Oh hey, repressive regimes worldwide! Here's how to cut off all TLS connections attempting to connect via ECH, it's quite easy! Just block TLS extension 0xfd00, 0xfe0d and 0xffee, then you're good to go.
Don't hesitate, help impair the current ECH spec so it can become better!

#Cloudflare #TLS #ECH #censorship #anticensorship

Mike Harrison
2 days ago

Just a shout out to the EFF and StartSSL project. Used "" to create a wildcard cert for a valid domain without a website (used for PBX's) using the DNS method. Automation in progress. Ya'll Rock! Donation on the way! #EFF #StartSSL #SSL #TLS #Asterisk

3 days ago

@brokenix Heads-up to all: The IETF has proposed implicit TLS (Port 465) as preferred over STARTTLS solutions. The previous confusion around Port 465 was cleared.

Wherever possible I use Port 465 over 587. Only one mail server I use doesn't offer implicit TLS, I have to contact them soon 😀

#smtp #tls #starttls

Jan Schaumann
4 days ago

Yaaaaay, we have a new (old) branded #TLS vulnerability, name, logo and all: "The Marvin Attack"

"In this paper we show that Bleichenbacher-style attacks on RSA decryption are not only still possible, but also that vulnerable implementations are common. We have successfully attacked multiple implementations using only timing of decryption operation and shown that many others are vulnerable."

Jakub Jirutka
5 days ago

#MariaDB devs came up with a clever idea: client and server can use the user/database password as a shared secret for the client to verify the server (self-signed) #TLS #certificate.

Server sends `SHA256("password hash", scramble, "certificate fingerprint")` to the client, which computes the same and if it recieved the correct certificate from the server and knows the correct password, both hashes must match.

Anthony Accioly
6 days ago

Adventures in Reverse-Proxy Land: I've just migrated all my containers from Traefik to Nginx. Configuring auto-renewable Let's Encrypt certificates (including support for wildcard certs) was tricky. OCSP stapling? Even trickier. If anyone needs a recipe, here you go:

Was it worth it? Definitely! Everything is now running with higher throughput, lower latency, and slightly lower CPU usage.

#Nginx #ReverseProxy #TLS #LetsEncrypt

Bob the Traveler
1 week ago

The first public version of the Mozilla Firefox web browser was released OTD in 2002, it was called "Phoenix 0.1" #HTML5 #TLS

Mike Harrison
1 week ago

Any recommendations for a long expiry date wildcard asterisk compatible certificate for asterisk / TLS / SSL ? I've been using StartSSL/LetsEncrypt for webish things so long I am not familiar with the other providers/methods. Considered abusing "" monthly, but would like a cert that lasts a year or more for deploying to many systems that may not get updates. Self-Signed Cert is working well, but requires SIP clients to accept/trust it. #Asterisk #TLS #Certificate

Bob the Traveler
1 week ago

The first public version of the Mozilla Firefox web browser was released OTD in 2002, it was called "Phoenix 0.1" #HTML5 #TLS

Royce Williams
1 week ago

Whenever someone insists that their website doesn't need TLS / HTTPS, send them this.

See the "visited certain websites not using HTTPS" part?

Unencrypted websites are an essential part of some exploitation chains, due to an attack method called "network injection". If the attacker can get between your website and a vulnerable visitor ... game over.

If your site is worth visiting ... aren't its visitors worth protecting?

Full original article:

Edit: I'm also looking at you, package management frameworks that still use HTTP "because signing":

#https #tls

Text from Citizen Lab article "Predator in the Wires", in part, with "visited certain websites not using HTTPS" highlighted:

Relevant section:

"In August and September 2023, Eltantawy’s Vodafone Egypt mobile connection was persistently selected for targeting via network injection; when Eltantawy visited certain websites not using HTTPS, a device installed at the border of Vodafone Egypt’s network automatically redirected him to a malicious website to infect his phone with Cytrox’s Predator spyware."
Jörg Kastning
2 weeks ago

Gestern erreichte mich eine E-Mail von einem ehemaligen Kollegen. Dieser wollte mir unter anderem mitteilen, dass mein TLS/SSL-Kochbuch von 2016 immer noch hoch geschätzt und gelobt wird. Darüber habe ich mich sehr gefreut. 😀

Artikel zum TLS/SSL-Kochbuch:

#tls #ssl #certificate #ca #csr #hsts #hpkp #pinning

2 weeks ago

Ich habe eine HTTPs Webseite, die über den Browser einwandfrei funktioniert. Wenn ich die Seite mit curl abfrage, dann bekomme ich unregelmäßig aber häufig folgende Fehlermeldung:

curl: (56) Recv failure: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt.

Woran könnte es liegen?

#netzwerk #informatik #sysadmin #admin #curl #https #tls

2 weeks ago

So, heute fliege ich nach langer Zeit mal wieder die Strecke
#XFW 🛫 #TLS bzw #EDHI 🛫 #LFBO
Bedient wird das ganze von #HahnAir operated by #Volotea.

Reading through RFC 8446 and want to try to read a referenced PDF (Limits on Authenticated Encryption Use in TLS).

Original site broken due to misconfigured MySQL. Cannot find any mirrors aside from a scribd upload.


#DigiPres #Security #TLS #Encryption

Neil Craig
2 weeks ago

One of our CDNs told us they want to remove support for a few TLS ciphersuites. Just spent ~30 mins collating our current supported ciphers & comparing that (using a CLI I wrote) to the same but minus the proposed removals...documented it all nicely.
tl;dr: It'll make zero difference AFAICS.
Nice to be able to simulate these sorts of changes without having to go configure a web server and run tests.
I should OSS the CLI app really. Saves a lot of time.
#InfoSec #WebDev #CDN #TLS

Anthony Accioly
2 weeks ago

The comment systems for all communities are back. Everything is now working over Cactus + Matrix. Due to popular demand, Discourse content topics are still being created, but Discourse replies will not be reflected in comments, nor vice-versa. I've also disabled plain HTTP access on all servers, enabled HSTS, and introduced 4096-bit DH parameters. This means that all servers are now scoring between A and A+ on SSL Labs server tests.


#Community #Comments #Security #TLS

Piers Lomax
2 weeks ago

As if Thames Water didn’t have enough troubles. They forgot to renew their TLS cert for account management and it expired a few hours ago 🤣

#tls #fail

2 weeks ago

Cool DEF CON 31 talk about automatic testing of TLS certificate validation: Software: #pentest #tls #mitm

Labeling systems like #SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, #Podman does not change the labels set by the OS.
By default #TLS verification is turned on when communicating to registries from Podman. If the registry does not require encryption the Podman commands such as build, commit, pull and push will fail unless TLS verification is turned off using the --tls-verify option. NOTE: It is not at all recommended to communicate with a registry and not use TLS verification.
rootless containers cannot #ping hosts
Since the administrator of the system set up your home directory to be noexec, you will not be allowed to execute containers from storage in your home directory. It is possible to work around this by manually specifying a container storage path that is not on a noexec mount. Simply copy the file /etc/containers/storage.conf to ~/.config/containers/ (creating the directory if necessary). Specify a graphroot directory which is not on a #noexec mount point and to which you have read/write privileges.

Conan the Sysadmin
3 weeks ago

Merely saying 'We speak a secret tongue' is not enough. One's wizards must speak the appropriate tongue, and speak it only in a most cautious fashion. #cybersecurity #TLS

3 weeks ago

Meanwhile, on DR Tech, our own Robert Lemos writes up the latest Microsoft and Google moves on TLS and what companies need to do to move forward: #DarkReading #TLS #Certificates

Conan the Sysadmin
3 weeks ago

By consulting the proper documents, one may speak a secure and secret tongue. #TLS #LetsEncrypt #OpenSource

3 weeks ago

@thurrott #Microsoft is on a roll with the housekeeping this month: #WordPad #Printer drivers #TLS #Troubleshooters Is this all in preparation for #Windows12

3 weeks ago

One of the big problems for the established Church: why did Christ give news of his resurrection to a mere woman, and not to an apostle, to a man?

#books #religion #Christianity #TLS

A Reader's Letter from the Times Literary Supplement, discussing the book "Mary Magdalene" by Philip Almond, and the question on why Christ gives his resurrection news to a woman rather than a man. The text reads:

Early to rise: There should be no "mystery" or "enigma" as to why the resurrected Christ showed himself first to a woman. Mary Magdalene got up early in the morning to provide a caring service, presumably unpaid; the apostles (male) did not.

From Maureen Street of Skipton in North Yorkshire.
3 weeks ago

Time to read the #TLS, and then off to bed with "Palatine: an Alternative History of the Caesars" by Peter Stothard.

I don't usually read two books about the same era one after the other, but that's the way the cookie crumbles this week.

New books ordered: expectations high.

#books #history #Romans #amreading

Conan the Sysadmin
3 weeks ago
3 weeks ago

Microsoft is FINALLY going to disable TLS 1.0 & TLS 1.1
it's been a long time coming, as TLS 1.2 has been around since 2008, and TLS 1.3 came out in 2018. Sadly older versions of MS office, Safari, and Turbotax may stil lbe using the outdated protocol and will not function properly after Microsoft disables it.

#Microsoft #Security #TLS #compatibility #windows11 📚
4 weeks ago

Microsoft is alerting users and system administrators that Windows will soon phase out support for older TLS specifications. TLS 1.0 and TLS 1.1 will be disabled in upcoming Windows releases. #microsoft #windows #tls

ADMIN magazine
4 weeks ago

Learn how to prepare for Google's proposal to shorten TLS certificate lifespans to 90 days #TLS #Google #certificate #security #governance #policy #automation

ADMIN Network & Security News
4 weeks ago

#Microsoft wird nun auch in Windows 11 die Unterstützung der veralteten Transport Layer Security (#TLS)-Versionen 1.0 und 1.1 abschalten. Jetzt warnt der Konzern Nutzer vor den bevorstehenden Änderungen.,138299.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia

4 weeks ago

Existing versions of Windows 11, 22H2, 21H2, and Windows 10 will continue to support legacy TLS protocols until the 23H2 update and the release of Windows 12 next year.

#TLS #Microsoft #Windows

Christiane Peters
4 weeks ago

Microsoft deprecates #tls 1.0 and 1.1 in major products including SQL Server.

My takeaway from the #sha1 deprecation was that we only see global change on rolled out #cryptography when the likes of #microsoft and #google turn a security #threat into an availability issue.

I predict we’ll see the same here.

Sadly, #toybox doesn't like to build it's #wget with #SSL / #TLS due to a missing header file...

Terminal ourput: 
user@x230t:~/projects/os1337/build/toybox-0.8.10$ LDFLAGS=--static CROSS_COMPILE=i686-linux-musl-cross/bin/i686-linux-musl- make ARCH=x86 toybox
Compile toybox fatal error: tls.h: No such file or directory
   60 | #include <tls.h>
      |          ^~~~~~~
compilation terminated.
make: *** [Makefile:17: toybox] Error 1
Neil Craig
1 month ago

Does anyone know of a commonly used Chrome/ium extension which would set `expect-ct` on web pages?
We're getting several million deprecation reports on our web pages for `expect-ct` but we don't set it ourselves.
#WebDev #InfoSec #Security #ExpectCT #TLS

Whonix Anonymous OS
1 month ago

We are pleased to announce that Whonix and Kicksecure are utilizing website TLS with the highest available security options:

#tls #security #ssl

Mark Gardner ‍:sdf:
1 month ago

@Perl A tip from @philsplace for those having trouble connecting to #MariaDB using #Perl #DBI and an #SSL / #TLS connection:

2 months ago

I will admit, it has been a few years since I have used the term "idempotent". #tls

[ick] :hotboi:
2 months ago

Curious what everyone's take is on TLS decryption for increased network visibility. If you're a security professional working with a corporate network in 2023, how necessary (to you) is TLS decryption for traffic destined to the internet?

Do visibility gains outweigh management complexity? Or is it a relic of the past that has been replaced with better solutions?

#cybersecurity #tls #network #networking #decryption #monitoring #logging

2 months ago

Wenn man sich Vorträge anderer Leute anört, lernt man immer interessante Sachen. So zum Beispiel:

Wenn jemand #HTTPS verwendet, dann passiert die Verbindung zwischen #Browser und #ISP im Klartext. Erst ab dem Provider wird verschlüsselt.
Wenn man aber #TLS verwendet, ist alles viel besser. 🤯 🤡

Tom Jowitt
2 months ago

I find #govulncheck really useful, but it's hard to build into production CI flows when it demands fixes only available in release candidates.

I mean, we upgrade pretty often, but now I'm going to have to turn it off until 1.21 is released. This doesn't seem like a great security practice.

#golang #security #tls

A screenshot of govulncheck running in CI saying the only available fix is in crypto/tls@go1.21-rc4
Joel Bennett
2 months ago

Why isn't there already a Get-WebCertificate or something, for fetching the TLS certificate being used by a web server?

Well, my old version doesn't work in PowerShell 7, so I had to put this together for someone this week:

#PowerShell #SSL #TLS #Certificate #PS7 #ServerCertificateValidation

Bjarni |grep -i tech
2 months ago

That's this code:

The connection broker uses with-block to selectively monkey patch the socket library, so third party code would make outgoing #TLS and/or #Tor connections according to a configurable security policy.

Pretty cool! I have yet to port this to #moggie, but I will for sure.

The security researcher just grepped and skimmed, they missed the fact that not only did I solve the problem, I knocked that one out of the park.

I politely told them so. ;-) (3/3)

My usual amount of #openssl hate :blobcat_amused:​
Few weeks ago I had spam wave on my mail from my Zabbix, about high #cpu load. Firstly I shrugged it off as it is low resources VPS with too many services, I kind of expected this. One day I checked it for curiosity and found it was mainly openssl #ocsp process eating my resources. I restarted service, everything looked good.
Some time passed, yesterday I was doing random things on my server. Checked #htop without any particular reason and saw it again. This time I was more irritated and disabled service completely. I didn't use it on "production" anyway.
I am not sure if it was normal. Maybe openssl docs tell the truth and it is not a good way to run it long-term?
BTW what the hell am I doing with my life?!

#geek #nerd #admin #tls #selfhosted

Screenshot of htop running in black terminal. There is 1 CPU, 1 GB of RAM and almost 4 GB swap. CPU is 100% loaded. There are few random processes on visible top part of list, with openssl ocsp process on the top, using almost all resources.
2 months ago

Some agenda highlights from the upcoming SharkFest'23 EUROPE conference:

- #ChatGPT in #Wireshark (Megumi Takeshita)
- Real-world post-quantum #TLS (Peter Wu)
- Multicast & Broadcast Reconnaissance (Betty DuBois)
- It's Always #dns (Johannes Weber)

Join us in Brussels this fall, only one more week of early bird pricing!

Neil Craig
2 months ago

Earlier we were talking about DDOS & a colleague asked what TLS versions are used by the botnets these days...So I checked the most recent big-ish one we had :
**TLS Protocol Percentage**
TLSv1.3 55.77%
TLSv1.2 44.23%
TLSv1 0.00%
This was over something like 115M total requests.
So the answer is that the botnets have better TLS libs than our overall audience. Fun times.
#infoSec #webDev #TLS #DDOS

Neil Craig
2 months ago

I ran the numbers for yesterday on how many HTTPS requests to & did *not* include a TLS SNI header - by country. Highlights:
- Jordan is an outlier at > 17% non-SNI (3x any other)
- 90% (219) of countries have < 1% non-SNI
- 36% (88) of countries have 0 requests with no SNI
- H/T to Dominican Republic with ~800K requests, 100% of which *include* SNI
- DPRK (N. Korea) also had 0 non-SNI (but only 9 requests)
- UK has 0.06% non SNI (296M requests)
#TLS #webStats #infoSec

Several years ago everyone agreed that unencrypted data flow is dangerous and #internet as a whole should avoid it. #TLS spreaded everywhere. Now it is default and unencrypted traffic is marked as not secure.
(Sometimes I have to agree to 3-4 warning popups to log into some development service in internal network via http :blobcat_amused: )

I wonder when we finally agree the same about #MessagingApps and when we would understand #e2ee should be a standard. And messaging apps without #encryption should also have big red scary warnings to discourage people from using these. People should know before they send something what would be used against them in the future.

#security #privacy

Teri Radichel
3 months ago

Certificate Transparency Logs —What you need to know
ACM.247 Be aware of data exposed in Certificate Transparency Logs
by Teri Radichel | July 12, 2023
#cloud #security #dns #certificate #tls #aws #transparency #logs

3 months ago

Tailscale has a feature called Tailscale Funnel that kind of does the opposite of everything else Tailscale does? It exposes nodes directly to the Internet. And all the hostnames are published in CT, so I scanned it #appsec #nmap #tls #tailscale

Aral Balkan
3 months ago

By the way, if you want to test your TLS configuration for potential security issues and you don’t want to use a web site like SSL Labs, you can do so locally with a free and open cross-platform bash-based tool called

#tls #ssl #security #app #bash #web #dev

Aral Balkan
3 months ago

Small Web places made with Kitten will only support TLS 1.3 once I merge my current branch into main.

This increases the security of TLS and reduces the cipher suites to just three. Since all major modern browsers have supported TLS 1.3 for years now, there is no down side.

(Ironically, this does lower the SSL Labs rating of Small Web places made with Kitten from A+ to A but that’s because of a known issue in their test¹.)


#SmallWeb #Kitten #TLS #security

Aral Balkan
3 months ago

FML, something that’s changed between Node 12.16.2 and 18.16.0 has made the OCSP stapling library I’m using¹ 1,000× slower (~4ms vs ~4s per request).

At least I know where the issue is… Tomorrow, I dig into the library to try and narrow it down further.

(The network graph in Firefox was useful as it showed that the problem was with the TLS Setup. And 0x² and its flame graphs helped me narrow it down further.)


#Kitten #TLS #OCSP #NodeJS #dev

Flame graph showing that the getOSCPURI function is spending >75% of the time on the stack.
Kenneth J. Jaeger
3 months ago

@fosstodon @kev @mike: I don't know if you are aware of this already or not, but the #Fosstodon servers all get a B rating from #Qualys #SSLLabs SSL Test here: Most other Mastodon servers I have checked get an A+ or at least an A. It looks like you should consider disabling #TLS 1.0 and 1.1 protocols to get a better rating. #InfoSec #Security

Mike Kuketz 🛡
3 months ago

Das BSI Testwerkzeug zur Durchführung von TLS-Konformitätstests ist als »TLS Checklist Inspector« online verfügbar. (Hosting/Betrieb achelos) 👇

#tls #ssl #security #sicherheit #bsi

Since Google has announced the intention to reduce the maximum validation time for TLS-certificates frrom 398 days to 90 - I have spent the entire day testing out acme2certifier - basically a self-hosted ACME-server that can be used to act as a middleware/proxy against Lets Encrypt, ZeroSSL, Digicert and more - or even your own CA.

Turns out that it is well documented and quite easy to configure and set up :)

#linux #acme #letsencrypt #tls

Hoy fue día de mejorar seguridad y rendimiento para la infraestructura de @impulsait incluyendo

#DNSSEC y conectividad #IPv6 para los servidores de nombre y dominio
✅ Mejoras en conexiones seguras TLS/SSL: Registro CAA, OCSP stapling, HSTS Preloading
✅ Actualización de proxy web que sirve a Debian 12

💪 Hall of Fame @internet_nl

🎉 A+ en #SSL Server Test:

#MastoAdmin #FediAdmin #TLS

"Accept the risk and continue" would be a good band name. #tls #devsecops

4 months ago

#Development #Demos
TLS byte by byte · Watch a web page performing a live, annotated https request for itself

#Security #Cryptography #Protocol #WebDevelopment #WebDev #HTTPS #SSL #TLS

Neil Craig
5 months ago

Yesterday I added a graph to track TLS ciphersuite usage over time & immediately spotted an anomaly.
In mid-Feb, on our commercial CDN, CHACHA usage dropped from ~10-12% to ~0.5% & stayed there. The same did *not* happen on our own CDN so it seemed unlikely to be client behaviour.
Raised it with the CDN vendor & they tied it to a release which accidentally changed the behaviour to pref CHACHA for clients for whom CHACHA is top pref.
Having good data is 💯
#TLS #CDN #Grafana #webStats

Screenshot of a Grafana graph showing the trend as described
Neil Craig
5 months ago

Since I couldn't find it in the Certbot docs, I did a bit of experimentation and it turns out that you can list multiple DNS TXT records for `_acme-challenge.<domain>` and issuance will succeed if at least one of those TXT records is the correct token (I ended up with 5 in total).
Our potential use case for this is issuing multiple certs for the same domain/hostname from different CAs (or CA accounts).
Hopefully that'll help someone at some point.
#ACME #CertBot #TLS #infoSec #webDev

Neil Craig
5 months ago

A colleague just reminded me that OpenSSL 1.1.1 is going to be End of Life'd in Sept 2023, less than 6 months from now!
If you need to upgrade systems to v3 (or away from OpenSSL - always an option if you feel like it) then best crank that handle and get it done!

#OpenSSL #TLS #infoSec #webDev #webDevelopment

Neil Craig
5 months ago

Having a first look at Fastly's "Certainly" Certificate Authority today. Might save someone a job: You can choose from 2 trust chains, Fastly's own whose root is very modern (2021) but offers ECDSA all the way (or RSA) or a via a GoDaddy cross-signed inter & chain whose root is 2009 but whose root cert is RSA (prob doesn't matter). Confusingly, AWS now hosts the GoDaddy root (did they buy GoDaddy?).

#TLS #CA #CDN #infoSec #webDev

GoDaddy root:

Aral Balkan
5 months ago

Right, well, first the good news: It doesn’t look like anything has changed in how Chrom(ium) handles certificates installed in the system trust store.

Now the bad news: I have no idea why the certificate authority that was previously trusted on my main development machine is now showing up as untrusted. Could a Fedora Silverblue update have broken it? Will keep looking into it.


#Kitten #AutoEncryptLocalhost #SmallWeb #Chrome #Chromium #tls #web #dev

Aral Balkan
5 months ago

Great, it looks like whatever they changed in Chrome no longer trusts Kitten’s¹ local certificate authority (installed and trusted by the system trust store, as you’d do in a *spit* enterprise).

Applies to previously trusted and working certificates too.

(The directly related module is Auto Encrypt Localhost²)

Going to look into it today and see if I can’t find a workaround.



#web #tls #Chrome #Kitten #AutoEncryptLocalhost #SmallWeb

Let's Encrypt
6 months ago

Hey there -- we're Let's Encrypt, the free and open certificate authority serving over 300 million websites worldwide. We're new to Mastodon and are excited to get to know the infosec community in this new space!

#opensource #TLS #PKI #infosec

heise online
6 months ago


Google möchte Laufzeiten für TLS-Zertifikate verkürzen

Zertifikate für Web-Server sollen statt wie bisher ein Jahr nur noch maximal 90 Tage gültig sein, fordert Google – das hätte heftige Konsequenzen.

#Browser #TLS #Zertifikate

Is there no-one on the Chromium team who knows about #OCSP stapling? Or does Google not like having to keep OCSP responses for stapling in their servers?

They say they want to reduce #TLS certificate lifetimes because there's no good revocation mechanism, and all the problems they mention could be solved by strictly requiring stapling with the TLS feature extension in certificates (using RFC 7633). Stapling doesn't place a huge burden on CAs (because only the server using a certificate has to update its cached response now and then), it doesn't expose client behavior to CAs (because clients only need to talk to servers they want to talk to), and if stapling is required by the certificate it fails closed in case of revocation as soon as the last positive response expires (currently CAs usually issue responses with a lifetime of about a week, but that could be reduced easily).

Shorter certificate lifetimes aren't necessarily a bad thing, but the reasoning doesn't make sense.

7 months ago

We've added much more detailed information on cellular-based A-GNSS (Assisted Global Navigation Satellite System) to our FAQ:

It explains the difference between control plane vs. user plane A-GNSS, differences between the devices and what we improve.

#grapheneos #privacy #security #geolocation #gnss #agnss #supl #qualcomm #snapdragon #broadcom #tls

Aral Balkan
8 months ago

Just released Auto Encrypt Localhost¹ version 8.3.2 & @small-tech/https² version 5.1.1.

These releases fix an issue where the local Certificate Authority (CA) wasn’t being added to Node’s trust store on every run.

¹ Automatically creates locally-trusted TLS certs in 100% JavaScript (does not require certutil; has CLI).

² @small-tech/https is a batteries-included version of the #NodeJS #https module (auto Let’s Encrypt + local #TLS certs).


Aral Balkan
8 months ago

Just released syswide-cas version 6.0.1:

syswide-cas enables node to use system-wide Certificate Authorities (CAs) in conjunction with the bundled root CAs.

Note that the package this is a fork of ( is by a defunct startup, 404s on its source link, and is no longer maintained. I’ll be maintaining this fork for the foreseeable future.

The repository has also just moved to @Codeberg:

#nodeJS #TLS #certificates #dev

Neil Craig
8 months ago

I'm a bit surprised there's no BigQuery public dataset for Certificate Transparency Logs.
#bigquery #ctlogs #tls #security #googlecloud

8 months ago

@lofh @foone Ugh. Well I guess that's just how we have to make certs now.

I'd love to know the rationale behind requiring the same information in the SAN that's in the CN field. AFAIK it's not signed or protected any differently. It seems more like a bureaucratic requirement than a technology one.
#TLS #Security #Encryption #Google

Aral Balkan
8 months ago

Just released version 5.0.0 of @small-tech/https: A batteries-included version of the standard Node.js https module.

Replace https with @small-tech/https to get:

- Automatically-provisioned trusted local development TLS certificates.
- Automatically-provisioned Let’s Encrypt TLS certificates.
- Automatic HTTP to HTTPS forwarding.

Version 5 includes this week’s new Auto Encrypt Localhost version 8 and is 100% JavaScript.

#SmallWeb #SmallTech #https #SSL #TLS #NodeJS

Aral Balkan
8 months ago

Just released version 8.2.0 of Auto-Encrypt Localhost

All status changes are now communicated via events instead of console messages.

Think I’m pretty much done with v8 now.

Next: update https ( to use it and then update Kitten ( to use the updated https. (Which should make Kitten cross-platform, including on ARM.)

#SmallWeb #SmallTech #AutoEncryptLocalhost #cli #TLS #SSL #https #localhost #NodeJS #web #dev

Aral Balkan
8 months ago

Auto-Encrypt Localhost version 8.1.0 released

Now with 100% more Command-Line Interface (CLI).

To create your local development certificates using the CLI:

npm install --global @small-tech/auto-encrypt-localhost

That’s it!

Enjoy :awesome:

#SmallWeb #SmallTech #AutoEncryptLocalhost #cli #TLS #SSL #https #localhost #NodeJS #web #dev

Aral Balkan
8 months ago

Auto-Encrypt Localhost v.8 released (complete rewrite)

There’s now a 100% JavaScript (no native dependencies) Node.js tool for creating locally-trusted development certificates on Linux, macOS, and Windows.

Heck, it’ll even create your https server for you, if you like, and serve the CA certificate at <your ip>/.ca and even forward HTTP traffic to HTTPS.

(I’m going to whip up a separate command-line client next.)


#SmallWeb #SmallTech #TLS #NodeJS #web #dev