#soylent | Logs for 2025-04-16

[00:34:50] <c0lo> https://www.sciencenews.org
[00:34:53] <systemd> ^ Some tropical trees act as lightning rods to fend off rivals
[00:35:32] <c0lo> =sub https://www.sciencenews.org +https://nph.onlinelibrary.wiley.com/doi/epdf/10.1111/nph.70062
[00:35:34] <systemd> ✓ Sub-ccess! "Some Tropical Trees Act as Lightning Rods to Fend Off Rivals" (12p) -> https://soylentnews.org
[09:05:03] -!- drussell [drussell!~drussell@a4627691kd3g1a0z4.wk.shawcable.net] has joined #soylent
[09:08:03] -!- lld has quit [Quit: Lost terminal]
[09:36:28] -!- lld [lld!~lld@llvm.link.editor] has joined #soylent
[11:10:32] <chromas> =yt community hah gay
[11:10:32] <systemd> https://youtube.com - Full Length Of Ha GAY!!! (17; 13,170,813 views; 👍87,477)
[12:34:11] -!- jman has quit [Quit: WeeChat 4.6.0]
[15:40:26] <c0lo> https://www.youtube.com
[15:40:28] <systemd> ^ What’s the Gаy Fanfiction Problem!?
[15:54:30] -!- lld has quit [Quit: leaving]
[16:05:42] -!- lld [lld!~lld@llvm.link.editor] has joined #soylent
[17:39:10] -!- AlwaysNever [AlwaysNever!~donaldo@093.02.7.595.dynamic.jazztel.es] has joined #soylent
[17:39:16] <AlwaysNever> hi there!
[17:39:34] <AlwaysNever> I wanted to share this story: https://www.bleepingcomputer.com
[17:39:34] <systemd> ^ SSL/TLS certificate lifespans reduced to 47 days by 2029
[17:39:51] <AlwaysNever> SSL certificates to have a lifespan of 47 by 2029
[17:39:59] <AlwaysNever> pure distilled pain
[17:40:46] <kolie2> The CA/Browser gods unanimously voted for it.
[17:41:33] <kolie2> I imagine there will be longer validation CA's out there still.
[17:42:38] <kolie2> Certificate Issuers
[17:42:38] <kolie2> 30 votes in total:
[17:42:38] <kolie2>  * 25 voting YES: Amazon, Asseco Data Systems SA (Certum), Buypass AS, Certigna (DHIMYOTIS), Certinomis, DigiCert, Disig, D-TRUST, eMudhra, Fastly, GlobalSign, GoDaddy, HARICA, iTrusChina, Izenpe, NAVER Cloud Trust Services, OISTE Foundation, Sectigo, SHECA, SSL.com, SwissSign, Telia Company, TrustAsia, VikingCloud, Visa
[17:42:38] <kolie2>  * 0 voting NO:
[17:42:38] <kolie2>  * 5 ABSTAIN: Entrust, IdenTrust, Japan Registry Services, SECOM Trust Systems, TWCA
[17:42:40] <kolie2> Certificate Consumers
[17:42:42] <kolie2> 4 votes in total:
[17:42:44] <kolie2>  * 4 voting YES: Apple, Google, Microsoft, Mozilla
[17:42:46] <kolie2>  * 0 voting NO:
[17:42:48] <kolie2>  * 0 ABSTAIN:
[17:47:00] <AlwaysNever> Ahead to Hell by unanimous vote we go!
[17:48:05] <AlwaysNever> Now imagine if Let's Encrypt finally gets defunded by Trump...
[17:49:18] <AlwaysNever> they want to sell "automated SSL renovation" as an add-on, paywalled, extra service
[18:11:41] <chromas> LE gets money from elsewhere beside the government and also there are other free cert providers
[18:13:55] <chromas> Still, we should move to having cert keys hosted by dns. CAs are a scam
[18:28:39] <fab23> that would be DANE / TLSA
[18:30:08] <fab23> had it in my zones as long as I had commercial certificates; when I switched to LE many years ago, I removed it, because you need to have an overlap, so it does make the requesting and deploying of certificates more complicated.
[18:31:09] <chromas> Just automate it :D
[18:32:29] <fab23> chromas: the thing is you need to request a new cert, then create the DNS entries, wait until the TTL is over until you can deploy the new certificates. But with multiple services / hostnames in DNS using the cert, it is not easy to update DNS automagically
[18:33:21] <fab23> So far I have not checked which clients now already are supporting it, back then it was like none.
[18:33:23] <chromas> If you're generating them yourself, you don't have to make the certs only last 25 days or whatever. Make it last a year or two
[18:33:42] <chromas> Probably still none, which is a problem
[18:33:55] <fab23> but that depends on the most-used clients supporting it, which is so far not yet the case :(
[18:35:47] <chromas> There's no reason for that. All mail servers of any importance support DKIM and whatnot. No reason the only two browsers there are can't support the web version of it
[18:36:47] <fab23> Everyone can donate to LE, I do: https://letsencrypt.org
[18:36:47] <systemd> ^ Donate
[18:38:19] <ted-ious> Does all this just mean giving even more trust to letsencrypt or whatever replaces it?
[18:38:57] <chromas> In a couple years they'll have us renewing certs every three hours
[18:39:11] <fab23> 🙀
[18:39:11] <ted-ious> I thought dnssec was supposed to fix everything but all it ended up doing was letting icann take power from the ca's and keep it for itself right?
[18:39:32] <chromas> dnssec isn't related as far as I know
[18:39:53] <fab23> it is needed for DANE / TLSA
[18:40:04] <chromas> true
[18:40:05] <chromas> anyhow there are other free CAs like zerossl
[18:41:52] <chromas> this is all Open Source™'s fault
[18:42:18] <fab23> you may even be able to do ACME with other CAs for money.
[18:42:40] <chromas> as far as I've seen, the ones that support acme give those certs out for free
[18:43:00] <chromas> though you can also still buy regular longer-lasting certs for free
[18:43:05] <chromas> for money
[18:43:07] <chromas> derp
[18:43:18] <fab23> I am happy to donate to LE, they allowed me to have SSL for more than just the two domains (wildcard) I had to buy in the past.
[18:45:01] <ted-ious> I don't like that so much of the internet relies on a single source of failure that gets its funding from the american government and some ngo's that probably also get their funding from the american government.
[18:45:32] <fab23> that is why many things collect donations, do your part :)
[18:45:55] <fab23> reminds me that I should renew my SN subscription as well, just waiting for Stripe to be fixed :)
[18:46:33] <ted-ious> But donating to corrupt organizations only makes them worse.
[18:47:03] <chromas> Do we know LE specifically is corrupt?
[18:47:18] <ted-ious> You might as well give money to cloudflare in the hope that they stop annoying you with captcha's.
[18:48:16] <ted-ious> chromas: It's a huge security vulnerability in half of the internet and it's funded by our government so what do you think? :)
[18:48:35] <fab23> or Google for YouTube to maybe get rid of the ads, but I did choose to avoid YT as much as possible.
[18:49:13] <chromas> They get some amount of government money, but as fab23 mentioned, they're not 100% government-funded. People just like to pretend it is so they have yet another inject Trump into the conversation
[18:49:56] <fab23> many organisations also donate LE, see https://www.abetterinternet.org
[18:49:57] <systemd> ^ Sponsors and Donors
[18:50:33] <chromas> So the wailing and gnashing of teeth over possible G defunding is of course all for show
[18:53:04] <ted-ious> Many of those sponsors make me trust them much less.
[18:53:22] <fab23> sorry, I am not listed there :(
[18:53:53] <chromas> lol, mozilla and google both sponsors. may as well just say google twice
[18:54:45] <ted-ious> Alpha-Omega is an associated project of the OpenSSF, established in February 2022, funded by Microsoft, Google, and Amazon,
[18:54:46] <fab23> and EFF as well is based on donation itself
[18:55:22] <chromas> But damn they have a lot of sponsors. Even more makes me fine with the federal defunding of them. How many resources can it possibly take to run openssl-as-a-service?
[18:56:37] <ted-ious> Spyware is very resource intensive? :)
[18:57:23] <fab23> the scale is just insane what they run, that costs money. they regularly blog about what they are doing: https://letsencrypt.org
[18:57:24] <systemd> ^ Blog
[18:57:40] <ted-ious> I remember reading that somebody built a twitter clone that could run on one server if it didn't have to do anything but store and serve tweets.
[18:58:08] <ted-ious> All the algorithm stuff is what takes so many resources.
[18:58:37] <ted-ious> Complicated shadow banning is expensive. :)
[18:58:40] <chromas> yeah on their Projects menu they also have Prossimo and Divvi Up. Two things nobody's ever heard of. It appears they're also sponsoring a bunch of rustification projects
[18:59:43] <fab23> I have first hand experience in running a commercial CA, even the one which was small, we would never have been able to run on LE scale at all.
[18:59:45] <ted-ious> Why is https://alpha-omega.dev Copyright © 2023 The Linux Foundation®. All rights reserved.
[18:59:46] <systemd> ^ Package typosquatting detection in {Rust,Dust,Trust,Rut} – Alpha Omega
[19:00:20] <ted-ious> All these org's fund each other and hide what's really going on.
[19:00:33] <chromas> fab23: is it because you didn't have enough servers?
[19:01:05] <ted-ious> That's not an accident it's standard practice for corruption especially when it comes to certain politics.
[19:01:25] <fab23> even the small CA had a huge database and we ran into limits back at the time.
[19:01:48] <chromas> we only need muh free CAs because the only two browsers that exist decided self-signed is Big Evil™ and needs giant alarm bells
[19:02:00] <ted-ious> fab23: What was in the database that made it huge?
[19:02:12] <ted-ious> Copies of all the cert's?
[19:02:45] <fab23> ted-ious: you had to store each signed certificate, and we also had CRLs in it and served OCSP
[19:03:10] <chromas> are they like 500MB each?
[19:03:44] <ted-ious> Why couldn't certs be stored on the filesystem?
[19:03:47] <fab23> back then the DB was running on a 32-bit Linux, and so more than 4 GB for mysqld was not possible.
[19:04:57] <chromas> Maybe they got excited about TerraServer and decided to stuff everything into the db
[19:04:59] <fab23> I don't remember the numbers, but everything needs to be in a HA setup, and with separation of read / write, and of course all the access only with 4 eyes. stuff is too complicated. :)
[19:07:39] <fab23> It would be interesting to see all the technical inner workings of LE, and all their operations overhead needed to be certified as CA from the browsers.
[19:08:25] <ted-ious> Why would the browsers need to know how the data was stored?
[19:09:18] <fab23> ted-ious: not the browser per se, but the CA/B Forum makes the guidelines, which the CAs have to follow to be allowed in the Root Stores of the Browsers (and OSs).
[19:09:20] <AlwaysNever> CAs have to pass annual audits, auditors have their checklists, they want things to match their checklists
[19:09:31] <fab23> yes, that!
[19:09:57] <chromas> Does that take millions of dollars?
[19:10:28] <ted-ious> Are the people on the ca/b forum the same people who make critical security vulnerabilities in their browsers every week? :)
[19:11:19] <fab23> the CA/B Forum consists of someone from each CA, Browser and OS
[19:12:17] <fab23> some insights into running LE: https://letsencrypt.org
[19:12:18] <systemd> ^ Introducing Sunlight, a CT implementation built for scalability, ease of operation, and reduced cost
[19:13:32] <AlwaysNever> The webservers I manage, I will probably turn to plain HTTP and place a reverse proxy server before them to do the HTTPS and the ACME automation
[19:13:56] <AlwaysNever> less security, they are forcing me to do it
[19:14:05] <fab23> why?
[19:14:26] <AlwaysNever> I don't want to install and manage 50 ACME bots
[19:14:54] <fab23> AlwaysNever: It can be done differently, as I do, see https://lobste.rs
[19:14:55] <systemd> ^ Mandatory short duration TLS certificates are probably coming soon ( https://lobste.rs )
[19:15:02] <chromas> Just do one for all your certs, then have your other servers pull their certs from that one box
[19:16:14] <AlwaysNever> I check that, but I will do whatever is the easiest
[19:16:57] <fab23> AlwaysNever: in the end everything is easy to do, but yes, it takes some work :)
[19:17:22] <AlwaysNever> I don't like the idea of a NFS share being a single point of failure
[19:17:27] <fab23> and some experience in running multiple services :)
[19:17:45] <AlwaysNever> also, I don't like NFS itself
[19:17:59] <chromas> don't use nfs. there's no security. use sshfs or something
[19:17:59] <fab23> I don't have an NFS share for that, the deploy scripts copies with scp and does run remove commands through ssh to reload daemons
[19:18:14] <chromas> I forgot about scp
[19:18:19] <fab23> s/remove/remote/
[19:18:58] <fab23> I should learn git to be able to properly publish the stuff I have built.
[19:19:09] <AlwaysNever> too fragile, in my opinion, I prefer the brutalist approach of a cattle herder, instead of the minute approach of a pet indulger
[19:19:35] <chromas> Don't worry; LE's got you covered. It's time for 45-minute certs now :D
[19:19:41] <fab23> I have not touched it in a long time, it just keeps running.
[19:22:00] <AlwaysNever> Also, I need something everyone in the team can wrap his head around, not something that only I can understand
[19:22:30] <AlwaysNever> so everything to HTTP and a reverse web proxy to do the HTTPS and the ACME automation
[19:28:53] <fab23> you will see other issues with that :)
[19:29:43] <chromas> Time to modernize. learn2ansible boyeeeee
[19:30:35] <fab23> e.g. if webservers are behind a proxy on different systems, then the web application may see the request origin from the proxy instead of the real client
[19:30:54] <janrinok> AlwaysNever, look at the caddy server. It does it all automatically - even the configuration for certificates.
[19:31:23] <fab23> there are options to forward the real origin IP through the proxy, but the webserver / application does also need to support it
[19:32:08] <fab23> and then e.g. blocking clients based on the source IP gets difficult, e.g. with fail2ban and e.g. for too many failed logins in one application
[19:32:37] <fab23> the things to wrap your head around will just move to other parts of the infra. :)
[19:33:09] <fab23> janrinok: Apache can also do ACME, and could be used as a reverse proxy
[19:34:41] <fab23> but there are other reasons I am requesting wildcard certificates, which do need the DNS challenge and can not be done with the webserver / reverse proxy.
[22:57:08] -!- jje has quit [Quit: ZNC - https://znc.in]
[22:57:49] -!- jje [jje!jje@ddjffrbpjin.info] has joined #soylent
[23:27:29] <kolie2> halibut is gaming the system again
[23:28:03] -!- drussell has quit [Quit: Leaving]
[23:29:49] <halibut> I concede to being nuts. I claim, though, that I am not beating up on the bot. You might notice that MrPlow's death count is not increasing.
[23:30:36] <halibut> In fact, you might notice that I have been going out of my way to avoid killing MrPlow (although I have messed up a few times).
[23:30:43] <kolie2> lol
[23:31:58] <halibut> Turns out MrPlow temporarily dies if you fite ~200 opponents in rapid succession, so I try to either fite more slowly, or keep the number under 200.
[23:32:06] <halibut> You know ... moderation.