mastodon.design is one of the many independent Mastodon servers you can use to participate in the fediverse.
A small instance for and by people who make things! We stand for an open, independent, sustainable, inclusive, and accessible web.


#domainnames

Replied in thread

@zbrando @morrick @ueeu You’re not wrong.

But, looking ahead, we can do so much better than the commercial domain name system.

Commercial domain names are a gold standard example of artificial scarcity. A domain name registrar costs next to nothing to operate. It’s tiny rows of text in a database. It could easily be free to own your own domain name – a huge part of what constitutes identity – on the Internet.

In fact, a non-commercial service has been operational for 24 years. It would be trivial to regulate that browsers in the EU implement support for it and work together with, say, @letsencrypt to ensure it can handle TLS.

That would be an amazing addition to the commons and a future-proof way forward that we could lead on with next to no investment.

Continued thread

@raphael New netart piece migration: evasive.tech costs now 100+€ per year. I can’t afford that! The new domain name is oo8.be/evasive.tech
It makes me sad, this project means a lot to me, plus I had printed press coverage of this project (Liberation), it has been exhibited several times, and I will have no way to redirect. It is insane how fragile everything is online. Host carefully, or learn not to let things go.
#domainnames #netart


Telephony + websites: spoofing risk

I have just published a piece about bank helpdesk fraud and other forms of online scams at security.nl/posting/874752/Tel (*).

My advice: in any case, look at the tall table at the bottom of that piece with names of fake websites targeting the Dutch-speaking market, and learn from it.

The possibilities for cybercriminals to vary "look-alike" domain names are almost endless. And this group of cybercriminals seems to limit itself to ".com" TLDs (Top Level Domains).

Incidentally, it is slightly harder to register a fake site with a ".nl" TLD than with, for example, ".com". More importantly, if that succeeds, ".nl" fake sites are often "taken down" after a few days. But you could be the one scammed in those few days.

(*) Should the editors of security.nl (with whom I have no relationship other than having had an account there for years) also remove this contribution of mine, an archived version (with 2 more typos in it) can be found at archive.is/7NjIC.

More info in the alt text of the image below.

I am going to let go the domain name snow-on-gpu.online because it is too expensive. I refuse to pay so much for an art piece and will reconsider buying domain names for new projects in the future. After some thought I think this is a form of fetishism that refers to nothing but an expensive supermarket of words.
Related subject post.lurk.org/@raphael/1134303
#netart #domainNames


EDIT: It is a .com domain, not .com.au

Domain name help please! A client of mine registered their .com.au domain with an obscure registrar who they can no longer contact via phone or email. They are in Malaysia, I think? Anyway, the domain is now expired and their emails are no longer working. How can they get their domain back from the registrar? How long do they need to wait until the old registrar releases the domain so she can register with someone local? #domainNames

If you're wanting to create your own website or online service, you will probably need to buy a domain name at some point. (Domain names are things like "wikipedia.org")

I've done a beginner's guide to domain names, specifically aimed at non-technical people who want to get started with making their own online things:

➡️ growyourown.services/a-beginne

If you have any questions, corrections or comments feel free to add them in the replies 🙂


Firefox on Android to steal more space from the address bar.

I never use the Home button (at the left, outside of the address bar). Why is it not in the menu behind ⋮ (where "Bookmarks" is hidden)?

And now I sometimes get to see *two* additional icons *within* the address bar.

That is, while the most relevant part (to the right, including the TLD) of overly long domain names is hidden by Firefox anyway.

I don't understand why such decisions are made.

The first two images below show a pointless domain name (probably used by a parking service for domain name washing), but you get the point.

In the third image I cannot see whether this is the real moenchengladbach.de website, or something like "moenchengladbach.de.whatever.pages.dev". This makes users of Firefox on Android more vulnerable to phishing.

See also infosec.exchange/@ErikvanStrat on why people get phished and how to fix (not only) this problem.

Opinions?

Replied in thread

W.r.t. password managers (pw mgrs):

1) Make sure that you *NEVER* forget your master password.

2) Make an *OFFLINE* backup of the (encrypted) pw database after each modification. For example, rotate between multiple USB storage media.

3) Use a pw mgr that can generate strong (random, long, unguessable) passwords. Use that functionality to generate a unique pw for each account.

LAST BUT NOT LEAST
4) At least on mobile devices, configure the OS and pw mgr to locate your credentials *automatically* based on the domain name of the website you're visiting (using "autofill", which lets the OS pass the domain name –as used by the browser– to the pw mgr).

EXAMPLE WHY
If you receive an email (with SPF, DKIM and DMARC all fine) from:

    whomever@circle-ci.com

that instructs you to revalidate your 2FA settings in, e.g.:

    https:⧸⧸circle-ci.com/revalidate

Then a properly configured pw mgr will not come up with ANYTHING - because the record is for (without the dash):

    https:⧸⧸circleci.com

The deja vu after the 2022 attack (github.blog/news-insights/comp), described in discuss.circleci.com/t/circlec, is still alive and kicking since March this year (see crt.sh/?q=circle-ci.com and virustotal.com/gui/domain/circ). The fake site even looks better than the original one (I don't know whether it is actually malicious, or will just warn users who attempt to log in).

NOTE: if your pw mgr does not find a matching record in the pw mgr database, do NOT manually locate the "circleci.com" record. If you do: do NOT autofill or copy/paste your credentials for https:⧸⧸circleci.com to https:⧸⧸circle-ci.com! Using those creds, the fake site may immediately log in to the authentic website AS YOU - pwning your account.

WHAT I'M USING
I'm using KeePassium on iOS and KeePassDX on Android; they work just fine (disclaimer: I'm not in any way related to their authors, and do not warrant their reliability).

@steelefortress


Recently Google wrote the following *nonsense*:

<<< Certification Authorities (CAs) serve a privileged and trusted role on the Internet that underpin encrypted connections between browsers and websites. With this tremendous responsibility blah blah blah >>> security.googleblog.com/2024/0

**NO**! CAs and certificates DO NOT underpin encrypted connections!

And it's tremendously IRRESPONSIBLE to let every internet user, given a domain name, somehow (typically impossible) figure out whether a given domain name does, or does NOT, belong to the party that they were made to believe it belongs to.

Back to CAs and certificates: it is a PLAIN LIE that a certificate is required to encrypt a connection. For example, WhatsApp and Signal don't need them for E2EE, and your WiFi at home (unfortunately) doesn't use a certificate.

And in TLSv1.3, the connection is encrypted FIRST, *then* the server sends their certificate to the browser (together with proof of possession of a private key, which is exclusively associated to a public key in the certificate).

In fact, since the use of "forward secrecy" [1] in https, server certificates exist ONLY to *AUTHENTICATE* servers.

Authenticating means providing proof of identity; the primary purpose of that process is to PREVENT IMPERSONATION. Which is step one, before step 2 (encryption), if you don't want exchanged data to fall into the wrong hands and/or to be maliciously manipulated.

However, a certificate that ONLY identifies a server by its (DNS) domain name (which is a world-wide unique *pseudonym* for an IP-address), such as (I inserted a space to prevent accidental opening):

 (1) info-bunq. cc

 (2) bunq-com.aiiaclient. com

 (3) verificatie-online-bunq-nl. com

makes it IMPOSSIBLE for internet users to distinguish between fake and real websites - in particular because FAKE webpages are usually indistinguishable from the ones on REAL websites.

Note: bunq is a European bank with a lot of recent phishing victims (search for 'bunq scam').

Phishing has become an ENORMOUS world wide problem, costing individuals and societies LOTS of money. Unfortunately, EVERYTHING about server certificates and the way browsers handle them, is extremely disappointing. It makes phishing "a piece of cake" - and will keep doing so if we let Google and other big tech continue to undermine user trust in the internet.

By the way, of the three "bunq" domain names that I mentioned, (1) and (3) are malicious (see resp. virustotal.com/gui/domain/info and virustotal.com/gui/domain/veri); (2), bunq-com.aiiaclient.com (currently unreachable), is NOT malicious.

Interestingly, (2) even has a QWAC, a "Qualified Website Authentication Certificate" (en.wikipedia.org/wiki/Qualifie). That certificate (for "bunq-com.aiiaclient.com") can be seen here: crt.sh/?id=12752024628&opt=ocs

IMO it is INCREDIBLY STUPID of both bunq and the certificate supplier, QuoVadis Trustlink B.V., to hand out a QWAC to a third party [2], notably one who uses stupid domain names.

Furthermore, why do QWACs not contain the full address details and, if available, the chamber of commerce (Dutch: KVK) registration number of an organization? And why do we get to see lots of gibberish if we inspect certificates - if that is possible at all? We're HUMANS, remember?

—————————————————————
We need and deserve a human-friendly and safer internet!
—————————————————————

More info about "why https instead of http" and certificates: infosec.exchange/@ErikvanStrat

[1] Published in 1976: en.wikipedia.org/wiki/Diffie%E

[2] See "yourname-com.aiiaclient.com" in developer.mastercard.com/open-

Cc: @agl , @Tarah , @ScottHelme , @dangoodin

#Google #GTS #Chrome
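The two rules the password-manager post and the certificate post above rely on, written out as an added example that is not code from any poster or project on this page: autofill only matches the exact registrable domain the browser reports (so "circle-ci.com" never yields the "circleci.com" record), and a brand name inside a host says nothing about who owns it (the "bunq" and "moenchengladbach.de" look-alikes). The `registrable_domain` helper and its tiny suffix set are assumptions standing in for the real Public Suffix List.

```python
"""Added example (not code from any post on this page): exact-domain
credential lookup, and flagging brand names embedded in look-alike hosts."""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real password
# manager ships the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "cc", "nl", "dev", "pages.dev", "co.uk"}

# Constructed sample vault: registrable domain -> username stored for it.
VAULT = {"circleci.com": "me@example.org", "bunq.nl": "me@example.org"}


def registrable_domain(host: str) -> str:
    """'app.circleci.com' -> 'circleci.com': the longest known public suffix
    plus the single label in front of it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i=0 is the whole host, so the first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:  # hit is the longest suffix
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {host}")


def autofill_candidates(url: str, vault=VAULT) -> list:
    """Credentials a domain-matching password manager would offer for `url`.
    Matching is on the registrable domain only: never 'looks similar',
    never 'contains the brand'."""
    host = urlsplit(url).hostname or ""
    try:
        rd = registrable_domain(host)
    except ValueError:
        return []
    return [vault[rd]] if rd in vault else []


def brand_in_host_but_not_owner(host: str, brand_domains) -> bool:
    """True when a brand's name occurs in the host while the registrable
    domain is not one the brand owns: the look-alike pattern behind
    'verificatie-online-bunq-nl.com' or 'moenchengladbach.de.whatever.pages.dev'.
    This flags a host for review; it does not prove the host is malicious."""
    if registrable_domain(host) in brand_domains:
        return False
    brands = {d.split(".")[0] for d in brand_domains}
    return any(b in host.lower() for b in brands)
```

The vault lookup deliberately has no fuzzy fallback: a manager that offered the nearest record for "circle-ci.com" would hand the phishing site exactly what the post warns against.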

It was 13 years ago when I registered fourtonfish.com, which I've used as my internet home for the following 11 years, before switching to stefanbohacek.com.

How did you pick the domain name for your personal website?

Like most web developers, I own a handful of #domainnames, and harbor a (likely unrealistic) belief I'll develop them into real sites one day

Received an offer for one of my best names that was just too much to pass up, so I'm in the process of selling it

Comes at the right time and should subsidize my "stupid domain name stash" cost for a few more years 😂

(FYI - before I get techbro mansplained to death, I have sold a domain name or two previously and know my way around the landscape...)