home.social

#x509 — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #x509, aggregated by home.social.

  1. #DigiCert customer support compromised with .scr ZIP attachment 🤷

    During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:

    • DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
    • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
    • GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
    • Verokey High Assurance Secure Code EV

    https://bugzilla.mozilla.org/show_bug.cgi?id=2033170

    #x509 #infosec

  2. RE: infosec.exchange/@paulehoffman

    Side note: this is why things like "multi-perspective corroboration" for domain validation do not work.

    When every single packet to .ir nameservers and servers inside Iran passes through two (yes, 2!) gateways, then those controlling the gateways can acquire a valid domain validation certificate for any .ir domain or any server located in Iran.

    #x509 #dns #dnssec #certificate

  3. RE: abyssdomain.expert/@filippo/11

    An archive of all CT-logged certificates with all the tools needed for an analysis! No more scraping.

    #ctlog #x509 #certificate

  4. So @letsencrypt have put out a new blog post about shorter lives for certs moving forward (45 days by 2028), but I've still not seen any movement on deploying the "shortlived" profile (and as a result IP address certs) from their post back in July. It's all been up on the test Staging servers since then.

    Does anybody have any idea when this will finally go live?

    It's in the docs, but no mention that it is restricted to invited users only still

    letsencrypt.org/docs/profiles/

    #x509 #LetsEncrypt #ip

  5. % openssl x509 -in /Applications/zoom.us.app/Contents/Resources/BBMMRoot.crt -text

    Validity
    Not Before: Feb 8 00:00:00 2010 GMT
    Not After : Feb 7 23:59:59 2020 GMT
    Subject: C=US, O=Thawte, Inc., CN=Thawte SSL CA

    🧐

    #Zoom #x509

  6. It's been over half a year and the Internet still seems to be working.

    Here's your regular reminder that #cname in #x509 is almost always irrelevant for the validation. If someone is using it, they are doing it wrong.

  7. @petarov

    Fortunately the #python #cryptography library has good code examples on how to actually get a #pki to work.

    Roughly, #x509 provides one-way trust and I need mutual trust in a distributed group.

    So I find myself working on x509 certificates for #wireguard. Wireguard works with a key pair at each tunnel end. Adding certs to that sounds conceptually easy, but for me it's a struggle.

  8. One of the most simultaneously useful and painful things you can ever learn in your IT/programming career is the X.509 standard.

    #programming #x509 #pki

  9. Refreshing the X.509 certificate of a certificate authority for OpenVPN, while keeping its previous signatures valid

    blog.jcea.es/posts/20240521-re

    #OpenVPN #x509 #hack

  10. @letsencrypt any more news on when the short lived profile (and IP address SAN entries) will go live on production?

    Or if I can get added to the test group?

    #X509 #LetsEncrypt #certificates

  11. Certbot only got a PR to enable IP address support with LetsEncrypt today.

    Does anybody know of an ACME client that has support?

    I want to test some things (both with LetsEncrypt and my local SmallStep CA)

    github.com/certbot/certbot/pul

    #ACME #certificates #CertBot #X509

  12. CW: work, crypto

    Okay, I finally figured out how this proof algorithm works on a mathematical layer.

    Now the pending question is whether we can describe an ECDSA signature as a mathematical function fulfilling the requirements of this algorithm in order to prove we *have* a signature of arbitrary data using a particular private key without *revealing* the signature itself.

    Damn. This is brainfuck. But this is *amazing* brainfuck. And damn, this algorithm is crazy.

    #matrix #X509 #crypto #ZKP

  13. I was told that I'm too dumb to understand the threat of putting IP addresses in #x509 #cname, and after two months, the Internet seems to be working just fine.

  14. RIP #Volksverschlüsselung, you will not be missed! heise.de/news/Bald-ist-Schluss

    Why do projects that want to make encrypted communication suitable for the masses regularly choose such daft nerd names and acronyms? 🙄 See also p≡p.

    #Security #Encryption #SMIME #X509 #Fraunhofer

  15. We have just released the first version of voa-core, a #RustLang library for access to verifiers in #VOA structures. 🎁 🦀

    crates.io/crates/voa-core/0.1.0

    VOA, short for "File Hierarchy for the Verification of OS Artifacts", is a way of providing and using verifiers for digital signatures in a stateless manner, for various cryptographic technologies:
    uapi-group.org/specifications/

    Thanks to @hko for his work on this and an upcoming #OpenPGP backend! 🥳

    #UAPIGroup #ArchLinux #DigitalSignature #SSH #X509 #STF

  16. Overview of what's new in Kubernetes 1.34: new YAML configuration and device health tracking with DRA

    The new version of Kubernetes, 1.34, was officially released today. We have put together an overview of all the changes. Among the main new features are device health tracking with DRA, fine-grained configuration of container restarts in pods, asynchronous handling of API calls, native delivery of X.509 certificates to pods, and a new variant of YAML for describing configurations.

    habr.com/ru/companies/flant/ar

    #kubernetes #dra #kyaml #x509 #device_health #container_restart_rules #emptydir #Asynchronous_API_calls #планирование_подов #NominatedNodeName

  17. One year after its acquisition by the Dutch company Total Specific Solutions (#TSS), #Buypass terminates its free #X509 certificate service. Another European alternative to #LetsEncrypt bites the dust. So much for the #EU #sovereignty.

    community.buypass.com/t/y4y130p

  18. OK. Now that I understand how to create working S/MIME certificates for signed and/or encrypted eMail with my own Certificate Authority (CA), I can take it to the next level. Federated CAs. Decentralised trust relationships between CAs. smallstep.com/blog/step-v0.8.3

    #SelfHost #CA #x509 #nerdcert

  19. Happily sending around signed and encrypted emails that use S/MIME certificates that I created myself on my own CA. And as my mail server (that I also run myself) has DKIM, DMARC, SPF set up correctly, that also works. Nice!

    #SelfHost #CA #SMIME #x509 #eMail

  20. So now that I have my own s/mime certificate generated and installed, here's the SHA256 fingerprint:

    19dae1a388af5c91e3dc53d89e3efdaef3f24878b9d37f809463ee801f3eae25

    Should you get an email from me, it will be signed and with this fingerprint you can verify that indeed it was me who sent it.

    I know almost no one will ever actually do this verification, but it is reassuring to me that you can :)

    #SelfHost #email #SMIME #CA #x509

  21. I have brain dumped the process at codeberg.org/jwildeboer/gists/ and will work on an extended version as blog post in the next few days. Big shoutout to @ben again for getting the process up and running in the first place!

    If you want to get a signed email from me to see what happens in your mail client, DM me an email address and I will send an s/mime signed email to you :)

    6/6

    #SelfHost #eMail #SMIME #CA #x509

  22. If I understand the whole s/mime stuff correctly, I can send you a signed email and your mail client should be able to extract my public key from that. You reply with a signed mail, I can extract your public key. Now we can send encrypted emails :) Your mail client/operating system won't trust my certificate as it is signed by my CA (Certificate Authority), but it should still work.

    5/6

    #SelfHost #eMail #SMIME #CA #x509

  23. KEKS codec and cryptographic messages

    This article recalls the problems of X.509 PKI and of ASN.1 implementations. It proposes KEKS, a compact, fast, deterministic, streaming and simple data encoding format, as well as cryptographic messages for signing and encrypting data with support for post-quantum algorithms.

    habr.com/ru/articles/923810/

    #c #go #python #keks #asn1 #x509 #openssl #криптография #pqc #hpke #pgp #cms
