Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
urbanists.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
We're a server for people who like bikes, transit, and walkable cities. Let's get to know each other!

Administered by:

Server stats:

578
active users

urbanists.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#bgp

2 posts2 participants1 post today
Replied in thread
Public *
Erik van Straten

@fleaz : it's not MultiMultiFactorAuthentication but 1FA max.

Assuming that you don't use those hardware keys to generate TOTP codes (which are pointless when confronted with the likes of #Evilginx2), but use WebAuthn instead (FIDO2 passkeys in hardware keys), everything depends on one factor: the domain name of the website.

1️⃣ DV-CERTS SUCK
It is not very common that certificates are issued to malicious parties, but it *does* happen now and then (infosec.exchange/@ErikvanStrat).

2️⃣ SUBDOMAINS
Furthermore, sometimes organizations have "dangling" subdomain names. For example,

test.example.com

may point to the IP-adress of some cloud server no longer used by example.com. Anyone with write access to that server may install a fake "test.example.com" website and phish you to it. It *may* be used to phish your WebAuthm credentials *if* "example.com" does not explicitly *DENY* WebAuthn from "test.example.com".

See github.com/w3ctag/design-revie for how Google prevents "sites.google.com" from authenticating to "google.com".

3️⃣ DNS HACKED
It may not be neccessary to execute BGP-hijacks to redirect network traffic to an impostor: it also all depends on how reliable DNS records are protected against unauthorized access. If the dude in charge for DNS uses a stupid password only, or the DNS provider is easily fooled into believing "I forgot my creds", it's game over. The crooks will obtain a DV-cert in no time, no questions asked, for free.

4️⃣ All the bells and whistless are moot if there's an alternative way to log in (such as by using a 1FA rescue code) and the user is fooled into providing it (after they've been lied to that their WebAithn public key on the server became corrupted or was lost otherwise).

5️⃣ Cloudflare MitM's https connections (it's not a secret: blog.cloudflare.com/password-r). The same applies to any server you log in to, which is accessible by untrustworthy personnel. They can steal your session cookie.

6️⃣ In the end MFA/2FA is a hoax anyway, because the session cookie (or JWT or whatever) is 1FA anyway.

Did I mention the risks of account lockout with hardware keys that cannot be backupped? And the mess it is to keep at least one other hardware key synchronized if it's in a vault? And the limitation of, for example, 25 WebAuthn accounts max? And (unpatcheable) vulnerabilities found in hardware keys? And their price? And how easy it is to forget or loose them?

@odr_k4tana

Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)🌘DV-CERT MIS-ISSUANCE INCIDENTS🌒 🧵#3/3 Note: this list (in reverse chronological order) is probably incomplete; please respond if you know of additional incidents! 2024-07-31 "Sitting Ducks" attacks/DNS hijacks: mis-issued certificates for possibly more than 35.000 domains by Let’s Encrypt and DigiCert: https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/ (src: https://www.bleepingcomputer.com/news/security/sitting-ducks-dns-attacks-let-hackers-hijack-over-35-000-domains/) 2024-07-23 Let's Encrypt mis-issued 34 certificates,revokes 27 for dydx.exchange: see 🧵#2/3 in this series of toots 2023-11-03 jabber.ru MitMed/AitMed in German hosting center https://notes.valdikss.org.ru/jabber.ru-mitm/ 2023-11-01 KlaySwap en Celer Bridge BGP-hijacks described https://www.certik.com/resources/blog/1NHvPnvZ8EUjVVs4KZ4L8h-bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the 2023-09-01 Biggest BGP Incidents/BGP-hijacks/BGP hijacks https://blog.lacnic.net/en/routing/a-brief-history-of-the-internets-biggest-bgp-incidents 2022-09-22 BGP-hijack mis-issued GoGetSSL DV certificate https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/ 2022-09-09 Celer Bridge incident analysis https://www.coinbase.com/en-nl/blog/celer-bridge-incident-analysis 2022-02-16 Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack https://www.bankinfosecurity.com/crypto-exchange-klayswap-loses-19m-after-bgp-hijack-a-18518 🌘BACKGROUND INFO🌒 2024-08-01 "Cloudflare once again comes under pressure for enabling abusive sites (Dan Goodin - Aug 1, 2024) https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/ 2018-08-15 Usenix-18: "Bamboozling Certificate Authorities with BGP" https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee Edited 2024-09-05 14:19 UTC: corrected the link for the "jabber.ru" incident. #DV #LE #LetsEncrypt #Certificates #Certs #Misissuance #Mis_issuance #Revocation #Revoked #Weaknessess #WeakCertificates #WeakAuthentication #Authentication #Impersonation #Identification #Infosec #DNS #DNSHijacks #SquareSpace #Authorization #UnauthorizedChanges #UnauthorizedModifications #DeFi #dydx_exchange #CryptoCoins
#1FA#2FA#MFA
Public
Stéphane Bortzmeyer

Association entre adresse IP et AS

Dans les discussions au sujet du réseau Internet, on voit souvent passer des demandes sur l'AS associé à une adresse IP ou bien le contraire. Mais les questions simples du genre « de quel AS dépend une adresse IP ? » sont… trop simples.

bortzmeyer.org/association-as-

www.bortzmeyer.orgBlog Stéphane Bortzmeyer: Association entre adresse IP et AS
#BGP#whois#RDAP
Public
Stéphane Bortzmeyer

#routage #factChecking #FRnog #BGP
Très bonne analyse du discours d'un PDG qui prétendait qu'un tiers du trafic Internet mondial passe par ses tuyaux. Spoiler : c'est plus compliqué que ça.

anuragbhatia.com/post/2025/02/

Les chefs et les journalistes veulent toujours des stats simples genre « qui a la plus grosse ». Mais la réalité ne se laisse pas faire.

Personal blog of Anurag Bhatia · Analysing transit free networksThis post covers analysis of single homed Vs multihomed routes behind each known transit free tier 1 network
Public
Anurag Bhatia

Ever wonder how much routes are there in downstream cone of each known transit free tier 1 network? How much of those routes are single homed Vs multi homed?

Checkout my latest #blog post analysing transit free networks - anuragbhatia.com/post/2025/02/

Personal blog of Anurag Bhatia · Analysing transit free networksThis post covers analysis of single homed Vs multihomed routes behind each known transit free tier 1 network
#BGP
Public
Stéphane Bortzmeyer

Un RFC (pas encore paru mais presque) qui aura pris du temps (7 ans !), routage SPF avec #BGP. datatracker.ietf.org/doc/draft

IETF DatatrackerBGP Link-State Shortest Path First (SPF) RoutingMany Massively Scaled Data Centers (MSDCs) have converged on simplified L3 (Layer 3) routing. Furthermore, requirements for operational simplicity has led many of these MSDCs to converge on BGP as their single routing protocol for both their fabric routing and their Data Center Interconnect (DCI) routing. This document describes extensions to BGP to use BGP Link-State distribution and the Shortest Path First (SPF) algorithm. In doing this, it allows BGP to be efficiently used as both the underlay protocol and the overlay protocol in MSDCs.
Public
gyptazy

Hey #homelab users!

You probably already know me by my free @BoxyBSD project and I often got asked about IPv4 addresses. Currebtly, I tinker with a new but also honestly not free service. The idea is creating a static IP service for homelab users. I'm aware that there're already some around, so what could be some benefits here?

- Static single #IPv4 & #IPv6 /48 (so you can subnet your homelab to several /64 without breaking #slacc)
- Bigger subnets (IPv4: /29, /28, /27 | IPv6: /32)
- Full RIPE personalization (inc. abuse & Co)
- #OpenVPN, #Wireguard, #GRE Support
- Auto configure (e.g., you load the wireguard config on any client and the addresses Arena immediately bound to that interface)
- Split usage / multiple tunnels: Use different IPs from your subnets at different locations
- Integration into #BoxyBSD
- Location in Germany or Netherlands (selectable)
- Hosted on redundant #FreeBSD nodes

Pricing:
- The starter package probably around 10€/month (not more) + 15€ setup including 2T traffic
- Pricing for addiriinal/larger subnets not yet sure, probably higher setup fees to avoid hoppers and spamers to keep the addresses clean
- Optional traffic packages (when exceeding speed Limit of 10Mbit which should still be ok for most homelabs)

World this be interesting? Im aware that many ones already do this by VPS themselves, so this might just be a bit easier and optionally offering whole networks including RIPE personalizations.

#hosting#Server#kubernetes
Public
BoxyBSD

#FOSDEM 2025 special!

Did you met @gyptazy at the conference? Double your resources or get a second VPS in the same or different location for enhancing the learning, evaluation and testing possibilities!

* Learn and create HA setups
* Test #BGP multi-site setups
* Test pf firewall setups
* Test #Wireguard setups
* Test #ZFS send/receive functions
* And many more things

How? Just message @gyptazy in Matrix by your already present and defined Matrix account.

Public *
gyptazy

What means or is #selfhosting for you?

I think most ones will identify this with simply running something on their own system, that is under their own control. But is this enough? For data sovereignty probably…

- Is that really enough?
- What about everything else? What about the infrastructure?
- Should you run your own ntp, dns etc?
- What about your provider? Simply getting an IP assigned from your provider or become yourself an ISP?

Where does it start and where does it end?

#fediverse#homelab#hosting
ExploreLive feeds
About