#soylent | Logs for 2025-12-04
[01:00:12] -!- bender has quit [Remote host closed the connection]
[01:00:21] -!- bender [bender!bot@Soylent/Bot/Bender] has joined #soylent
[01:01:25] -!- Loggie [Loggie!Loggie@Soylent/BotArmy] has joined #soylent
[03:12:21] <kolie2> I went to the DC
[03:12:46] <kolie2> The RAID controller sees the SSD as "unconfigured good"
[03:32:15] <chromas> did it have a power burp and disconnect the SSD for a bit so it decided it was uninitialized?
[03:41:40] <kolie2> idk tbh.
[05:02:25] <kolie2> Drive isn't reporting any errors and imported fine.
[10:05:46] <AlwaysNever> pain coming our way is tsunami format: https://cybersecuritynews.com
[10:05:48] <systemd> ^ Let’s Encrypt to Reduce Certificate Validity from 90 Days to 45 Days
[10:05:49] <AlwaysNever> =sub https://cybersecuritynews.com
[10:05:50] <systemd> ✓ Sub-ccess! "Let’s Encrypt to Reduce Certificate Validity From 90 Days to 45 Days" (15p) -> https://soylentnews.org
[10:07:22] <AlwaysNever> the problem with SSDs is they don't make clicking noises of death
[10:29:42] <chromas> why even 45 days? How about just every time someone hits up your page they also ping the CA directly to make sure you're legit
[10:50:07] <ted-ious> That way the ca can shut down your website immediately if you publish something that's not approved.
[11:37:56] <AlwaysNever> the CA business is a global scam
[11:38:48] <janrinok> already queued for release this weekend.
[12:28:28] -!- c0lo [c0lo!~c0lo@124.190.hn.tt] has joined #soylent
[12:33:03] <c0lo> =sub https://www.dw.com https://www.popularmechanics.com +https://en.wikipedia.org/wiki/Wendelstein_7-X
[12:33:09] <systemd> ✓ Sub-ccess! "Germany Bets Billions on Nuclear Fusion for Energy Future – DW – 10/29/2025" (121p) -> https://soylentnews.org
[13:03:35] -!- c0lo has quit [Quit: Client closed]
[13:14:23] <Ingar> buy uranium stock TODAY
[13:50:17] <fab23> ted-ious: that was the case with OCSP checking (but some man-in-the-middle could prevent that anya), but Let's Encrypt has turned it off now and only supports CRL
[13:51:07] <fab23> ted-ious: the thing with OCSP was that the browser leaked to the CA which website you are visiting, could be prevented with OCSP Stapling on the Server, but not many did.
[13:52:17] <fab23> s/anya/anyway/ .oO( something swallowed some letters )
[14:48:04] <kolie2> the CAs already get pinged every time for CRL/OCSP.
[14:49:24] <kolie2> it's a lot of back and forth so yea I guess LE doesn't want all the traffic
[14:50:35] <kolie2> fab23, I think both leak to the CA what you are visiting, OCSP itself was unencrypted.
[14:58:27] <fab23> kolie2: yes, but for CRL the CA does not know which site you are visiting, you are asking just for the list of all revoked certificates
[14:59:09] <fab23> kolie2: OCSP (and CRL as well) cannot be served over HTTPS because you would have the chicken and egg problem
[15:00:14] <fab23> OCSP is a signed answer, and as well the CRL is.
[16:04:39] <chromas> Generate cert; place public key into DNS record; all problems solved for good, forever, no exceptions
[16:33:23] <AlwaysNever> chromas: that solution would destroy the CA racket
[16:33:40] <AlwaysNever> there is money to be made, and IT WILL be made
[16:34:39] <AlwaysNever> also, the CA business allows for CIA/China/KGB to impersonate websites via "ductile" CAs
[17:28:07] <fab23> chromas: TLSA DNS entry, standards would exist, but not sure if clients (browsers, curl, wget, aria, axel and friends) are supporting it.
[17:28:48] <chromas> No reason they couldn't though
[17:29:29] <fab23> TLSA does imply that the DNS zone is DNSSEC signed, I think
[18:55:06] <kolie2> Short notice on this one so my bad, doing switch replacement 12/06/2025 from 0800 UTC to 1400 UTC. I'd expect connectivity to likely be affected for 2-3 hrs.
[18:55:49] <kolie2> fab23, yea crl is the revocation list from them. fun stuff.
[18:56:02] <kolie2> operated some larger CAs for some time, don't miss it.
[18:59:23] <kolie2> I wonder if browsers will ever accept TLSA+Self-signed certs as valid.
[18:59:48] <kolie2> LE basically follows the same path, accept dns control as authorized for cert
[19:00:07] <kolie2> TLSA becomes essentially the "dns control" and the cert matching on the web server ties the two together.
[19:00:18] <kolie2> Slight modifications needed but that's the idea.
[19:00:33] <kolie2> I guess it depends on your dns setup and stuff.
[19:02:47] <kolie2> DNSSEC+DANE is inherently secure off the top of my head, so assuming TLSA is good, then yea, a TLSA-approved self-signed cert should be just as good as anything else. It does tie the domain / dns. The CA independently says this cert is valid from this entity, but it seems like LE has the same approval criteria for issue as this would basically assert.
[21:45:04] -!- Deucalion has quit [Ping timeout: 272 seconds]
[21:45:30] -!- Deucalion [Deucalion!~Fluff@Soylent/Staff/IRC/juggs] has joined #soylent
[21:45:30] -!- mode/#soylent [+v Deucalion] by Imogen
[22:34:41] <chromas> Yep. No legitimate reason for browsers to not support it but they're too busy integrating LLMs and shutting down services people like
[23:22:54] <kolie2> I mean I thought about it a little more.
[23:23:03] <kolie2> You are trading one cabal for the other.
[23:23:25] <kolie2> The CA/Browser Forum ( DigiCert, LE, etc. ) is where we have a bit of trust currently in the current model.
[23:23:40] <kolie2> If a CA were to go rogue, then we can just distrust that CA ( the root ).
[23:23:52] <kolie2> With DANE we'd be shifting that to the DNS Reg / Gov.
[23:23:56] <kolie2> site.cn is run by the chiens.
[23:24:04] <kolie2> site.com, verisign/usgovt.
[23:24:34] <kolie2> I'm guessing the browser duders think it's easier to audit and punish the CAs than it is sovereign nations or tld registries.
[23:28:09] <kolie2> Looking at the specs too, it looks like, perhaps naively but it would be there somewhat, is all the lookups to do a cold DANE verification.
[23:29:04] <kolie2> root key, .com key, website key lookup on the chain, and the keys/sigs ( dnskey, ds, rrsig ).
[23:33:13] <chromas> But if DNS goes rogue then the certs won't work anyhow
[23:33:40] <chromas> You'll have to use an IP or something and the browser will cry about name mismatches
[23:33:54] <kolie2> DOS vs Malicious interference.
[23:37:24] <chromas> Isn't one a subset of the other?
[23:38:59] <chromas> Plus you could still have CAs, but we need something less retarded than generating a new cert every three hours just because browsers are self-signed-certophobic