[Tell HN: Automatic fraud detection is making my life hell | Hacker News](https://news.ycombinator.com/item?id=38038713)
- the UX is garbage from all the extra authentication!

[Non-repudiation - Wikipedia](https://en.wikipedia.org/wiki/Non-repudiation)
- this is a major question: how do you know someone is who they say they are?
- same issue with computers about other computers

## CA

specify Certificate Authority on Authentication page (refs from Web Dev)

## cyberpunk culture

THE CYBERPUNK CULTURE HAS ARISEN AS A PHENOMENOLOGY AROUND THE NEED FOR HIGH-QUALITY ENCRYPTION AND AUTHENTICATION
- MUCH OF IT IS ANGLED AS A VIGILANTE-ESQUE FIGHT AGAINST TYRANNY: DAVID VS GOLIATH

## 2FA errors

[Flaw has Microsoft Authenticator overwriting MFA accounts, locking users out | Hacker News](https://news.ycombinator.com/item?id=41275846)
[Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out | CSO Online](https://www.csoonline.com/article/3480918/design-flaw-has-microsoft-authenticator-overwriting-mfa-accounts-locking-users-out.html)

## 2FA

[When MFA isn't MFA, or how we got phished | Hacker News](https://news.ycombinator.com/item?id=37500895)
[When MFA isn't actually MFA](https://retool.com/blog/mfa-isnt-mfa)
[The Booming Underground Market for Bots That Steal Your 2FA Codes](https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo)
[Steam's login method is kinda interesting | Hacker News](https://news.ycombinator.com/item?id=25730145)
[Steam's login method is kinda interesting // owlspace](https://web.archive.org/web/20210107153907/https://owlspace.xyz/cybersec/steam-login/)
[Reddit Hack Shows Limits of MFA, Strengths of Security Training : cybersecurity](https://old.reddit.com/r/cybersecurity/comments/10zrxtw/reddit_hack_shows_limits_of_mfa_strengths_of/)
[Apple passwords deserve an app | Hacker News](https://news.ycombinator.com/item?id=35329950)
[Apple Passwords Deserve An App - cabel.com](https://cabel.com/2023/03/27/apple-passwords-deserve-an-app/)
[Google Authenticator now supports Google Account synchronization | Hacker News](https://news.ycombinator.com/item?id=35690398)
[Google Online Security Blog: Google Authenticator now supports Google Account synchronization](https://security.googleblog.com/2023/04/google-authenticator-now-supports.html)
[Gmail, Yahoo announce new 2024 authentication requirements for bulk senders | Hacker News](https://news.ycombinator.com/item?id=38074992)
[Gmail introduces new requirements to fight spam](https://blog.google/products/gmail/gmail-security-authentication-spam-protection/)
[macOS has checked app signatures online for over 2 years | Hacker News](https://news.ycombinator.com/item?id=25208404)
[macOS has checked app signatures online for over 2 years - The Eclectic Light Company](https://eclecticlight.co/2020/11/25/macos-has-checked-app-signatures-online-for-over-2-years/)
[Russell Brandom](https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin) (2017) This is why you shouldn’t use texts for 2FA / two-factor authentication
[Tell HN: It is impossible to disable Google 2FA using backup codes | Hacker News](https://news.ycombinator.com/item?id=34441697)

## 2FA - SMS

[SMS is not 2FA-secure | Hacker News](https://news.ycombinator.com/item?id=22016212)
[Is SMS 2FA Secure?](https://www.issms2fasecure.com/)
[Tell HN: SMS-based two-factor authentication is not secure | Hacker News](https://news.ycombinator.com/item?id=27447206)
[Second factor SMS: Worse than its reputation | Hacker News](https://news.ycombinator.com/item?id=40934495)
[CCC | Second Factor SMS: Worse Than Its Reputation](https://www.ccc.de/en/updates/2024/2fa-sms)

## 2FA - yubikey

[Pressing YubiKeys | Hacker News](https://news.ycombinator.com/item?id=24663989)
[Pressing YubiKeys | bertrand fan](https://bert.org/2020/10/01/pressing-yubikeys/)
[Edouard Kachelmann and Anthony Pasquariello](https://aws.amazon.com/blogs/security/enhance-programmatic-access-for-iam-users-using-yubikey-for-multi-factor-authentication/) (2020) Enhance programmatic access for IAM users using a YubiKey for multi-factor authentication

## apple passkey

[Apple Passkey | Hacker News](https://news.ycombinator.com/item?id=31643917)
[Supporting passkeys | Apple Developer Documentation](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys)

## audio fingerprinting

[Bypassing Safari 17's advanced audio fingerprinting protection | Hacker News](https://news.ycombinator.com/item?id=39653431)
[How We Bypassed Safari 17's Advanced Audio Fingerprinting Protection](https://fingerprint.com/blog/bypassing-safari-17-audio-fingerprinting-protection/)

## auth can be misused

[ID verification service for TikTok, Uber, X exposed driver licenses | Hacker News](https://news.ycombinator.com/item?id=40805949)
[ID Verification Service for TikTok, Uber, X Exposed Driver Licenses](https://www.404media.co/id-verification-service-for-tiktok-uber-x-exposed-driver-licenses-au10tix/)

## auth

[Instead of “auth”, we should say “permissions” and “login” | Hacker News](https://news.ycombinator.com/item?id=40491480)
[Instead of "auth", we should say "permissions" and "login" | nicole@web](https://ntietz.com/blog/lets-say-instead-of-auth/)

## authorization

[Authorization in a Microservices World | Hacker News](https://news.ycombinator.com/item?id=30878926)
[Authorization in a microservices world | Alexander's Blog](https://www.alexanderlolis.com/authorization-in-a-microservices-world)
[Winding down Google Sync and Less Secure Apps support | Hacker News](https://news.ycombinator.com/item?id=39052196)
[Google Workspace Updates: Beginning September 30, 2024: third-party apps that use only a password to access Google Accounts and Google Sync will no longer be supported](https://workspaceupdates.googleblog.com/2023/09/winding-down-google-sync-and-less-secure-apps-support.html)
[Apple TV prompt requires another Apple device | Hacker News](https://news.ycombinator.com/item?id=34405846)
[chris @hugelgupf@hachyderm.io on X: "I own an Apple TV. I own not a single other Apple device. Not one. Every time I start the Apple TV I get this prompt now. @Apple what do you expect me to do about this? https://t.co/CsNaTNNIHp" / X](https://twitter.com/hugelgupf/status/1614794516309118977)

## biometrics

[The state of external retina displays | Hacker News](https://news.ycombinator.com/item?id=29707104)
[The State of External Retina Displays, [Almost] 2022 Edition - Liss is More](https://www.caseyliss.com/2021/12/7/monitor-liss)
[Sequencing your DNA with a USB dongle and open source code | Hacker News](https://news.ycombinator.com/item?id=29695013)
[Sequencing your DNA with a USB dongle and open source code - Stack Overflow](https://stackoverflow.blog/2021/12/24/sequencing-your-dna-with-a-usb-dongle-and-open-source-code/)
[DNA seen through the eyes of a coder (or, If you are a hammer, everything looks like a nail) - Bert Hubert's writings](https://berthub.eu/articles/posts/amazing-dna)
[Fingerprints can be hacked | Hacker News](https://news.ycombinator.com/item?id=29306163)
[Your Fingerprint Can Be Hacked For $5. Here's How. - Kraken Blog](https://blog.kraken.com/product/security/your-fingerprint-can-be-hacked-for-5-heres-how)
[Face ID and Touch ID for the Web | Hacker News](https://news.ycombinator.com/item?id=23631518)
[Meet Face ID and Touch ID for the web - WWDC20 - Videos - Apple Developer](https://developer.apple.com/videos/play/wwdc2020/10670/)
[ID2020 | Technical Certification Mark](https://id2020.org/technical-certification-mark)
[Infrared Radiation From Hands Could Encrypt Data | IE](https://interestingengineering.com/innovation/infrared-radiation-from-our-hands-could-be-the-future-of-encryption)
[Does DNA have the equivalent of IF-statements, WHILE loops, or function calls? | Hacker News](https://news.ycombinator.com/item?id=38937801)
[bioinformatics - Does DNA have the equivalent of IF-statements, WHILE loops, or function calls? How about GOTO? - Biology Stack Exchange](https://biology.stackexchange.com/questions/30116/does-dna-have-the-equivalent-of-if-statements-while-loops-or-function-calls-h)
[Amazon One](https://one.amazon.com/)

## CA

[Trouble with Verify error:DNS problem: SERVFAIL looking up CAA - Help - Let's Encrypt Community Support](https://community.letsencrypt.org/t/trouble-with-verify-error-dns-problem-servfail-looking-up-caa/169644)
[Mozilla, Microsoft yank TrustCor's root certificate authority | Hacker News](https://news.ycombinator.com/item?id=33810755)
[Mozilla, Microsoft yank TrustCor's root certificate authority after U.S. contractor revelations - The Washington Post](https://www.washingtonpost.com/technology/2022/11/30/trustcor-internet-authority-mozilla/)
[Standing on our own two feet | Hacker News](https://news.ycombinator.com/item?id=25008748)
[Standing on Our Own Two Feet [Updated] - Let's Encrypt](https://letsencrypt.org/2020/11/06/own-two-feet.html)
[Single random bit flip causes error in certificate transparency log | Hacker News](https://news.ycombinator.com/item?id=27728287)
[Yeti 2022 not furnishing entries for STH 65569149](https://groups.google.com/a/chromium.org/g/ct-policy/c/PCkKU357M2Q/?pli=1)

## CAPTCHA

[DOOM Captcha | Hacker News](https://news.ycombinator.com/item?id=27264988)
[Doom Captcha (2021) | Hacker News](https://news.ycombinator.com/item?id=39858750)
[DOOM Captcha - Captchas don't have to be boring](https://vivirenremoto.github.io/doomcaptcha/)
[CAPTCHAs don't prove you're human - they prove you're American (2017) | Hacker News](https://news.ycombinator.com/item?id=25226805)
[CAPTCHAs don't prove you're human - they prove you're American - Terence Eden's Blog](https://shkspr.mobi/blog/2017/11/captchas-dont-prove-youre-human-they-prove-youre-american/)
[HBO Max new Captcha system | Hacker News](https://news.ycombinator.com/item?id=36118707)
[meg. on X: "this is absolutely hilarious. https://t.co/NyHmldEaoJ" / X](https://twitter.com/wondermeg_/status/1662454909353033730)
[An Empirical Study and Evaluation of Modern CAPTCHAs | Hacker News](https://news.ycombinator.com/item?id=38670465)
[[2307.12108] An Empirical Study & Evaluation of Modern CAPTCHAs](https://arxiv.org/abs/2307.12108)
[Retrieving your browsing history through a CAPTCHA | Hacker News](https://news.ycombinator.com/item?id=30569396)
[Retrieving your browsing history through a CAPTCHA](https://varun.ch/history)
[Humans Not Invited](http://www.humansnotinvited.com/) parodic site for captcha haters

## certificates - Let's Encrypt

[Let's Encrypt makes certs for 30% of web domains | Hacker News](https://news.ycombinator.com/item?id=20898094)
[Let's Encrypt makes certs for almost 30% of web domains! RC4/3DES/TLS 1.0 are still used! Certs for hundreds of years! Analyzing hundreds of millions of SSL handshakes | Little Short Bulletins](https://www.leebutterman.com/2019/08/05/analyzing-hundreds-of-millions-of-ssl-connections.html)
[Let's Encrypt Has Issued a Billion Certificates | Hacker News](https://news.ycombinator.com/item?id=22434466)
[Let's Encrypt Has Issued a Billion Certificates - Let's Encrypt](https://letsencrypt.org/2020/02/27/one-billion-certs.html)
[Shortening the Let's Encrypt chain of trust | Hacker News](https://news.ycombinator.com/item?id=36673793)
[Shortening the Let's Encrypt Chain of Trust - Let's Encrypt](https://letsencrypt.org/2023/07/10/cross-sign-expiration.html)
[More Memory Safety for Let's Encrypt: Deploying ntpd-rs | Hacker News](https://news.ycombinator.com/item?id=40778594)
[More Memory Safety for Let’s Encrypt: Deploying ntpd-rs - Let's Encrypt](https://letsencrypt.org/2024/06/24/ntpd-rs-deployment.html)

## certificates

[Cracking Meta's Messenger Certificate Pinning on macOS | Hacker News](https://news.ycombinator.com/item?id=39609336)
[Cracking Meta's Messenger Certificate Pinning on macOS - Texts.blog, the blog of Texts.com](https://texts.blog/2024/02/20/cracking-metas-messenger-certificate-pinning-on-macos/)
[Entrust Certificate Distrust | Hacker News](https://news.ycombinator.com/item?id=40812833)
[Google Online Security Blog: Sustaining Digital Certificate Security - Entrust Certificate Distrust](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html)
[Platform certificates used to sign malware | Hacker News](https://news.ycombinator.com/item?id=33823946)
[100 - Platform certificates used to sign malware - apvi](https://bugs.chromium.org/p/apvi/issues/detail?id=100)

## certificates - SSH

[If you're not using SSH certificates you're doing SSH wrong (2019) | Hacker News](https://news.ycombinator.com/item?id=30788544)
[If you're not using SSH certificates you're doing SSH wrong](https://smallstep.com/blog/use-ssh-certificates/)

## certificates - SSL

[James Coyle](https://www.jamescoyle.net/how-to/1891-git-ssl-certificate-problem-caused-by-self-signed-certificates) Git SSL Certificate Problem Caused By Self Signed Certificates
[Jeff Jones](http://outofmyhead.olssonandjones.com/2017/12/02/wget-cant-execute-ssl_helper/) (2017) `wget: can't execute 'ssl_helper': No such file or directory wget: error getting response: Connection reset by peer` error happening in alpine container 3.5.2. seems to be by design... [docker-library/busybox/issues/25](https://github.com/docker-library/busybox/issues/25)
[Deb Shinder](http://techgenix.com/SSL-Acceleration-Offloading-Security-Implications/) SSL Acceleration and Offloading: What Are the Security Implications?

## certificates - SSL - OpenSSL

[OpenSSL 3.0.7 fixes X.509 email address buffer overflows | Hacker News](https://news.ycombinator.com/item?id=33422837)
[CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows - OpenSSL Blog](https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/)
[Stack Overflow](https://stackoverflow.com/a/31552829/2309958) File encryption with OpenSSL and Why you should use GPG instead
[John Herbert](http://movingpackets.net/2015/03/18/telling-openssl-about-your-root-certificates/) (2015) Telling OpenSSL About Your Root Certificates / for *Nix and OS X

## credentials - MSFT

[The Microsoft MFA system almost brought me to a nervous breakdown | Hacker News](https://news.ycombinator.com/item?id=28834260)
[The efficiency of Microsoft. Or how the Microsoft MFA system almost brought me to a complete nervous breakdown in under 24 hours. | by Konstantin Gizdov | Medium](https://kgizdov.medium.com/the-efficiency-of-microsoft-e50ea81f69f5)
[Microsoft ruined passwords, now aims for a passwordless future | Hacker News](https://news.ycombinator.com/item?id=28598894)
[Microsoft Ruined Passwords, Now Aims for a Passwordless Future - Purism](https://puri.sm/posts/microsoft-ruined-passwords-now-aims-for-a-passwordless-future/)
[Everything authenticated by Microsoft is tainted | Hacker News](https://news.ycombinator.com/item?id=37702095)
[Karl Voit :emacs: :orgmode:: "After basically the whole #Mic…" - graz.social](https://graz.social/@publicvoit/111147782761723981)
[Git Credential Manager Core: Building a universal authentication experience | The GitHub Blog](https://github.blog/2020-07-02-git-credential-manager-core-building-a-universal-authentication-experience)
[Hackers have found a clever new way to steal your Microsoft 365 credentials : cybersecurity](https://old.reddit.com/r/cybersecurity/comments/tx0y74/hackers_have_found_a_clever_new_way_to_steal_your)

## digital signatures

[eSignature Beta for Google Docs and Google Drive | Hacker News](https://news.ycombinator.com/item?id=37079534)
[Google Workspace Updates: Introducing eSignature for Google Docs and Google Drive: launching to open beta for Workspace Individual subscribers, launching to beta for Google Workspace customers](https://workspaceupdates.googleblog.com/2023/08/esignature-google-docs-google-drive.html)

## DKIM keys

[Ok Google: please publish your DKIM secret keys | Hacker News](https://news.ycombinator.com/item?id=25113482)
[Ok Google: please publish your DKIM secret keys - A Few Thoughts on Cryptographic Engineering](https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/)

## GPG

[Switching git back to GPG signing](https://sethmlarson.dev/switching-git-back-to-gpg-signing)
[Seth Michael Larson](https://sethmlarson.dev/)

## identity and access management

[Keycloak - Open-source identity and access management interview | Hacker News](https://news.ycombinator.com/item?id=36384636)
[Console #162 - Interview with Michal of Keycloak - Open Source Identity and Access Management](https://console.substack.com/p/console-162#%C2%A7interview-with-michal-of-keycloak-open-source-identity-and-access-management-for-modern-applications)

## identity and access management - security policies

[Security.txt file now mandatory for Dutch government websites | Hacker News](https://news.ycombinator.com/item?id=36149004)
[Security.txt now mandatory for Dutch government websites](https://netherlands.postsen.com/trends/198695/Securitytxt-now-mandatory-for-Dutch-government-websites.html)

## JWT

[Should I use JWTs for authentication tokens? | Hacker News](https://news.ycombinator.com/item?id=40491694)
[Should I Use JWTs For Authentication Tokens? - Tinker, Tamper, Alter, Fry](https://blog.ploetzli.ch/2024/should-i-use-jwt-for-authentication/)

## OAuth

[Google OAuth is broken (sort of) | Hacker News](https://news.ycombinator.com/item?id=38720544)
[Google OAuth is Broken (Sort Of) ◆ Truffle Security Co.](https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of)
[Attack campaign involving stolen OAuth tokens issued to third-party integrators | Hacker News](https://news.ycombinator.com/item?id=31046791)
[Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators - The GitHub Blog](https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/)
[Oauth2 support for GMail | Hacker News](https://news.ycombinator.com/item?id=31420433)
[Pegasus Mail Newsflashes](https://www.pmail.com/newsflash.htm)
[Microsoft Account's OAuth tokens leaking via open redirect in Harvest | Hacker News](https://news.ycombinator.com/item?id=37973937)
[Stealing OAuth tokens of Microsoft accounts via open redirect in Harvest App | Hacker News](https://news.ycombinator.com/item?id=37973937)
[Stealing OAuth tokens of connected Microsoft accounts via open redirect in Harvest App](https://eval.blog/microsoft-account-token-leaks-in-harvest)

## passkeys

[Passkeys: The beginning of the end of the password | Hacker News](https://news.ycombinator.com/item?id=35801392)
[Passkeys: What they are and how to use them](https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/)
[Passkeys will come at a cost | Hacker News](https://news.ycombinator.com/item?id=36712497)
[Firstyear's blog-a-log](https://fy.blackhats.net.au/blog/2023-02-02-how-hype-will-turn-your-security-key-into-junk/)
[Passkeys are now enabled by default for Google users | Hacker News](https://news.ycombinator.com/item?id=37832585)
[Passkeys are now enabled by default for Google users](https://blog.google/technology/safety-security/passkeys-default-google-accounts/)
[Passkeys: A shattered dream | Hacker News](https://news.ycombinator.com/item?id=40165998)
[Firstyear's blog-a-log](https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/)
[There's no need to change passwords if they're robust, unique and not breached | Hacker News](https://news.ycombinator.com/item?id=30554714)
[Never Change Your Password - TidBITS](https://tidbits.com/2022/03/03/never-change-your-password/)

## password and secrets manager

[Your mobile password manager might be exposing your credentials | TechCrunch](https://techcrunch.com/2023/12/06/your-mobile-password-manager-might-be-exposing-your-credentials/)
[How to Outsource Your Online Security with 1Password, Authy, and Privacy.com](https://www.freecodecamp.org/news/outsourcing-security-with-1password-authy-and-privacy-com)
[Password Management for Large Enterprise](https://old.reddit.com/r/networking/comments/15gh8yv/password_management_for_large_enterprise/)
[KeePassXC Debian maintainer has removed all network features | Hacker News](https://news.ycombinator.com/item?id=40320166)
[Team KeePassXC: "Debian Users - Be aware the maintainer of the Kee…" - Fosstodon](https://fosstodon.org/@keepassxc/112417353193348720)
[Apple unveils 'Passwords' manager app at WWDC 2024 | Hacker News](https://news.ycombinator.com/item?id=40636292)
[Forget LastPass: Apple unveils 'Passwords' manager app at WWDC 2024 | ZDNET](https://www.zdnet.com/article/forget-lastpass-apple-unveils-passwords-manager-app-at-wwdc-2024/)
[Fred Blaise](https://modernciso.com/2018/02/21/secrets-management-for-security-and-speed/) (2018) Secrets Management for Security and Speed
[Daniel Aleksandersen](https://www.ctrl.blog/entry/migrating-to-bitwarden) (2018) Why I migrated from LastPass to Bitwarden

## password hashes

[Hash Suite a program to audit security of password hashes](https://hashsuite.openwall.net/)

## passwords

[I hate password rules | Hacker News](https://news.ycombinator.com/item?id=29239587)
[Why I Hate Password Rules - Schneier on Security](https://www.schneier.com/blog/archives/2021/11/why-i-hate-password-rules.html)
[Microsoft says mandatory password changing is "ancient and obsolete" (2019) | Hacker News](https://news.ycombinator.com/item?id=26863907)
[Microsoft says mandatory password changing is "ancient and obsolete" | Ars Technica](https://arstechnica.com/information-technology/2019/06/microsoft-says-mandatory-password-changing-is-ancient-and-obsolete/)
[The Password Game | Hacker News](https://news.ycombinator.com/item?id=36493715)
[The Password Game](https://neal.fun/password-game/)
[ELI5: why is a password that uses numbers and letters stronger...](https://old.reddit.com/r/explainlikeimfive/comments/149z8k4/eli5_why_is_a_password_that_uses_numbers_and/)
[Password guru regrets past advice - BBC News](https://www.bbc.com/news/technology-40875534)
[I almost failed to search a 37 GB text file in under 1 millisecond | Hacker News](https://news.ycombinator.com/item?id=34020067)
[Has your password been pwned? Or, how I almost failed to search a 37 GB text file in under 1 millisecond (in Python) - death and gravity](https://death.andgravity.com/pwned)
[Password may not contain: select, insert, update, delete, drop | Hacker News](https://news.ycombinator.com/item?id=39078372)
[Password reset - ID portal](https://id.uni-lj.si/DigitalnaIdentiteta/PonastavitevGesla?culture=en-GB)

## privacy issues

[Cryptographers solve decades-old privacy problem | Hacker News](https://news.ycombinator.com/item?id=38320675)
[Cryptographers Solve Decades-Old Privacy Problem - Nautilus](https://nautil.us/cryptographers-solve-decades-old-privacy-problem-444899/)
[Why printers add secret tracking dots (2020) | Hacker News](https://news.ycombinator.com/item?id=28023553)
[Why printers add secret tracking dots](https://www.bbc.com/future/article/20170607-why-printers-add-secret-tracking-dots)

## private vs public keys

[Where are public keys stored?](https://old.reddit.com/r/cybersecurity/comments/15jdg5t/where_are_public_keys_stored/)

## RSA

[We updated our RSA SSH host key | Hacker News](https://news.ycombinator.com/item?id=35285390)
[We updated our RSA SSH host key - The GitHub Blog](https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/)

## SASL XMSS

[NLnet; SASL XMSS](https://nlnet.nl/project/SASL-XMSS)

## session expiration

[Short session expiration does not help security | Hacker News](https://news.ycombinator.com/item?id=37173339)
[Short session expiration does not help security](https://www.sjoerdlangkemper.nl/2023/08/16/session-timeout/)

## SMS MFA

[Am I right in believing that SMS MFA is still flawed and shouldn't ever be used?](https://old.reddit.com/r/cybersecurity/comments/15q7ndt/am_i_right_in_believing_that_sms_mfa_is_still/)

## the significance of privacy, trust, and encryption

[InternetWide.org // Rewriting the fragile future of the internet.](https://web.archive.org/web/20221201205001/http://internetwide.org)
[Encrypting private data and private communications is now an ethical duty | Hacker News](https://news.ycombinator.com/item?id=37913256)
[Encrypt. Now. - blog.tripu.info](https://blog.tripu.info/encrypt/)

## TPA

[Don't use third party auth to sign in | Hacker News](https://news.ycombinator.com/item?id=25091420)
[Never Use Google to Sign-In | Gurjeet Singh](https://gurjeet.singh.im/blog/never-use-google-to-sign-in)
[Microsoft no longer signs Windows drivers for Process Hacker | Hacker News](https://news.ycombinator.com/item?id=28975856)
[Microsoft no longer signs Windows drivers for Process Hacker | Born's Tech and Windows World](https://borncity.com/win/2021/10/23/microsoft-signiert-windows-treiber-fr-process-hacker-nicht-mehr/)
[Username ending with MIME type format is not allowed | Hacker News](https://news.ycombinator.com/item?id=28535298)
[Username ending with file extension is not allowed (#335278) · Issues · GitLab.org / GitLab · GitLab](https://gitlab.com/gitlab-org/gitlab/-/issues/335278)

## authentication and authorization

[GitHub - casbin/awesome-auth: Software and Libraries for Authentication & Authorization & SSO & IAM](https://github.com/casbin/awesome-auth)
[GitHub - warrant-dev/awesome-authorization: A curated list of information and resources about authorization.](https://github.com/warrant-dev/awesome-authorization)
[GitHub - gitcommitshow/awesome-authentication: Resources to learn and implement authentication in your application](https://github.com/gitcommitshow/awesome-authentication)
[Authentication vs Authorization - What's the Difference?](https://www.freecodecamp.org/news/whats-the-difference-between-authentication-and-authorisation)

## permissions

[What Are User Permissions? Concepts, Examples, and Maintenance | Frontegg](https://frontegg.com/blog/user-permission)
[Daniel Miessler](https://danielmiessler.com/study/unixlinux_permissions/) A Unix and Linux Permissions Primer

## 2FA

[How to bypass Sprint/T-Mobile 2FA in under 5 minutes | Hacker News](https://news.ycombinator.com/item?id=28279326)
[How to bypass Sprint/T-Mobile 2fa in under 5 minutes... : hacking](https://old.reddit.com/r/hacking/comments/kpeuj2/how_to_bypass_sprinttmobile_2fa_in_under_5_minutes/)
[Imgur: The magic of the Internet](https://imgur.com/a/Ya169u4/)
[Understanding the Three Factors of Authentication | Pearson IT Certification](https://www.pearsonitcertification.com/articles/article.aspx?p=1718488)

## 2FA - yubikey

[How to Yubikey | Hacker News](https://news.ycombinator.com/item?id=35091768)
[How to Yubikey: a configuration cheatsheet · debugging works! Code · Linux · Security](https://debugging.works/blog/yubikey-cheatsheet/)
[GitHub - nozaq/awesome-yubikey: Curated list of awesome Yubikey resources, open source projects, tools and tutorials.](https://github.com/nozaq/awesome-yubikey)
[How to Store an SSH Key on a Yubikey | Hacker News](https://news.ycombinator.com/item?id=31556130)
[How to Store an SSH Key on a Yubikey - Xe Iaso](https://xeiaso.net/blog/yubikey-ssh-key-storage/)

## authorization - macos

[Rich Trouton](https://derflounder.wordpress.com/2014/02/16/managing-the-authorization-database-in-os-x-mavericks/) (2014) Managing the Authorization Database in OS X Mavericks and probably for later versions too

## CA

[step-ca Certificate Authority](https://github.com/smallstep/certificates) build your own certificate authority (CA) using open source step-ca.

## CAPTCHA

[GitHub - ZYSzys/awesome-captcha: Curated list of awesome captcha libraries and crack tools.](https://github.com/ZYSzys/awesome-captcha)

## certificates

[Arun GP](https://myonlineusb.wordpress.com/2011/06/19/what-are-the-differences-between-pem-der-p7bpkcs7-pfxpkcs12-certificates/) (2011) differences between PEM, DER, P7B/PKCS#7, PFX/PKCS#12 certificates
[University of Wisconsin KB](https://kb.wisc.edu/middleware/page.php?id=4064) Verifying that a Private Key Matches a Certificate
[University of Wisconsin KB](https://kb.wisc.edu/middleware/page.php?id=4543) Verifying that a Certificate is issued by a CA
[Certificates and PKI](https://smallstep.com/blog/everything-pki.html) (2018) Everything you should know about certificates and PKI but are too afraid to ask

## certificates - SSL

[HTTPS on Stack Overflow](https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/) this is the story of a long journey regarding the implementation of SSL.
[Nick Craver Software Imagineering](https://nickcraver.com/) software developer and systems administrator for Stack Exchange.
[DigiCert](https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm) Using Multiple SSL Certificates in Apache with One IP Address
[SSL Shopper](https://www.sslshopper.com/special-ssl-certificate-types.html) Special Types of SSL Certificates

## certificates - SSL - OpenSSL

[If OpenSSL were a GUI | Hacker News](https://news.ycombinator.com/item?id=31697636)
[If OpenSSL were a GUI](https://smallstep.com/blog/if-openssl-were-a-gui/)
[Paul Heinlein](https://www.madboa.com/geek/openssl/) OpenSSL cookbook / command-line howto
[Nick Burch](http://gagravarr.org/writing/openssl-certs/others.shtml) howtos for installing other people's certificates
[Remy van Elst](https://raymii.org/s/tutorials/Encrypt_and_decrypt_files_to_public_keys_via_the_OpenSSL_Command_Line.html) Encrypt and decrypt files to public keys via the OpenSSL Command Line
[LinuxConfig](https://linuxconfig.org/using-openssl-to-encrypt-messages-and-files-on-linux) Using OpenSSL to encrypt messages and files on Linux
[Tom Dryer](http://tombuntu.com/index.php/2007/12/12/simple-file-encryption-with-openssl/) (2007) Simple File Encryption with OpenSSL
[OpenSSL Certificate Authority](https://jamielinux.com/docs/openssl-certificate-authority/) build your own certificate authority (CA) using the OpenSSL tools. OpenSSL Certificate Authority / a guide to demonstrate how to act as your own CA using OpenSSL

## certificates - SSL-TLS

[How's My SSL?](https://www.howsmyssl.com/) help a web server developer learn what real world TLS clients were capable of.
[A short guide on Squid transparent proxy & SSL bumping - DEV Community](https://dev.to/suntong/a-short-guide-on-squid-transparent-proxy-ssl-bumping-k5c)
[How do I verify that I have TLS/SSL connectivity to Duo's service?](https://help.duo.com/s/article/1336?language=en_US)
[Decipher](https://duo.com/decipher) security news that informs and inspires.
[Aptive](https://www.aptive.co.uk/blog/tls-ssl-security-testing/) guide for SSL / TLS penetration testing
[ZyTrax](http://www.zytrax.com/tech/survival/ssl.html) Survival guides - TLS/SSL and SSL (X.509) Certificates
[German Jaber](https://blog.talpor.com/2015/07/ssltls-certificates-beginners-tutorial/) (2015) SSL/TLS certificates beginner's tutorial
[SSL Research](https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices) SSL and TLS Deployment Best Practices by SSL Labs.

## identity and access management

[abhir9/awesome-identity-management: Awesome lists about Identity Management Solutions](https://github.com/abhir9/awesome-identity-management)
[GitHub - kdeldycke/awesome-iam: Identity and Access Management knowledge for cloud platforms](https://github.com/kdeldycke/awesome-iam)
[GitHub - posquit0/hugo-awesome-identity: Awesome Identity is a single-page Hugo theme to introduce yourself.](https://github.com/posquit0/hugo-awesome-identity)
[AWS Identity and Access Management (IAM) - Explained With an Analogy](https://www.freecodecamp.org/news/aws-iam-explained)
[AWS IAM Roles, a tale of unnecessary complexity | Hacker News](https://news.ycombinator.com/item?id=33566419)
[AWS IAM Roles, a tale of unnecessary complexity | infosec.rodeo](https://infosec.rodeo/posts/thoughts-on-aws-iam/)

## JSON web tokens

[What are JSON Web Tokens? JWT Auth Tutorial](https://www.freecodecamp.org/news/what-are-json-web-tokens-jwt-auth-tutorial)

## password and secrets manager

[Can you use a free password manager, or must you pay? @ AskWoody](https://www.askwoody.com/2024/can-you-use-a-free-password-manager-or-must-you-pay/)

## password authentication

[Non-interactive SSH password authentication | Hacker News](https://news.ycombinator.com/item?id=38762214)
[Non-interactive SSH password authentication](https://vincent.bernat.ch/en/blog/2023-sshpass-without-sshpass)