More supply chain thoughts.
Let's Encrypt is based in the United States.
Recent searches
Search options
Administered by:
#ssl
0 posts0 participants0 posts today
New releases
• Kitten (rolling release)
• @small-tech/https version 5.3.2
• Auto Encrypt version 4.1.3
OCSP support has been reinstated in the server so existing sites with Let’s Encrypt certificates provisioned prior to the removal of the OCSP stapling requirement will not fail to load in Firefox.
Kitten servers in production will automatically update to this version in a few hours. You can also sign in to the Kitten settings page on your server and do a manual update to update Kitten immediately.
Thanks to @stefan and @s1r83r for bringing this to my attention. (https://mastodon.ar.al/@aral/113969540950647873)
Aral’s fediverse serverAral Balkan (@aral@mastodon.ar.al)@s1r83r@pataterie.ca @stefan@gardenstate.social Thanks for the heads up, folks.
So, here’s what’s happened:
1. Let’s Encrypt removed OCSP support and starting rejecting certificate requests that require OCSP stapling (a privacy feature that Kitten inherited from my Auto Encrypt module) for new server requests and will reject certificate renewal requests starting in May.
2. So I went ahead and removed the OCSP stapling requirement from the certificate requests Auto Encrypt makes to Let’s Encrypt.
3. I also removed OCSP support from the server.
Makes sense, right?
Sure does, until you consider what happens to servers with already-provisioned Let’s Encrypt certificates that have certificates that require OCSP stapling. (kitten.small-web.org’s certificate got renewed four days ago, before I’d released the updates.)
*Doh!* 🤦♂️
Seems Safari and Chrom(ium) are fine with letting it pass. However, Firefox, (and correctly too, I might add), refuses to load the site.
So I’m off to update Auto Encrypt to re-enable OCSP support with a note to disable it in May (by which time all certificates will have renewed anyway without the stapling requirement) and then issue new builds of @small-web/https and Kitten.
Kitten servers should automatically upgrade and start working in Firefox in several hours. And you can also manually update them if you want to before then after I’ve announced the releases.
Thanks again for letting me know.
:kitten:💕
#Kitten #SmallWeb #AutoEncrypt #LetsEncrypt #TLS #SSL #HTTPS #OCSP
Continued thread
@small-tech/https version 5.3.0 released
• Uses Auto Encrypt 4.1.1 (removes OCSP stapling support because Let]s Encrypt has removed OCSP support).
https://www.npmjs.com/package/@small-tech/https
This module is a drop in replacement for Node HTTPS module that automatically handles TLS certificate provisioning and renewal both at localhost (via Auto Encrypt Localhost¹) and at hostname (via Auto Encrypt with Let’s Encrypt certificates²).
So, this is how you create a HTTPS server in Node.js that uses this module and automatically handles TLS certificate provisioning and renewal for you both at localhost (during development) and at hostname (during production):
```js
import https from '@small-tech/https'
const server = https.createServer((request, response) => {
response.end('Hello, world!')
})
server.listen(443, () => {
console.log(' 
Server running at https://localhost.')
})
```
(Yes, that’s it! I wrote a metric shit-tonne of meticulously-tested code so you don’t have to.) :)
Note that the localhost certificate support via Auto Encrypt Localhost is 100% JavaScript and does NOT rely on an external binary like mkcert or certutil.
Needless to say, Kitten³ uses this module under the hood and it’s a big part of why Domain⁴ can deploy servers so easily that don’t require any day-to-day maintenance.
In case you’re wondering why I’m spending so much time releasing all these modules, it’s because I believe in sharing every brick of the house I’m building so others can easily build different houses if they want to. I’m not saying that what I’m building with Kitten, Domain, and Place⁵ will be the end all be all of the Small Web⁶ (the peer-to-peer web). And I want others to be able to experiment by building their own tools without having to go through the grueling development process I’ve had to in the past six years to build basic infrastructure.
Enjoy!
¹ https://codeberg.org/small-tech/auto-encrypt-localhost
² https://codeberg.org/small-tech/auto-encrypt
³ https://kitten.small-web.org
⁴ https://codeberg.org/domain/app
⁵ https://codeberg.org/place/app
⁶ https://ar.al/2024/06/24/small-web-computer-science-colloquium-at-university-of-groningen/
npm@small-tech/httpsA drop-in standard Node.js HTTPS module replacement with both automatic development-time (localhost) certificates via Auto Encrypt Localhost and automatic production certificates via Auto Encrypt.. Latest version: 5.3.0, last published: 16 minutes ago. Start using @small-tech/https in your project by running `npm i @small-tech/https`. There are 2 other projects in the npm registry using @small-tech/https.
Continued thread
Auto Encrypt version 4.1.1 released
Fixed:
• User agent string now includes the correct Auto Encrypt version (and the name fragment “auto-encrypt” instead of “acme”).
• Tests now send `Connection: close` header so they’re not tripped up by the default `keep-alive` introduced in Node 19.
npm@small-tech/auto-encryptAutomatically provisions and renews Let’s Encrypt TLS certificates on Node.js https servers (including Kitten, Polka, Express.js, etc.). Latest version: 4.1.1, last published: 3 minutes ago. Start using @small-tech/auto-encrypt in your project by running `npm i @small-tech/auto-encrypt`. There are 3 other projects in the npm registry using @small-tech/auto-encrypt.
Auto Encrypt version 4.1.0 released
• Removes OCSP stapling, as Let’s Encrypt is removing OCSP support.
If you’re already using Auto Encrypt upgrade before May or your certificate renewals will start to fail. Upgrade now if you want to get certificates for new domains as new certificate requests are already failing.
https://codeberg.org/small-tech/auto-encrypt#readme
Auto Encrypt automatically provisions and renews Let’s Encrypt TLS certificates on Node.js https servers (including Kitten¹, Polka, Express.js, etc.)
Regular Node.js HTTPS server (without Let’s Encrypt certificates):
```js
import https from 'node:https'
const server = https.createServer(…)
```
Auto Encrypt https server with automatic Let’s Encrypt certificates:
```js
import AutoEncrypt from '@small-tech/auto-encrypt'
const server = AutoEncrypt.https.createServer(…)
```
(Certificates are provisioned on first hit and automatically renewed 30 days before expiry.)
Codeberg.orgauto-encryptAutomatically-provisioned TLS certificates for Node.js servers using Let’s Encrypt.
Let's Encrypt will discontinue sending expiration notification emails, and they can recommend
Red Sift Certificates Lite
Lite is the free tier of Red Sift Certificates, providing expiration monitoring for up to 250 certificates and 7-day email alerts to prevent downtime.
redsift.comNever miss an expiring certificate with Red Sift Certificates LiteLite is the free tier of Red Sift Certificates, providing expiration monitoring for up to 250 certificates and 7-day email alerts to prevent downtime.
Just released Node Pebble version 5.1.1
• Updated to Pebble version 2.7.0.
• Now also supports macOS and arm64 (because Pebble itself does).
https://codeberg.org/small-tech/node-pebble
Node Pebble is a Node.js wrapper for Let’s Encrypt’s¹ Pebble² that:
• Downloads the correct Pebble binary for your platform.
• Launches and manages a single Pebble process.
• Returns a reference to the same process on future calls (safe to include in multiple unit tests where order of tests is undetermined)
• Automatically patches Node.js’s TLS module to accept Pebble server’s test certificate as well as its dynamically-generated root and intermediary CA certificates.
² “A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority.” https://github.com/letsencrypt/pebble
Codeberg.orgnode-pebbleA Node.js wrapper for Let’s Encrypt’s Pebble (a small RFC 8555 ACME test server not suited for a production certificate authority)
So I guess Let’s Encrypt has decided what I’ll be working on today then…
https://letsencrypt.org/2024/12/05/ending-ocsp/
(They’re ending OCSP stapling support. I’ll be updating Auto Encrypt¹ to remove OCSP support and then update @small-tech/https, which uses it, along with Auto Encrypt Localhost² to provide seamless TLS support regardless of whether you’re working in development or in production, and then update Site.js³ – deprecated but still used to serve some of our own sites at Small Technology Foundation⁴ – and Kitten⁵, with the latest @small-tech/https.)
¹ https://codeberg.org/small-tech/auto-encrypt
² https://codeberg.org/small-tech/auto-encrypt-localhost
³ https://codeberg.org/small-tech/https
⁴ https://small-tech.org
⁵ https://kitten.small-web.org
letsencrypt.orgEnding OCSP Support in 2025Earlier this year we announced our intent to provide certificate revocation information exclusively via Certificate Revocation Lists (CRLs), ending support for providing certificate revocation information via the Online Certificate Status Protocol (OCSP). Today we are providing a timeline for ending OCSP services:
January 30, 2025 OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension May 7, 2025 Prior to this date we will have added CRL URLs to certificates On this date we will drop OCSP URLs from certificates On this date all requests including the OCSP Must Staple extension will fail August 6, 2025 On this date we will turn off our OCSP responders Additionally, a very small percentage of our subscribers request certificates with the OCSP Must Staple Extension.
Replied to Kevin Karhan 
@Kevin Karhan :verified:
It's the same with an email server. System administrators have more power than people think. I guess that's why their password is "god."
OFC that is a constant struggle.
Needless to say all #Fediverse Software like #Mastodon actually tells people: 'Hey, #DMs are not private nor encrypted beyond #SSL - #Admins can read them if they actually want to!'
It's the same with an email server. System administrators have more power than people think. I guess that's why their password is "god."
hubzilla.monsterHubzilla Monster
Replied in thread
Natürlich kannste der #Desinformation von #Diensteanbietern glauben, aber dann ist #WhatsApp auch #E2EE weil die #SSL nutzen (und mit der Logik auch #WeChat & #QQ - lol)!
- Ernsthaft, es gibt nen Grund warum #XMPP+#OMEMO & #PGP/MIME bis heute sich halten und proprietäre shice alla #MSN & #ICQ tot ist.
Gerade weil wirkliche #InfoSec & #OpSec sowie #ComSec & #ITsec nur mit #Transparenz geht.
- Ich vertrau' prinzipiell keinem Code oder Anbieter...
Replied in thread
@jupiter_rowland OFC this is also due to the fact that the last 50+ years no serious attempt at teaching #TechLiteracy has been done anywhere in a formal matter.
- Like teaching #kids how #computing works and not how to be a #Zombie-like #User for #GAFAM - Products!
Luckily #Education and #Knowledge isn't monopolized and Initiatives like @cryptoparty / #CryptoParty exist that basically get #TechIlliterates to a level that if they follow up what has been trained don't act as "#UnofficialEmployees" of #NSAbook et. al.
- I just wish this wasn't the #exception but norm!
Either way, we'll all have to take part in making the world better, even if that meremy means not contribute to #Enshittification...
OFC that is a constant struggle.
- Needless to say all #Fediverse Software like #Mastodon actually tells people: 'Hey, #DMs are not private nor encrypted beyond #SSL - #Admins can read them if they actually want to!'
Replied in thread
@puppygirlhornypost2 @navi yeah, but that's a common problem based off #TechIlliteracy and lack of proper explaination!
- Given the #CryptoAPI of #Windows is #backdoored for #Govware [#NSAKEY_ & #SSL-Updates I'd consider #BitLocker insecure and the least of it's problems!
Bonus points if #TPM bs prevents #DataRecovery.
- My biggest problem with #FDE/ #FullDiskEncryption is that is mandates direct access to a system to authenticate, thus one needs to manually mount stuff on servers post-boot instead.
GitHubGitHub - kkarhan/windows-ca-backdoor-fix: Fixes a critical backdoor in Windows' CryptoAPI, which allows to unconsenting Update of CA Certificates in the background. See https://www.heise.de/ct/ausgabe/2013-17-Zweifelhafte-Updates-gefaehrden-SSL-Verschluesselung-2317589.htmlFixes a critical backdoor in Windows' CryptoAPI, which allows to unconsenting Update of CA Certificates in the background. See https://www.heise.de/ct/ausgabe/2013-17-Zweifelhafte-Updates-gefae...
Replied in thread
@tokyo_0 #TrueCrypt is #abandonware with serious security issues.
- DO NOT USE TRUECRYPT FFS!!!
Use #VeraCrypt or even better: migrate machines to #Linux and use #LUKS / #dmcrypt instead, as it's the best option at hand.
- If you need to shuttle data to #Windows and #macOS machines and using #SFTP / #SSHFS to mount a secure storage over the network isn't an option, than you're stuck with VeraCrypt, as #Windows' #CryptoAPI is evidently #backdoored to the point that every #Browser except #Firefox is susceptible to #SSL hijacking with background updates...
GitHubGitHub - kkarhan/windows-ca-backdoor-fix: Fixes a critical backdoor in Windows' CryptoAPI, which allows to unconsenting Update of CA Certificates in the background. See https://www.heise.de/ct/ausgabe/2013-17-Zweifelhafte-Updates-gefaehrden-SSL-Verschluesselung-2317589.htmlFixes a critical backdoor in Windows' CryptoAPI, which allows to unconsenting Update of CA Certificates in the background. See https://www.heise.de/ct/ausgabe/2013-17-Zweifelhafte-Updates-gefae...
... Well done BoM .. as a Federal Australian Govt. funded service, it's only taken you 15 years to achieve what is the standard for 99% of legitimate internet facing webpages, (even then, just a "Beta" web site) that are capable of delivering weather information to Australians, that use .. *gasp!* ... transport layer security ...
* Slow Clap * and a belated welcome to the rest of the internet...
My private suspicion is that that cyber.gov.au finally beat them over the head with the "Essential 8" stick ... as opposed to just showing them it exists.
Replied in thread
Granted, with #SSL being mainstreamed on the "#SurfaceWeb" that issue is somewhat mitigated or at least made costly.
- OFC a #OnionService will always be better...
Given the fact @torproject publishes their Exit Nodes this is also harder to pull off unnoticed.
GitHublists.d/blocklists.list.tsv at 7f976e772b08c81717a32ea18e2608f40b788828 · greyhat-academy/lists.dList of useful things. Contribute to greyhat-academy/lists.d development by creating an account on GitHub.
Replied in thread
@noctilua @torproject and no I didn't fiddle with my #SSL certs or shit...
Cuz I use #Oshi all the time:
https://github.com/kkarhan/misc-scripts/blob/2999339de4df13457f3a43cbb13beba9e55268ba/bash/.bash_aliases#L79
GitHubmisc-scripts/bash/.bash_aliases at 2999339de4df13457f3a43cbb13beba9e55268ba · kkarhan/misc-scriptsrandom scripts for various admin tasks. Contribute to kkarhan/misc-scripts development by creating an account on GitHub.