• 0 Posts
  • 87 Comments
Joined 4 months ago
cake
Cake day: June 23rd, 2024

help-circle

  • I worked in software certification under Common Criteria, and while I do know that it creates a lot of work, there were cases where security has been improved measurably - in the hardware department, it even happened that a developer / manufacturer had a breach that affected almost the whole company really badly (design files etc stolen by a probably state sponsored attacker), but not the CC certified part because the attackers used a vector of attack that was caught there and rectified.

    It seemingly was not fixed everywhere for whatever reason… but it’s not that CC certification is just some academic exercise that gives you nothing but a lot of work.

    Is it the right approach for every product? Probably not because of the huge overhead power certified version. But for important pillars of a security model, it makes sense in my opinion.

    Though it needs to be said that the scheme under which I certified is very thorough and strict, so YMMV.













  • I was also with a provider that didn’t offer API access for the longest time. When they then increased prices, I switched, now paying a third of their asking price per year at a very good provider.

    I guess migrating is difficult if the provider doesn’t offer a mechanism to either dump the DNS to a file or perform a zone transfer (the later being part of the standard).

    Can only recommend INWX for domains, though my personal requirements aren’t the highest.




  • Also wildcard certificates are more difficult to do automated with let’s encrypt.

    They are trivial with a non-garbage domain provider.

    If you want EV certificates (where the cert company actually calls you up and verifies you’re the company you claim to be) you also need to go the paid route

    The process however isn’t as secure as one might think: https://cyberscoop.com/easy-fake-extended-validation-certificates-research-shows/

    In my experience trustworthyness of certs is not an issue with LE. I sometimes check websites certs and of I see they’re LE I’m more like “Good for them”

    Basically, am LE cert says “we were able to verify that the operator of this service you’re attempting to use controls (parts of) the domain it claims to be part of”. Nothing more or less. Which in most cases is enough so that you can secure the connection. It’s possibly even a stronger guarantee than some sketchy cert providers provided in the past which was like “we were able to verify that someone sent us money”.



  • I, a systems guy, have a better time learning go than nix packages.

    Go is a simple and elegant imperative language (that does come with its downsides); Nix the DSL is a functional language which requires a different way of thinking. Systems usually are operated imperatively, so it’s normal that you’d find it easier.

    It’s not an easy language at all and one might ask if another one wouldn’t do the job better, which is what Guix System kind of explores, but its (nix) design goals make a lot of sense.