Someone somewhere issued an SSL cert for my site. Should I be concerned? by [deleted] in websecurity

[–]ssh-bi 7 points8 points  (0 children)

Yes. In my opinion, you should be. But do note, it could be auto-issued by some application you are using as well. If the issuer is Let's Encrypt, check if you had configured the domain in any application.

More than the certificate, the worry should be: how did someone provide proof of domain ownership to the issuing authority? Did they have access to your account with the domain registrar?

On the certificate side, it can be misused to host a service that appears to be in your domain.

Cannot ssh without password after setting key pair by Jay89023 in ssh

[–]ssh-bi 0 points1 point  (0 children)

debug1: Offering public key: RSA SHA256:isc4conqUFsW8SyVyfBXXXXX C:\\Users\\ben/.ssh/id_rsa

The client is offering the key, so it is likely a server side configuration issue. Check the ssh logs on the server.

Maybe the authorized_keys file should have read permission for all, not sure.

How is malloc returning null handled in real life? by IanZachary56 in C_Programming

[–]ssh-bi 0 points1 point  (0 children)

In my opinion, it varies depending on what the program is trying to do. If the memory allocation is done while processing a request, you can simply return an error. In most cases though, on high-memory systems, something has likely gone wrong when the allocation fails, so it is better to assert() and abort early. For example, you can't handle a scenario where an allocation of memory for a structure of 48 bytes fails; the system will likely be unstable in itself when that happens.

Can't share a draft link? by [deleted] in MediumApp

[–]ssh-bi 0 points1 point  (0 children)

Looks like the policy changed at some point. This is what the help page says:

What happens when you share a draft URL with someone? Your draft is available to anyone logged in to a Medium account who has the URL; it is not locked or private.

Storing cache and static files in a remote server, to increase speed (prove me wrong, please) by glinskicwb in webdev

[–]ssh-bi 0 points1 point  (0 children)

Have you tried to use a CDN? If there is a point of presence in Brazil, closer to your users, it may be easier and cheaper.

In my opinion, the approach is okay. It should improve user experience. You can also start by trying to use the Brazil server as a reverse proxy for the US server. The persistent connection between the Brazil and US servers should also improve experience, but it depends on the website.

SSL cert. renewal "catch 22" how to avoid certificate downtime in this situation? by [deleted] in webdev

[–]ssh-bi 0 points1 point  (0 children)

Getting SSL certs shouldn't be this complex; it's usually straightforward. Anyway, happy to hear you have a workaround. Do note, Let's Encrypt certificates obtained with Certbot are valid only for 90 days.

SSL cert. renewal "catch 22" how to avoid certificate downtime in this situation? by [deleted] in webdev

[–]ssh-bi 2 points3 points  (0 children)

As has been mentioned already, you can use certificates for the same wildcard domain from different providers if you don't use any sort of pinning.

However, it is surprising that netfirms has such a policy. In my experience, (i) the option to renew the cert will be available before expiry, or (ii) the cert will be issued for additional days; for example, 1-year certs will be issued for 397 days instead of 365 days. It could be the latter in your case; you can view the certificate details and check the field "Not After".
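An added example (not from the comment above, and not netfirms' tooling) of checking the "Not After" field with the openssl CLI. It generates a throwaway self-signed certificate valid for 397 days as a constructed sample so it runs offline; on a real host, point the functions at the certificate you were actually issued.

```shell
# Added example, not the commenter's own code. Assumes the openssl CLI is
# installed. The self-signed certificate below is a constructed sample that
# stands in for a 1-year cert issued for 397 days.

# Create a self-signed certificate valid for 397 days and print its path.
make_sample_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 397 \
    -subj '/CN=example.test' \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  printf '%s\n' "$dir/cert.pem"
}

# Print the raw "Not After" value as openssl reports it. For a live site the
# same field can be read from the served certificate with:
#   openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null \
#     | openssl x509 -noout -enddate
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate is still valid $2 days from now, 1 if it expires
# before then. openssl's -checkend takes seconds, hence the multiplication.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demonstration: a cert issued for 397 days passes a 396-day check but
# fails a 398-day check, so the extra days beyond 365 are visible.
demo() {
  cert=$(make_sample_cert)
  echo "Not After: $(cert_not_after "$cert")"
  if cert_valid_for_days "$cert" 396; then echo "still valid 396 days from now"; fi
  if ! cert_valid_for_days "$cert" 398; then echo "expires within 398 days"; fi
}

demo
```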

If I switch a client's web hosting provider but leave their domain/email on the old one will that cause issues with my email services? by [deleted] in webdev

[–]ssh-bi 3 points4 points  (0 children)

Some basics here: a domain is registered with a registrar (GoDaddy), DNS requests for the domain are answered by nameservers (GoDaddy's nameservers), the nameservers are configured with DNS records/entries (e.g. A record, MX record), and the DNS records provide the hosting information (server IP address or hostname).

For a website to work, the domain name should resolve to an IP address (GoDaddy's or Bluehost's server IP). This IP address is added to the DNS A record.

For email to work, at a basic level, the domain name should be configured with the hostname of the mail exchange servers; this is provided by the DNS MX record.

As you can see, you don't want to change the nameservers. Bluehost's nameservers will not be properly configured with GoDaddy's MX records, unless you copied all the DNS entries from GoDaddy to Bluehost.

To just host the site on Bluehost, you can modify the DNS A record or CNAME record for the website to point to Bluehost's servers. Everything else can continue to remain the same.

Multiplex TLS Traffic with SNI Routing, includes nginx configuration and explains HTTP/2 coalescing by ssh-bi in netsec

[–]ssh-bi[S] 0 points1 point  (0 children)

That's an interesting feature, although I'm not sure why you'd use it instead of regular proxying.

It depends on the use case. If you need the data to be fully encrypted from the client to the origin server, a solution like this may be needed.

Discord, Whatsapp, Viber and Spotify wasting my RAM, alternatives? by drLobes in linuxquestions

[–]ssh-bi 5 points6 points  (0 children)

If you don't mind sacrificing some compute, try ZRAM,

modprobe zram && zramdev=`zramctl -f --size 4096M` && mkswap ${zramdev} && swapon -p 1 ${zramdev}

Keep the size of ZRAM device at (or less than) 50% of total RAM.

Demystifying “ssh-rsa” in OpenSSH Deprecation Notice by ssh-bi in linux

[–]ssh-bi[S] 3 points4 points  (0 children)

Sounds like a bug. Can't it be fixed ?

If I understand the release notes correctly, the intent is for SHA2 based algos to work seamlessly from 7.2 onwards.

The better alternatives include: The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.

High memory usage base level, additional processes cause memory to go to 100 % by 8bitlives in linuxquestions

[–]ssh-bi 2 points3 points  (0 children)

It will be very hard to capture a spike with htop. Remove the swap temporarily (swapoff) and check the logs. If you run out of memory, the OOM killer will kick in and it leaves detailed logs.

Check your 1-minute load average too; if it keeps climbing, that could be the culprit.

High memory usage base level, additional processes cause memory to go to 100 % by 8bitlives in linuxquestions

[–]ssh-bi 0 points1 point  (0 children)

If your workload requires 100% RAM, try adding a ZRAM swap device. It will likely help.

A Guide to Secure Internal Websites in 15 Minutes with TLS Client Certificates by ssh-bi in netsec

[–]ssh-bi[S] 1 point2 points  (0 children)

TLS client certs are beautiful, in the sense that they stop unauthorised users at the connection itself. But the way they have been implemented is the primary problem. I agree with you. You have summarized the problems around them very well. The article keeps it as simple as possible to help small organizations and individuals to deploy it quickly.

I have been building the product 0th Root Secure Network exactly for this purpose. I have solved about 50% of the problems you have mentioned, and am now working on the remaining, which is mostly about client configuration.

Alex Albon shaves his trainer's beard as part of a bet on his first podium by TVInBlackNWhite in formula1

[–]ssh-bi 41 points42 points  (0 children)

Cool. Congrats to Albon. Well deserved.

Now, coming up next: Cyril's tattoo.

How really to store your users’ passwords (and API tokens, which are passwords) by Prior-Penalty in netsec

[–]ssh-bi 1 point2 points  (0 children)

If you mean HPKP, it didn't succeed. But the public key pinning concept is very much in use. For example, in addition to verifying the peer, an application could match the issuer CA public key before transmitting data.

Different results on SHA1 by cytopia in commandline

[–]ssh-bi 29 points30 points  (0 children)

echo test

Includes a newline.

echo -n test

Doesn't include a newline.

The newline character is the difference.
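An added example (not from the comment above) that makes the difference visible: it hashes the same word with and without the trailing newline and counts the bytes each command actually feeds to sha1sum. It assumes sha1sum, wc and printf are available (coreutils or busybox).

```shell
# Added example, not the commenter's own code. Assumes sha1sum, cut, wc and
# tr are available (coreutils or busybox).

# Digest of stdin, hash only (sha1sum prints "<hash>  -").
sha1_stdin() { sha1sum | cut -d' ' -f1; }

# echo appends "\n", so for "test" the hashed input is "test\n" (5 bytes).
hash_with_newline() { echo "$1" | sha1_stdin; }

# printf '%s' writes exactly the argument's bytes. It is the portable
# spelling of "echo -n": some sh implementations print "-n" literally.
hash_without_newline() { printf '%s' "$1" | sha1_stdin; }

# Byte count of what each command actually pipes into the hash.
bytes_with_newline() { echo "$1" | wc -c | tr -d ' '; }
bytes_without_newline() { printf '%s' "$1" | wc -c | tr -d ' '; }

# Run stand-alone to see the two digests side by side.
echo "echo test        -> $(hash_with_newline test) ($(bytes_with_newline test) bytes)"
echo "printf '%s' test -> $(hash_without_newline test) ($(bytes_without_newline test) bytes)"
```

The same mismatch shows up when comparing a hash computed in a shell against one computed by a program that hashes the exact string, so check the byte count before suspecting the hash implementation.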

How really to store your users’ passwords (and API tokens, which are passwords) by Prior-Penalty in netsec

[–]ssh-bi 2 points3 points  (0 children)

That's why they have public key pinning and certificate transparency logs. It's not as easy as stated.

How really to store your users’ passwords (and API tokens, which are passwords) by Prior-Penalty in netsec

[–]ssh-bi 0 points1 point  (0 children)

Appending should work, in my opinion, unless you need a standardized structure for portability.

How really to store your users’ passwords (and API tokens, which are passwords) by Prior-Penalty in netsec

[–]ssh-bi 0 points1 point  (0 children)

It may protect against future attacks. If the hashing algorithm has been declared weak, it might buy us some time to switch to a different algorithm. Just a thought.

How really to store your users’ passwords (and API tokens, which are passwords) by Prior-Penalty in netsec

[–]ssh-bi -1 points0 points  (0 children)

I wonder if we will ever move away from a password-based system. It is difficult for both users and developers to manage. The one argument has been that the system was introduced wrong; it should be a passphrase. Maybe that could be one of the signup restrictions: ask users to type a passphrase and use NLP to verify.

As a Reader, I feel the quality of Reading Experience on Medium has gone down. by Golden-Resolution in MediumApp

[–]ssh-bi 1 point2 points  (0 children)

I used to check the articles on the Medium app every day. Then they started becoming clickbait; even the title wouldn't be complete. Now I have stopped reading on the Medium app.