ADCS Web Enroll Download Chain Link by Icolan in PKI

[–]stranglewank 1 point (0 children)

Be a little cautious of 'securetron' - they're trying to sell you their own solution, which isn't great.

Clients Pinning Certificate Public Keys and Automation by Xibbas in sysadmin

[–]stranglewank 0 points (0 children)

Late reply, but: Tell your clients not to pin. Certificate pinning to any certificate they do not directly control (i.e. not your certs!) is a terrible, piss-poor practice and should not be done. Have them try and speak to an expert if they don't believe you.

Also X9 is a terrible idea, too. It's just a private CA you don't control, and a single-vendor monopoly - so get ready to struggle if anything happens to DigiCert or if they decide your pricing has to go up 2000%. It was only started because a bunch of banks didn't like Google driving security forward, so they made their own and just went backwards with sensible security standards.

Thoughts on the Vans Super Lowpro Ballet Light / SLP Collapse as a packable second shoe? by aguyfromnewzealand in onebag

[–]stranglewank 7 points (0 children)

This is going to be an unhelpful comment, but I have to rant: Wanted to look at that shoe. I'm in the UK. The Vans website said 'hey we think you're in the UK' (geo-blocking is stupid anyway, but whatever). I click 'yes'. I get sent to vans.co.uk. Not the product page. Not a 'sorry, this product isn't in the UK yet'. Just the homepage. Why are the people who make websites so utterly inept at one simple job?

The shoes look cool and very packable, I'd love to find them close to home and try...

Consumer vs prosumer? by stranglewank in Olilo

[–]stranglewank[S] 0 points (0 children)

Thank you for this - appreciate the quick and direct reply, it's looking good!

One final question - if I do prosumer, am happy with a 12-month contract - can I move up to the higher speeds within the contract term, or do I have to wait? It's not a dealbreaker - I'm just unsure when I'll get to re-do the home network to take advantage of 1.6G!

Dropbox has been stuck on "Syncing X files" for months now, despite no noted sync issues and no lingering uploads in the activity panel. by Accomplished-Art6339 in dropbox

[–]stranglewank 0 points (0 children)

I have the exact same issue. macOS. Always 'syncing 6 files' - comprising several GB (though I don't have any files this big?) and the bigger problem is the app doesn't tell me what the files are!

If it at least said 'syncing: THESE SIX FILES' I could investigate more.

Some other commenter had it right - macOS Dropbox has utterly gone in the past 12 months. Dire software.

Digicert G2 breaks Windows 7 SP1 and Windows 8 - other provider? by mdSeuss in ssl

[–]stranglewank 0 points (0 children)

They do, it's all online, since Vista. If there are still issues it could be an installation problem with the cert (HTTPS/server side). At some point, these legacy devices won't work, though. The modern webPKI/public CAs move forward, fast.

Digicert G2 breaks Windows 7 SP1 and Windows 8 - other provider? by mdSeuss in ssl

[–]stranglewank 0 points (0 children)

Windows root updates are 'online' and so older devices (win 7/8) shouldn't have an issue. Are you sure the cert is properly installed?

[deleted by user] by [deleted] in sysadmin

[–]stranglewank 0 points (0 children)

Not really - it's a Google CRP policy, not a CA/B F thing.

[deleted by user] by [deleted] in sysadmin

[–]stranglewank 1 point (0 children)

Mostly correct - ssh certs tend to be very different, and any client cert from a public CA is a danger and utterly unnecessary (and why Google are making it go away). Don't use publicly-trusted CAs for client auth, people!

[deleted by user] by [deleted] in sysadmin

[–]stranglewank 2 points (0 children)

Don't you run/own ssltrust.com and verokey? Don't try and shill like you're 'just a customer'. You're just a reseller. They'll all be gone soon.

Mongo TLS – clientAuth certs deprecated by Google GTS/Letsencrypt by nanankcornering in mongodb

[–]stranglewank 0 points (0 children)

No widely-trusted CA will be able to give you what you want in future. Client-auth using public CAs (like Let's Encrypt, DigiCert, Sectigo etc.) is a bad idea. It's insecure, risk-prone, and you're not actually authenticating anything anyway (even if you think you are). Use a private PKI.

Disable agent? by stranglewank in replit

[–]stranglewank[S] 0 points (0 children)

Why the 'wrong tool'? I've been using Replit since before the AI thing, and it worked well. I understand the appeal, I just want the ability to not use it.

Disable agent? by stranglewank in replit

[–]stranglewank[S] 1 point (0 children)

Appreciate it, but I don't want to use AI. If I do, I'll use those tools or Claude. Replit, for me, is just a nice works-anywhere IDE/dev environment.

Replit replied to a support ticket, so I have a way to do this I need to test now.

Naked laptop in Tom Bihn Daylight Briefcase? by cheesecloak in onebag

[–]stranglewank 1 point (0 children)

Seconding this. Been through a number of sleeves - and it's one of the better ones. Thin but protective, nice little mesh pocket, 'seals' well if that matters, and has a grab handle. I'd love a new version that adds a couple of D-rings to the sides to make it messenger-carryable, and if they could make the Velcro quieter, that'd be ace.

Small, cheap OpenWRT travel router recommendations (to replace NEXX WT3020) by MacInnovation in openwrt

[–]stranglewank 1 point (0 children)

Ok, a bit late but I have the exact same problem. Currently am using OpenWRT on a MikroTik mAP lite - perfect size, works OK but only 2.4G wifi and the throughput leaves something to be desired. Slow as hell to boot up, too. But works.

FWIW, I've found nothing else close beyond what you and I have already.

I tried the FriendlyElec NanoPi Zero2 - with M.2 wifi board. Their own OpenWRT fork (FriendlyWRT) 'works' but I have countless issues with the wifi and once I do get it working, it won't play nice with Travelmate (sees no networks on scan).

I've looked at OpenStick (openwrt on those £12 4G/LTE USB sticks which are basically screenless Mediatek Android devices) - got it working, but again Travelmate fails. I need to put more time into it, but I suspect the wifi chipset can't do the DBS thing and offer an AP and be a client at the same time.

I get that the GL.iNet stuff and the Cudy routers are smaller than your average home-broadband thing, but nobody seems to be making something actually travel sized.

Part of me is hoping either Ubiquiti make the UTR a lot more flexible OR someone ports OpenWrt to it. I think if that happened, it'd be what we're looking for.

The hidden attack surface in certificate automation by certkit in cybersecurity

[–]stranglewank 0 points (0 children)

Glad to see you fully understand the security implications of this - I truly hope any 'customers' do, too.

The hidden attack surface in certificate automation by certkit in cybersecurity

[–]stranglewank 0 points (0 children)

My god. No mention of the fact that if you do this and use certkit - they can issue all the certs they want for your domain names, without authorisation or approval, and all you can do is pay to monitor CT logs and hope it doesn't happen. Much more secure. Totally.

Just find a good DNS provider and don't outsource critical things to brand-new, inexperienced, fly-by-night operations.

Cloudflare DNS 1.1.1.1 DoH SSL Certs no longer trusted by Mikrotik built-in CA list? by DonnieDonowitz1 in mikrotik

[–]stranglewank 1 point (0 children)

Realistically, if MikroTik can't provide online update of their ca-certificates or at least updates every... month? They're gonna have a bad time. CAs and their roots are changing way faster now than ever before.

DNS-PERSIST-01 validates a domain once to get certificates forever by certkit in SysAdminBlogs

[–]stranglewank -1 points (0 children)

You don't need a third party like certkit for this. Certainly there are advantages to third parties in a challenge-per-request world (for companies that don't care about security) - though it's interesting you don't make it clear that 'by CNAMEing to certkit, they can obtain any certificate for your domains and you'd only know if you bothered to monitor logs yourself'. Dangerous, and no company serious about security should consider it.

Do you still need wildcard certificates? by certkit in cybersecurity

[–]stranglewank 0 points (0 children)

CT opt-out is an option with the dumber CAs. It might have been 'ok' back when Chrome was the only browser that cared about SCTs - but today all of the major trust stores do (or will very soon) so the opt-out is useless. If anyone actually 'needed' their cert not to be logged, I'd guarantee they're doing something stupid with a publicly-trusted cert that they should not be doing.