Security, Jabber, DNS, Visual Indent Script
Security discussion, uh oh. It was claimed that it's very important to verify the file hash when downloading files. Is it? What's the true benefit? I download the file and the hash from the same source, and then I compare them. Sure, then we've checked the hash. But does it really provide any additional value in terms of security / trust? - I think it doesn't, especially if the file format itself contains even basic integrity checking. - Often measures are in place just to look cool or secure. - But are they really secure? - No. These things get demanding quite quickly if true security is required. Yet that's just how it should be done. - Usually it isn't. - Sure, using hashes and signatures can be useful, and is, but it needs to be done correctly. - So many way too long and pointless discussions. Either it needs to be done correctly, or in reality it really doesn't matter at all.
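To make the "done correctly" part concrete, here is an added example (my own code, not from the original post) that parses a SHA256SUMS-style list, streams each file through SHA-256 and compares with a constant-time check. The listed digests only add trust when the list itself comes from a channel the download did not travel over (pinned in a script, fetched from a separate site, or covered by a signature whose key was verified out of band); the selftest() scenario with its file names and payloads is constructed here for illustration.

```python
import hashlib
import hmac
import os
import re
import sys
import tempfile
from typing import Dict

# Line format written by `sha256sum`: 64 hex digits, one space, then ' ' (text
# mode) or '*' (binary mode), then the file name.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sums(text: str) -> Dict[str, str]:
    """Parse SHA256SUMS-style text into {filename: lowercase hex digest}."""
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large download is never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str) -> bool:
    """Compare the computed digest with the pinned one in constant time."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def verify_directory(directory: str, sums_text: str) -> Dict[str, str]:
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every listed entry."""
    result: Dict[str, str] = {}
    for name, digest in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "MISSING"
        else:
            result[name] = "ok" if verify_file(path, digest) else "MISMATCH"
    return result


def selftest() -> Dict[str, str]:
    """Constructed scenario: one intact file, one tampered file, one absent file."""
    intact = b"release payload v1\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "tool.tar.gz"), "wb") as f:
            f.write(intact)
        with open(os.path.join(d, "tool-extra.bin"), "wb") as f:
            f.write(b"tampered payload\n")   # differs from what was published
        # Digests as the publisher would have listed them for the original content.
        good_digest = hashlib.sha256(intact).hexdigest()
        orig_digest = hashlib.sha256(b"original payload\n").hexdigest()
        sums = (
            f"{good_digest}  tool.tar.gz\n"
            f"{orig_digest}  tool-extra.bin\n"
            f"{'0' * 64}  missing.bin\n"
        )
        return verify_directory(d, sums)


if __name__ == "__main__":
    # usage: python verify_sums.py SHA256SUMS [directory]
    if len(sys.argv) < 2:
        print(selftest())
    else:
        with open(sys.argv[1], encoding="utf-8") as f:
            report = verify_directory(sys.argv[2] if len(sys.argv) > 2 else ".", f.read())
        for name, status in report.items():
            print(f"{status:9} {name}")
        sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

The non-zero exit status on any mismatch or missing file is what makes this usable in a download step; printing the report alone does nothing for security if the next step runs anyway.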
jabber.ru MITM case - (@ notes.valdikss.org) - Interesting case, yet unfortunately I have to say this is nothing new at all. If you check my previous (countless) posts discussing how great an idea it is to trust the CAs, well, it isn't. And therefore this doesn't surprise me at all. There was a good list of potential mitigations at the end. What do current DV certs basically tell you? Well, I've seen this domain with this cert earlier, and that's it. It doesn't mean anything else at all. The good point about E2EE is that if the key exchange is done over the compromised channel, the attacker could in theory also MITM the end-to-end encrypted chats. This is why key exchange should be done out of band, or keys exchanged in band should be verified out of band. - Nothing new, nobody cares, and then this happens. - Quite expected, I would say.
DNS CAA (@ Wikipedia) - Hardened several services by adding the extra accounturi and validationmethods parameters to the DNS. Earlier I had just specified the CA which issues the certs in CAA, but this extra step improves the security of cert issuance, making potential abuse and MITM / AiTM even harder. ref: RFC 8659 (@ datatracker.ietf.org) - Example of the extra information added to the existing CAA / issue records: "accounturi=https://example.net/account/2345; validationmethods=http-01", or the DNS-based validation method in some specific cases.
GitHub is now using Passkeys, nice! Of course with PGP and SSH there are already solutions like HTTPS / TLS / DANE, which use DNS for key identification / verification.
Hardened my domains' DNS / TLS / CAA by adding the RFC 8657 accounturi and validationmethods fields, and specifying them per subdomain where necessary, further restricting certificate issuance. Also see: ACME-CAA (@ community.letsencrypt.org).
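An added example (my own code, not from the post or from any CA's software) showing how a CA evaluates the records described in the two CAA entries above: it walks from the requested name toward the root to find the relevant CAA RRset (RFC 8659), lets issuewild override issue for wildcard names, and then applies the RFC 8657 accounturi and validationmethods parameters. The zone below is constructed for the demo and reuses the post's example account URI; the per-subdomain record shows how issuance can be restricted differently for one hostname.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

# Presentation format as in a zone file: <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
KNOWN_PARAMS = {"accounturi", "validationmethods"}   # RFC 8657


def parse_caa(text: str) -> CAARecord:
    m = _CAA_RE.match(text)
    if not m:
        raise ValueError(f"unparseable CAA record: {text!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'issuer-domain; tag=value; ...' into (issuer, params).
    An empty issuer domain (a value of ';') means nobody may issue."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        k, sep, v = p.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter in {value!r}")
        params[k.strip().lower()] = v.strip()
    return issuer, params


def relevant_records(zone: Dict[str, List[str]], fqdn: str) -> List[CAARecord]:
    """RFC 8659: climb from the name toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []


def record_permits(rec: CAARecord, ca_domain: str,
                   account_uri: Optional[str], method: Optional[str]) -> bool:
    issuer, params = parse_issue_value(rec.value)
    if issuer != ca_domain.lower():
        return False                      # empty issuer never matches, so ';' forbids
    if not set(params) <= KNOWN_PARAMS:
        return False                      # conservative: unknown parameter, do not issue
    if "accounturi" in params and params["accounturi"] != account_uri:
        return False                      # RFC 8657: exact match with the ACME account URI
    if "validationmethods" in params:
        allowed = {m.strip() for m in params["validationmethods"].split(",")}
        if method not in allowed:
            return False                  # RFC 8657: method must be in the listed set
    return True


def issuance_allowed(zone: Dict[str, List[str]], fqdn: str, ca_domain: str,
                     account_uri: Optional[str] = None, method: Optional[str] = None) -> bool:
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn     # the wildcard's parent is the lookup name
    records = relevant_records(zone, name)
    if not records:
        return True                           # no CAA anywhere up the tree: unrestricted
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in records):
        return False                          # critical flag on a tag we do not understand
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    candidates = issuewild if (wildcard and issuewild) else issue
    if not candidates:
        return True                           # RRset carries only e.g. iodef
    return any(record_permits(r, ca_domain, account_uri, method) for r in candidates)


# Constructed zone for the demo; the account URI is the post's own example value.
ZONE = {
    "example.net": [
        '0 issue "letsencrypt.org; accounturi=https://example.net/account/2345; validationmethods=http-01"',
        '0 issuewild ";"',
        '0 iodef "mailto:security@example.net"',
    ],
    "api.example.net": [
        '0 issue "letsencrypt.org; accounturi=https://example.net/account/2345; validationmethods=dns-01"',
    ],
    "legacy.example.net": ['128 futureprop "x"'],
}
```

With these records, another ACME account at the same CA, or the same account using a validation method the record does not list, is refused even though the CA itself is permitted; that is the extra restriction the post's accounturi and validationmethods additions buy.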
Rest of the post is about the Visual Indent script
One vision-impaired friend was very frustrated with white space in files. I said, ok, I can ask Bing AI to generate a helper script for you:
Write Bash and Python scripts which fulfil the following requirements:
The filename is specified as a command line parameter, like: visindend my-config.yaml
Check if a file with the same name plus the .visinded extension exists and its last-modified timestamp is newer than the specified file's. If it is, then do the process in reverse.
Read the file line by line and do the following processing steps for each line:
Replace the spaces at the beginning of the row with the indicator '#>', without the single quotes, where # is the number of spaces.
If the row starts with tabs, use '<' instead of the '>' which is used for spaces.
Write the resulting data out, overwriting the older file, or creating a new file in case it doesn't already exist.
Input like:
stuff:
  - indended
    - deeper
then becomes...
stuff:
2>- indended
4>- deeper
and so on. And if you edit the .visinded file and just rerun the script, it updates the original file with your changes.
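An added Python implementation of the specification above (my own code, not the script Bing AI produced for the post). It follows the stated rules, including the newer-file-wins direction check, and adds one safeguard the spec does not mention: a line with no indentation that already looks like an encoded line (for example a shell redirect such as 2>file.log) is prefixed with 0> so that decoding is unambiguous and a round trip never alters the file. The .visinded extension and the visindend command name are the post's; the function names are mine.

```python
import re
import sys
from pathlib import Path

VIS_EXT = ".visinded"                    # extension used in the post
_ENCODED = re.compile(r"^(\d+)([<>])(.*)$")


def encode_line(line: str) -> str:
    """'  - foo' -> '2>- foo'; two leading tabs -> '2<foo'."""
    if line.startswith(" "):
        n = len(line) - len(line.lstrip(" "))
        return f"{n}>{line[n:]}"
    if line.startswith("\t"):
        n = len(line) - len(line.lstrip("\t"))
        return f"{n}<{line[n:]}"
    # Unindented line that would be misread as an indicator on the way back:
    # mark it explicitly so decode_line() can strip the marker again.
    if _ENCODED.match(line):
        return f"0>{line}"
    return line


def decode_line(line: str) -> str:
    m = _ENCODED.match(line)
    if not m:
        return line
    n, kind, rest = int(m.group(1)), m.group(2), m.group(3)
    return (" " if kind == ">" else "\t") * n + rest


def encode_text(text: str) -> str:
    return "\n".join(encode_line(l) for l in text.split("\n"))


def decode_text(text: str) -> str:
    return "\n".join(decode_line(l) for l in text.split("\n"))


def sync(path_str: str) -> str:
    """The post's rule: if FILE.visinded exists and is newer than FILE, decode it
    back into FILE; otherwise (re)generate FILE.visinded from FILE.
    Returns the direction taken."""
    src = Path(path_str)
    vis = src.with_name(src.name + VIS_EXT)
    if vis.exists() and (not src.exists() or vis.stat().st_mtime > src.stat().st_mtime):
        src.write_text(decode_text(vis.read_text(encoding="utf-8")), encoding="utf-8")
        return "decoded"
    vis.write_text(encode_text(src.read_text(encoding="utf-8")), encoding="utf-8")
    return "encoded"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: visindend FILE")
    print(sync(sys.argv[1]))
```

Because the encoder only touches leading whitespace and the decoder only touches the leading count-plus-marker, mixed indentation (spaces followed by a tab, or the reverse) survives a round trip unchanged, which matters for YAML and Python files where the exact characters are significant.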
This is especially useful for people who use some kind of accessibility feature which doesn't handle white space nicely, and especially with files which require use of white space in a very specific way, like Python and YAML. Even if the task was simple to accomplish, and the AI did it mostly automatically, it's sad how many editors do not have features like this built in, which would make it much clearer how deeply something is indented.
2024-08-25