NLnet sponsors development of WPA3 support for OpenBSD
The NLnet foundation has sponsored a project to add WPA3 support to OpenBSD, support which in turn can be used by other operating systems. This project delivers the second open-source implementation of WPA3, the current industry standard for Wi-Fi encryption, specifically for the OpenBSD operating system. Its code can also be integrated by other operating systems to enable modern Wi-Fi encryption, thereby enhancing the div …
Encrypt & Decrypt Database Fields in Spring Boot Like a Pro (2025 Secure Guide)
“Your database backup just leaked. Is your data still safe?”
How to break RSA? A guide for Hackers and CTF players to crack the RSA encryption algorithm
@prologic@twtxt.net Where do I stand on “Chat Control”? How long of a response/rant do you want? 😅 It’s a disaster. As I understand it, they want to spy on me directly on my devices before encryption even happens – jfc, no, fuck off. And since there are so many devices, they want to automate the scanning, which is the worst idea you could possibly have.
Oh man, if the EU actually rolled out this horrible idea called ChatControl that actually threatens the security and privacy of secure e2e encrypted messaging like Signal™, fuck me, I’m out 🤦♂️ I’ll just rage quit the IT industry and become a luddite. I’m out.
How I Captured a Password with One Command
Many beginner-friendly sites or older web applications still use HTTP, which transmits data without encryption.
MITM HTTPS Payload with Python
A lightweight MITM tool for monitoring encrypted traffic and detecting threats powered by AI and built in Python
Crypto Failures | TryHackMe Medium
Questions: What is the value of the web flag? What is the encryption key? Solution: We are firstly given an IP address. I performed a…
@bender@twtxt.net It’s still a straight-through to the Eris backend that itself uses a Let’s Encrypt cert now. Haven’t tried to also terminate TLS at the Edge yet.
How Backups Can Break End-to-End Encryption (E2EE)
Let’s Encrypt: Why You should (and Shouldn’t) use free SSL certificates
Free, fast, and secure — but is Let’s Encrypt the right SSL solution for your website?
DragonFlyBSD 6.4.1 released
It has been well over two years since the last release of DragonFlyBSD, version 6.4.0, and today the project pushed out a small update, DragonFlyBSD 6.4.1. It fixes a few small, longstanding issues, but as the version number suggests, don’t expect any groundbreaking changes here. The legacy IDE/NATA driver had a memory leak fixed, the ca_root_nss package has been updated to support newer Let’s Encrypt certificates, the package update command will no longer delete an importa …
Today I added support for Let’s Encrypt to eris via DNS-01 challenge. Updated the gcore libdns package I wrote for Caddy, Maddy and now Eris. Add support for yarn’s cache to support # type = bot and optionally # retention = N so that feeds like @tiktok@feeds.twtxt.net work like they did before, and… Updated some internal metrics in yarnd to be IMO “better”, with queue depth, queue time and last processing time for feeds.
restic for that reason and the fact that it's pretty rock solid. I have zero complaints 😅
I haven’t gotten very far with my experiments, yet. To be honest, I’m still not 100% sure if I want to trust that encryption. 😅 The target server will be completely out of my control … it is a real possibility that the (encrypted) data will leak at some point. Hm.
On top of my usual backups (which are already offsite, but it requires me carrying a hard disk to that other site), I think I might rent a storage server and use Borg. 🤔 Hoping that their encryption is good enough. Maybe that’ll also finally convince me to get a faster internet connection. 😂
@andros@twtxt.andros.dev how often do you send a private message on the Fediverse? How often do you send PGP/SMIME encrypted emails? Are there other tools that are more suitable for the task? If implementing direct/private messages on twtxt scratches an itch (you know, that hobbyist itch we all get from time to time), then don’t give up so easily. Worse comes to worse, and your feed becomes too noisy, people can simply unfollow/mute.
I really don’t care about direct messages here, but I might be on that bottom 1%!
A Complete Guide to Securing Secrets in AWS Lambda
Learn how to securely manage secrets in AWS Lambda using environment variables, KMS encryption, Secrets Manager, and more.
Let’s Encrypt ends support for expiration notification emails
Since its inception, Let’s Encrypt has been sending expiration notification emails to subscribers that have provided an email address to us. We will be ending this service on June 4, 2025. ↫ Josh Aas on the Let’s Encrypt website They’re ending the expiration notification service because it’s costly, adds a ton of complexity to their systems, and constitutes a privacy risk because of all the email addresses the …
Apple has agreed to pay $95 million to settle a lawsuit alleging that its voice assistant Siri routinely recorded private conversations that were then sold to third parties for targeted ads.
From Siri “unintentionally” recorded private convos; Apple agrees to pay $95M https://arstechnica.com/tech-policy/2025/01/apple-agrees-to-pay-95m-delete-private-conversations-siri-recorded/
I’m not sure I’m convinced Apple is really that much better than the other big tech companies when it comes to this kind of thing. Their reputation is better and they do seem to be better about things like on-device encryption, but then stories like this come out.
Oof, is it any wonder some of us don’t want to just give out our info online willy-nilly.
Also that credit card ‘encryption’ will likely land that company in very hot water, no doubt far away from PCI DSS requirements.
Lol. “Lighty Encrypted” https://www.pcmag.com/news/hot-topic-breach-confirmed-millions-of-credit-cards-email-addresses-exposed
@prologic@twtxt.net a signature IS encryption in reverse. If my private key becomes compromised then they can impersonate me. Being able to manage promotion and revocation of keys is needed even in a system where it’s used for just signatures.
@shreyan@twtxt.net What do you mean when you say federation protocol?
Either use webfinger for identity like Mastodon etc. or use ATproto from Bluesky (or both?)
We can use webmentions or create our own twt-mentions for notifying someone’s feed (WIP code at: https://github.com/sorenpeter/timeline/tree/webmention/views)
I’m not sure we need much else. I would not even bother with encryption since other platforms do that better, and for me twtxt/yarn/timeline is for making things public
how would that work with your encryption keys? you send them to a server that hopefully you control?
@lyse@lyse.isobeef.org I have read the white papers for MLS before. I have put a lot of thought on how to do it with salty/ratchet. It’s a very good tech for ensuring multiple devices can be joined to an encrypted chat. But it is bloody complicated to implement.
An official FBI document dated January 2021, obtained by the American association “Property of People” through the Freedom of Information Act.

This document summarizes the possibilities for legal access to data from nine instant messaging services: iMessage, Line, Signal, Telegram, Threema, Viber, WeChat, WhatsApp and Wickr. For each software, different judicial methods are explored, such as subpoena, search warrant, active collection of communications metadata (“Pen Register”) or connection data retention law (“18 USC§2703”). Here, in essence, is the information the FBI says it can retrieve:
Apple iMessage: basic subscriber data; in the case of an iPhone user, investigators may be able to get their hands on message content if the user uses iCloud to synchronize iMessage messages or to back up data on their phone.
Line: account data (image, username, e-mail address, phone number, Line ID, creation date, usage data, etc.); if the user has not activated end-to-end encryption, investigators can retrieve the texts of exchanges over a seven-day period, but not other data (audio, video, images, location).
Signal: date and time of account creation and date of last connection.
Telegram: IP address and phone number for investigations into confirmed terrorists, otherwise nothing.
Threema: cryptographic fingerprint of phone number and e-mail address, push service tokens if used, public key, account creation date, last connection date.
Viber: account data and IP address used to create the account; investigators can also access message history (date, time, source, destination).
WeChat: basic data such as name, phone number, e-mail and IP address, but only for non-Chinese users.
WhatsApp: the targeted person’s basic data, address book and contacts who have the targeted person in their address book; it is possible to collect message metadata in real time (“Pen Register”); message content can be retrieved via iCloud backups.
Wickr: Date and time of account creation, types of terminal on which the application is installed, date of last connection, number of messages exchanged, external identifiers associated with the account (e-mail addresses, telephone numbers), avatar image, data linked to adding or deleting.
TL;DR Signal is the messaging system that provides the least information to investigators.
I set up Joplin with caddy as the WebDAV server. Works okay. The e2e encryption can get messed up sometimes. Supports markdown and images.
**RT by @mind_booster: 1/3 🚨Recent @POLITICOEurope leak revealed that US & EU officials have agreed to cooperate on measures to turn public opinion against #encryption.
Experts’ statements by @edri & @globalencrypt have called out against this plan
➡️https://edri.org/our-work/eu-us-plan-offensive-to-legitimise-police-access-to-data-civil-society-responds-amid-growing-fears-press-release/
➡️https://www.globalencryption.org/2023/04/statement-on-eu-us-cooperation-against-encryption/**
PSA: DMs on social media sites are not truly PMs. This is why we have a separate tool for private messaging from yarn. Always remember, if you don’t own the infra (or the parts at the ends of e2e encryption) you don’t own the data, and the true owners can view it any way they want!
https://twitter.com/TinkerSec/status/1587040089057759235?t=At-8r9yJPiG6xF17skTxwA&s=19
I maintain keys for my email addresses.. but like most in this thread i almost never receive encrypted emails.. other than the BTC exchange i use that sends automated mail encrypted.
**RT by @mind_booster: 1/2 📢The Commission wants to do the impossible of detecting illegal content in end-to-end encrypted communications, but has no idea how to do this (because it IS impossible).
Solution: leave it to service providers under the guise of technological neutrality.**
It’s the (roughly) bi-annual platform convention. I think the new platform does a good job of holding to progressive values (even if I wish it went farther in places). I got an amendment in to improve our stance on encryption-related issues, which was nice.
@lyse@lyse.isobeef.org there was an old tool for encrypted volumes that you could use random files as the unlock keys. And you could have multiple hidden volumes that would unlock depending on the files supplied
@fastidious@arrakis.netbros.com Yeah.. mine is all server side.. so it doesn’t make much sense to be encrypt/decrypting anything. :D
Let’s see how resilient this is, or if it breaks.
-----BEGIN CRYPTUTIL ENCRYPTED MESSAGE-----
l0GwFAQpx3ed+bZlcQ+pexbynFzZOm8EI/FivGbWQ16whyTkToVv8S2GSAjrsJoT
37MdaBDpoitli/f/aP130b6O6SnK/LdHHJ1DTvWgxB14sq9b4mRtk7HvYzA=
-----END CRYPTUTIL ENCRYPTED MESSAGE-----
@prologic@twtxt.net Ok.. so using NaCl boxes. Yeah, it’s just a combo of using secretbox with a generated key/nonce, and then using the pubkey box to encrypt the key/nonce for each device.
@prologic@twtxt.net Sender generates an AES key and encrypts the message, gets the device list for the user and encrypts the key for each device, then sends the encrypted keys + ciphertext.
@prologic@twtxt.net For encryption, we can have the browser/app generate an ec25519 keypair, store the private key on the device and add the pub key to the list of devices for the user on the pod.