This time it's Mozilla. They apparently forgot to regenerate some certificates used in signing add-ons and they all stopped working.
https://www.reddit.com/r/firefox/comments/bkfte9/if_you_have_issues_with_your_addons_being_marked/
So our company procured, after years of selection and testing, a tool to manage shared passwords (where a team needs access to systems that cannot be easily connected to the federated authentication). So I tried to add the secrets for the service principal and the technical user in there and
⸘Warum, kurwa‽
… the “password” in this case is a “client secret” and is (hopefully) randomly generated by the Azure API, so I can't choose whether it will start with a digit or not.
PS: Note the bonus Engrish.
@Polygeekery I doubt you'll make friends that way, because:
@sh_code It's not JavaScript that's kidding you:
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/time.h.html:
The <time.h> header shall declare the tm structure, which shall include at least the following members:
int tm_sec Seconds [0,60].
int tm_min Minutes [0,59].
int tm_hour Hour [0,23].
int tm_mday Day of month [1,31].
int tm_mon Month of year [0,11].
int tm_year Years since 1900.
int tm_wday Day of week [0,6] (Sunday =0).
int tm_yday Day of year [0,365].
int tm_isdst Daylight Savings flag.
Javascript just passes those values on.
I would, however, grant you that the getDate for day and getDay for day-of-week is somewhat silly.
@obeselymorbid Healthy Living hasn't been available in most of the world for almost two years now
I just got
from GitHub.
How on $planet does GitHub suddenly decide that an account that exists for some years, has repositories, has comments in many bug reports that are not being marked as spam, has integrated merge requests and is member of two organizations is not a human?
@pcooper said in Is there a guide to certificate algorithms?:
If you're looking for something a little more authoritative than what I as a random person on the Internet says, then I'd suggest looking at Mozilla's configuration recommendations:
Thanks, that's what I was looking for.
If you're a bit more paranoid, it's worth noting that the NSA's guidance as of a few years ago was to use P-384 or 3072-bit RSA for securing government systems, as they didn't seem to think P-256 or 2048-bit RSA was good enough, though I haven't seen any compelling reasons as to why.
Yeah, the Mozilla page says there ain't much of a difference and P-256 should be enough.
It's also worth knowing that ECDSA uses curves that have parameters hand-picked by NIST, and so doesn't qualify as a "Safe Curve". I figure if the US government recommends the military use it for important things then it can't be too bad, but just throwing that out there.
Perhaps they are confident they are the only ones who know the weakness.
That's the main argument I'm aware of for using Ed25519 instead, but it isn't generally supported by CAs/browsers/etc. for "normal" TLS yet (which I'm guessing isn't due to a vast conspiracy, but one never knows…).
My guess is that some of the implementors didn't want to bother with the separate implementations that curve uses.
@BernieTheBernie said in From Pure Windows 7 to Linux Dual Boot:
Oddly, RDP (xrdp on kde standard) feels a little sluggish. Much slower than the Windows 11 machine.
"A little sluggish". Uhm, actually terrible.
Why tf is it so sluggish?
When I move a window around on the screen, the Windows 11 machine shortly bursts data sending to about 1 Mbps. For a moment only.
But the Debian 12 machine... sends 6 Mbps for several seconds.
Why? But why?
My guess is because compositing is turned on.
Windows, with both window manager and the RDP included in the system install, is smart enough to turn off compositing when using remote desktop and/or sharing the desktop, but in Linux, rdp is a niche use-case—most people either use terminal only, X forwarding over ssh, or xpra—and the window manager (I'm guessing kwin-x11 in your case) is a separate package, so it is not smart enough to turn it off.
Well, it should turn it off in a VM because it does not have anything to support hardware acceleration in the first place, but it probably isn't smart enough for that either, because the authors never tested it on a box without at least somewhat modern graphics card.
@Tsaukpaetra said in From Pure Windows 7 to Linux Dual Boot:
Weird, I don't remember that, I might have to spin up a machine to see what happens on mine...
If you use an older or simpler window manager that doesn't do compositing, or doesn't do it by default, then you wouldn't have the problem.
Apropos xpra, I used it locally for apps in containers, which is obviously fine, but the one time I tried it for actual remote access to Azure VM, it was pretty slow too. But that setup had something like two nested SSH tunnels over two nested VPNs, so the problem was almost certainly that the connection was just overall horribly slow. Since it was forwarding just the specific application, compositing didn't come into play, but lack of hardware acceleration still might have been too, the app might have been trying to use it too—in X11, most of the OpenGL APIs will be there even if there is no acceleration, it'll just be very slow.
@LaoC said in Hacking News:
I see no reason to switch. Supposedly the algorithm is faster (which doesn't matter at all in SSH), but DJB & Tanja Lange say it's crap and quite a few things coming out of NIST turned out to be smelly so I would prefer not to.
The https://safecurves.cr.yp.to/ (by DJB & Lange) lists the NIST P-256 and P-384 as manipulatable, because they include an unexplained pseudo-random constant, but it does not list the P-521. It does list “E-521”, which someone said is the same curve here, but https://neuromancer.sk/ doesn't seem to agree (P-521, E-521).
@Zecc said in In other news today...:
Just when I thought I couldn't hate advertisers more than I do.
Advertising is both the driving force of modern society and its future downfall.
Without advertising, people wouldn't be buying a lot of the shit they do, because it wouldn't even cross their minds they could want something like that, which would mean economy wouldn't grow as fast and the progress would be slower, though we'd probably have more time on our hands. But with advertising getting ever more aggressive as it is wont to get, we'll sooner or later drown in useless junk and visual and audible smog.
… it crossed my mind to check what CFSSL supports¹, and it looks like they offer:
rsa: size ∈ 〈2048, 8192〉 bits
ecdsa: size ∈ {256, 384, 521} (the P-256, P-384 and P-521 curves)
ed25519: (size ignored, it's just one curve)
so that's probably the set that's actually usable. If Microsoft support EC at all, that is.
And their default is actually ecdsa size 256.
¹ Use the source, Luke. I didn't even bother trying the documentation, I already know it sucks.
@dkf It is completely irrelevant that it can also be using a non-ssh transport, the point is it is using a different implementation of ssh transport than the one affected by the security advisory.
@Carnage said in The Official Funny Stuff Thread™:
English is NOT THIS crazy.
The pronunciation changes over time a lot faster than the spelling, which is held fixed by long history of written texts, especially literature. But the pronunciation doesn't change randomly, there are patterns to it, and therefore the correspondence from letters to sounds does follow those patterns. Not very regularly, and there are several ways some phonemes could evolve, but it still isn't just random.
@DogsB And that's supposed to be news to whom, exactly? I thought everybody (who cared at least somewhat anyway) already knows that.
Everybody I know has always been generating X.509 (TLS) certificates using algorithm¹ RSA, because it's traditional and because it only takes one parameter, the size.
But recently I've seen some proposal that stipulated algorithm¹ EC with curve secp384r1² for a project CA, also stating other algorithm like Ed25519 might be considered for the subordinate keys, and we just discussed vulnerability concerning P-521, which openssl would know as EC secp521r1, in putty.
The matter is further complicated by the fact that
keyUsage.
Does anybody know of a guide on what to use for which purpose, usable by average developer or devops engineer? My google/duck/etc.-fu is failing me.
¹ As in openssl genpkey -algorithm option.
² The -pkeyopt ec_paramgen_curve: option.
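
The key types named in the post above, generated with the `openssl genpkey` options from its footnotes and then inspected to confirm what was actually produced. This is an added example, not part of the original post; the `key_summary` helper name and the 2048-bit RSA size are choices made here, and it assumes an OpenSSL 1.1.1 or 3.x command-line tool.

```bash
#!/usr/bin/env bash
# Added example: generate a private key with "openssl genpkey" and print a
# one-line summary of what openssl really created, so a typo in a curve name
# or a silently ignored option is caught before the key goes into a CA.
# Usage: key_summary <genpkey arguments...>
key_summary() {
    local text bits curve
    # The key never touches disk: genpkey writes PEM to stdout, pkey decodes it.
    text=$(openssl genpkey "$@" 2>/dev/null | openssl pkey -text -noout 2>/dev/null) || return 1
    [ -n "$text" ] || return 1
    # RSA and EC keys report "Private-Key: (N bit ...)"; Ed25519 has no size.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    # EC keys on a NIST curve also report the curve's NIST name.
    curve=$(printf '%s\n' "$text" | sed -n 's/^NIST CURVE: //p')
    case "$text" in
        ED25519*) echo "ed25519" ;;
        *)
            if [ -n "$curve" ]; then
                echo "ec $curve $bits"
            else
                echo "rsa $bits"
            fi
            ;;
    esac
}

# RSA takes one parameter, the size.
echo "RSA:       $(key_summary -algorithm RSA -pkeyopt rsa_keygen_bits:2048 || echo unsupported)"
# EC needs the curve; these are the openssl names for P-256, P-384 and P-521.
for c in prime256v1 secp384r1 secp521r1; do
    echo "EC $c: $(key_summary -algorithm EC -pkeyopt "ec_paramgen_curve:$c" || echo unsupported)"
done
# Ed25519 is a single curve, so there is nothing to choose.
echo "Ed25519:   $(key_summary -algorithm ED25519 || echo unsupported)"
```
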