SVCB, Zodiac, Teams, DNS, RFC3161, Bias, Cloudflare, YAP!, Nym
Speeding up HTTPS and HTTP/3 negotiation with DNS (@ Cloudflare Blog) - I did enable HTTP/3 & QUIC half a year ago or something with Firefox, and it caused annoying unexpected hangs. Now I'll retry to see if it's already good to go. Based on a quick check, the only major sites almost completely using HTTP/3 seem to be Google, Facebook and sites utilizing Cloudflare or Fastly. kw: SVCB/HTTPS, HTTPS DNS record type.
Some people say that it's not a bad thing if some issue was patched a few versions ago. No, it's a bad thing. Many people don't want to install any updates, because those constantly break and brick systems which were working earlier. So, if there's a flaw, it doesn't matter that it's patched, because nobody really wants to install those fixes, which probably sabotage your system in so many other ways. The probability of being targeted by attackers exploiting the flaw is much lower than the probability that the update destroys your environment. Unfortunately I'm constantly seeing this, from several vendors and software products: Microsoft, Teams, Office, Windows, Android Firefox, Android in general and so on. - There are no words for how bad Microsoft Teams' code is; it's an absolute total nightmare.
It was interesting to see that the Zodiac killer's messages used quite a simple cipher, yet it took this long to decrypt them.
Microsoft Teams: now HTML tags in messages are leaking through, visible to end users in the UI. Honestly, who makes this kind of ... Such a great job again!
Helped a friend to set up a DNS DB solution, where you can safely utilize ODoH to hide your IP address and read, write and update key-value data in a database using DNS queries over DoH. Of course it also supports fallback using traditional DNS and DNSSEC. But using ODoH + DoH makes it really easy to utilize common protocols for creating a covert communication channel. I kind of liked the solution; helped with hosting provider selection, setup and testing. Didn't have time to help with documentation or the source code itself, but I did review the plan and consider related security aspects. All you need is DNS access; HTTP / HTTPS or TCP isn't required. + DNSSEC obviously. It's very similar to dnsimple's dnstore (@ blog.dnsimple.com) / dnstore (@ GitHub). Yet dnsimple doesn't allow updates to the database via DNS only.
RFC3161 compliant Time Stamp Authority (TSA) (@ Wikipedia) and related Trusted timestamping (@ Wikipedia). Well, there was discussion when something happened. If it's that critical to know when it happened, then it would make complete sense to record when it happened, so it's clear. Another thing is signing messages. I've so many times seen that A claims something and B claims something else. How about checking the truth and telling which party is lying? That's also trivial, if it's so important to know the truth. - Added a simple and automated implementation which retrieves timestamps for specific files, with hashes. So there's no need for this pointless discussion anymore.
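Building the RFC 3161 timestamp request for a file's hash, as an added example that is not the blog's own implementation; the HTTP POST to a TSA is left out so it runs offline, and the nonce and certReq handling are shown because a reply should be checked against both.

```python
"""Build and parse an RFC 3161 TimeStampReq (DER) for a file's SHA-256 digest. Added
example, not the blog's code; the HTTP POST to a TSA (RFC 3161 sec. 3.4) is omitted."""
import hashlib
SHA256_OID = bytes.fromhex("608648016503040201")  # id-sha256 = 2.16.840.1.101.3.4.2.1

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value: int) -> bytes:
    """Minimal-length INTEGER for non-negative values (extra 0x00 keeps the sign bit clear)."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def build_tsq(digest: bytes, nonce=None, cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version(1), messageImprint, nonce OPTIONAL, certReq }."""
    alg = tlv(0x30, tlv(0x06, SHA256_OID) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    imprint = tlv(0x30, alg + tlv(0x04, digest))          # MessageImprint
    body = der_int(1) + imprint
    if nonce is not None:                                 # nonce ties the reply to this request
        body += der_int(nonce)
    if cert_req:                                          # ask the TSA to include its signing cert
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def imprint_digest(tsq: bytes) -> bytes:
    """Pull hashedMessage back out of a request, e.g. to check it before sending or archiving."""
    _, body, _ = read_tlv(tsq, 0)
    _, _version, pos = read_tlv(body, 0)
    _, imprint, _ = read_tlv(body, pos)
    _, _alg, pos = read_tlv(imprint, 0)
    return read_tlv(imprint, pos)[1]

def tsq_for_data(data: bytes, nonce=None) -> tuple:
    digest = hashlib.sha256(data).digest()  # only the digest leaves the host, never the content
    return digest, build_tsq(digest, nonce)
```

The resulting bytes are what `openssl ts -query -sha256 -cert` would produce for the same input, so the file's digest can be verified locally before the request is posted and the TSA's reply is archived next to it.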
About biased news sources: It's funny to check out two sites covering the same news with a bit different twist. As an example: balticnews.eu vs baltictimes.com (not linked on purpose). What's so funny? Well, the .eu site is hosted in Russia. I'm sure no actual Baltic media would do that, unless it's aimed at Russian citizens living in Russia? Even so it would be a strange choice. But baltictimes.com is hosted in the US, which is also quite a strange choice considering all the good hosting options we've got in Europe and even in the Baltic countries. There are several good and cheap hosting providers in Riga, Tallinn and Vilnius. Then take a look at the headlines and see what the actual differences in the content are.
Cloudflare Pages (@ Cloudflare) and its introduction (@ Cloudflare blog). It's awesome how there are going to be more and more publishing platforms with tight CDN integration. Also I bothered to check out JAMstack (@ jamstack.org) for the very first time. Just like the combination of Backblaze + Fastly (@ Backblaze's blog).
Tested YAP! OpenPGP on Android, but it seemed to have some UI bugs with recipient public key selection, and messages ended up being undecipherable after encrypting. Fail. This didn't seem like a case to investigate further: invalid key-id and that's it. It's clearly broken, even if the only key source being used was my public key. I made a bug report and soon the author contacted me and fixed the issues. This is exactly how things should work. Of course it would have been nicer if it hadn't been broken to begin with.
Read about Nym and Loki, new privacy networks; Nym does look slightly interesting. Have to read more detailed documentation about it. Many privacy tools seem to be some kind of blockchain stuff instead of traditional mixnets. Also the low latency requirement is, well, a problem, as we all know, against powerful adversaries.