Filippo Valsorda
@filippo.abyssdomain.expert
23K followers 500 following 1.8K posts
RC F'13, F2'17
Cryptogopher / Go cryptography maintainer
Professional open source maintainer
https://filippo.io / https://github.com/FiloSottile
https://mkcert.dev / https://age-encryption.org
https://sunlight.dev / https://filippo.io/newsletter
Reposted by Filippo Valsorda
lizthegrey.com
if the moderators were not applying discretion here a bunch of y'all who are yelling at and harassing Jay would be permanently gone.

the issue with people being struck for ridiculing Kirk's death was not a trans specific thing, so let's not pretend it was.
filippo.abyssdomain.expert
Sorry I wasn’t sure who owns frontend now! Yeah I think Mike already has an idea of how to implement it and just wants a nod that a PR would be welcome.
filippo.abyssdomain.expert
Hey @pfrazee.com is this something you’d merge if they submitted a PR? CourtListener previews would be nice!
Reposted by Filippo Valsorda
samwho.dev
I so want this to succeed. You’re telling me I can create an app and the whole persistence layer is owned by the user, and creates this immutable web of data that can be riffed on by other apps even when the original app is gone?

I need to carve time out to build something in the atmosphere.
danabra.mov
i wrote down the process of resolving an at:// URI step by step. turns out, it's a great way to learn how the AT protocol works!
Where It's at:// — overreacted
From handles to hosting.
overreacted.io
filippo.abyssdomain.expert
Which ones that are not already listed?
filippo.abyssdomain.expert
Trusted Publishing, which is a fancy name for OIDC from the CI identity.
filippo.abyssdomain.expert
No, it is generally very hard to extract a passkey, and it's not a bearer token. (You should not use a passkey authenticator that makes it easy for an attacker to extract the secret.)
filippo.abyssdomain.expert
That's the point of the survey I am writing yeah ^^

It's actually phishing-resistant auth, no more long-lived credentials, and read-only CI. All very doable.
filippo.abyssdomain.expert
Here are the 2024/2025 supply chain compromises I found.

XZ Utils
Shai-Hulud
Nx s1ngularity
npm debug/chalk/color
polyfill[.]io
MavenGate
eslint-config-prettier
[@]solana/web3.js
rustfoundation[.]dev
React Native ARIA & gluestack-ui
lottie-player
rand-user-agent

Am I missing any?
filippo.abyssdomain.expert
Just upgraded my Cert Spotter subscription to monitor Certificate Transparency for all Geomys domains. Your business probably should, too!

It's good to know we'll get notified if any CA is compromised and/or mis-issues a certificate, but also funding @agwa.name's work benefits all the WebPKI.
Cert Spotter - Certificate Transparency Monitor - Detect Security and Availability Problems
sslmate.com
filippo.abyssdomain.expert
Thank you! I have a narrower definition of compromise, I am interested in attacks that gain access to previously honest dependencies, but there was at least one in that list I didn't have yet.
filippo.abyssdomain.expert
I am doing a survey of supply chain attacks, and it's annoying how 95% of the analysis is on payloads vs. compromise vectors.

Yes, you are a very smart reverser and that's a very clever payload. Yes, rolling out phishing-resistant auth is a slog. No, this is not how we make progress.

</rant>
filippo.abyssdomain.expert
I just had someone ask me who’s my employer because they were not getting their way.

Not their lucky day.
Reposted by Filippo Valsorda
mikespecter.com
Today, my research group @ Georgia Tech released a paper on vulnerabilities in Tile --- the second largest device finding network after Apple's AirTags.

You can read about it in Wired, reporting by @kimzetter.bsky.social!
www.wired.com/story/tile-t...
filippo.abyssdomain.expert
This might have been one of my most niche PSAs, but there is a high-level takeaway!

I am working on a Geomys standard of care, and I want it to include having no persistent long-lived credentials for the repos we maintain.

Dogfooding it before I bring it to other Geomys maintainers.
filippo.abyssdomain.expert
Anyway, these commands should replace ~/.gitcookies.

brew install git-credential-oauth
git config --add credential.helper ""
git config --add credential.helper "cache --timeout 21600"
git config --add credential.helper oauth

You can revoke the old ones at myaccount.google.com/connections?....
filippo.abyssdomain.expert
> register a websocket from daemon to server

As in, open a random available port, send it to the server, then the server tells the web page to use that port?
filippo.abyssdomain.expert
What's the modern answer to handing off information from a web page to a local daemon?

Binding to a fixed localhost port risks port conflicts. Custom protocol handlers look like a massive pain on Linux.

This is for an OAuth flow, so I guess a fixed localhost port lets me avoid a jump off a domain.
filippo.abyssdomain.expert
Eeeeh the more time goes on the less I agree.

Compressed or uncompressed point encoding, DSA or Schnorr, and randomized/deterministic/hedged are all orthogonal to the underlying curve.

The one thing that isn't is the cofactor, and P curves are delightfully of prime order.
filippo.abyssdomain.expert
Also, decompressing effectively forces point validation, which is otherwise a security load-bearing, forgettable extra step.
filippo.abyssdomain.expert
What’s wrong with pseudonyms? Of all fields, cryptography has definitely seen contributions from pseudonymous people.
filippo.abyssdomain.expert
Hah. Now I’m imagining @crawshaw.io hacking on sketch on the tiny copilot seat of a Piper Archer.