash based SSL/TLS tester: testssl.sh
https://testssl.sh/, posted 2019 by peter in free networking security shell software testing
testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Application-Layer DDoS Attack Protection with HAProxy - HAProxy Technologies
https://www.haproxy.com/blog/application-layer-ddos-attack-protection-with-haproxy/, posted 2018 by peter in howto networking performance toread
In this blog post, we’ll demonstrate how the HAProxy load balancer protects you from application-layer DDoS attacks that could, otherwise, render your web application dead in the water, unreachable by ordinary users. In particular, we’ll discuss HTTP floods. An HTTP flood operates at the application layer and entails being immersed with web requests, wherein the attacker hopes to overwhelm your application’s capacity to respond.
CAA Mandated by CA/Browser Forum
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum, posted 2017 by peter in communication networking security
The fact that any CA can issue a certificate for any domain name is commonly cited as the weakest aspect of the PKI ecosystem. Although CAs want to do the right thing, there are no technical controls that prevent them from doing whatever they choose to do. That's why we say that the PKI ecosystem is as weak as the weakest link. With hundreds of CAs, there are potentially many weak links.
CAA creates a DNS mechanism that enables domain name owners to whitelist CAs that are allowed to issue certificates for their hostnames. It operates via a new DNS resource record (RR) called CAA (type 257). Owners can restrict certificate issuance by specifying zero or more CAs; if a CA is allowed to issue a certificate, their own hostname will be in the DNS record. For example, this is what someone's CAA configuration could be (in the zone file):
example.org. CAA 128 issue "letsencrypt.org"
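The record above is the whole of what the post shows. As an added example (not code from the Qualys post or from any CA), the following Python implements the check a CA performs against such records under RFC 8659: climb from the requested name toward the root until a CAA RRset is found, honour the issuer-critical flag (the 128 in the record above), use issuewild records for wildcard names, and treat an empty issuer domain (issue ";") as "nobody may issue". The zone data is constructed in the script; only the example.org record comes from the post, the other names and records are assumptions for illustration, and CNAME chasing is deliberately left out.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISSUER_CRITICAL = 128  # bit 7 of the CAA flags byte (RFC 8659 s.4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa_rdata(rdata: str) -> CAARecord:
    """Parse the RDATA of a zone-file CAA line, e.g. '128 issue "letsencrypt.org"'."""
    flags, tag, *rest = shlex.split(rdata)
    value = rest[0] if rest else ""
    return CAARecord(int(flags), tag.lower(), value)


# Constructed zone data (assumption for the example). example.org. mirrors the
# record shown in the post; every other owner name below is invented.
ZONE: Dict[str, List[CAARecord]] = {
    "example.org.": [parse_caa_rdata('128 issue "letsencrypt.org"')],
    # Empty issuer domain: no CA at all may issue for this name.
    "locked.example.org.": [parse_caa_rdata('0 issue ";"')],
    # Different policy for wildcard certificates.
    "wild.example.org.": [
        parse_caa_rdata('0 issue "letsencrypt.org; validationmethods=dns-01"'),
        parse_caa_rdata('0 issuewild "digicert.com"'),
    ],
    # Critical flag on a tag the CA does not understand: must refuse.
    "future.example.org.": [parse_caa_rdata('128 newtag "whatever"')],
    # Only a reporting address, no issuance restriction.
    "report.example.org.": [parse_caa_rdata('0 iodef "mailto:security@example.org"')],
}


def relevant_caa_rrset(fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Return the owner name and RRset that govern fqdn (RFC 8659 s.3).

    Walk from fqdn toward the root; the first CAA RRset found is the relevant
    one. A leading wildcard label is dropped, so *.wild.example.org starts at
    wild.example.org. CNAME chasing is omitted in this example.
    """
    labels = [l for l in fqdn.rstrip(".").lower().split(".") if l != "*"]
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in ZONE:
            return owner, ZONE[owner]
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domain: str, fqdn: str) -> bool:
    """Decide whether ca_domain may issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    _owner, rrset = relevant_caa_rrset(fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # An issuer-critical record with an unknown tag forbids issuance outright.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    # Wildcard requests use issuewild if any exist, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = [issuer_domain(r.value) for r in rrset if r.tag == tag]
    if not allowed:
        return True  # RRset present but carries no issuance restriction (e.g. iodef only)
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.org"),
                     ("digicert.com", "www.example.org"),
                     ("letsencrypt.org", "*.wild.example.org"),
                     ("digicert.com", "*.wild.example.org"),
                     ("letsencrypt.org", "locked.example.org")]:
        print(f"{ca:16} -> {name:24} {'allowed' if may_issue(ca, name) else 'refused'}")
```

Note that the lookup finds www.example.org's policy at example.org, so a single record at the zone apex covers every host beneath it unless a more specific name sets its own; conversely a record at a subdomain, like locked.example.org above, shadows the apex for that name only.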
SSL and TLS 1.0 No Longer Acceptable for PCI Compliance
blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/, posted 2016 by peter in communication networking security
The PCI Council says you must completely remove support for SSL 3.0 and TLS 1.0. In short: servers and clients should disable SSL and then preferably transition everything to TLS 1.2.
However, TLS 1.1 can be acceptable if configured properly. The Council points to a NIST publication that tells you how to do this configuration.
Is there an Internet-of-Things vigilante out there? | Symantec Connect
www.symantec.com/connect/blogs/there-internet-things-vigilante-out-there, posted 2015 by peter in communication hardware linux networking security
Wifatch's code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks; in fact, all the hardcoded routines seem to have been implemented in order to harden compromised devices. We've been monitoring Wifatch's peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it.