Feed aggregator

We are building the next DocuSign

Hacker News - Thu, 03/27/2025 - 4:51pm

Article URL: https://sgnly.com

Comments URL: https://news.ycombinator.com/item?id=43498031

Points: 1

# Comments: 0

Categories: Hacker News

New security requirements adopted by HTTPS certificate industry

Google Security Blog - Thu, 03/27/2025 - 4:49pm
Posted by Chrome Root Program, Chrome Security Team

The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe and how the program focuses on promoting technologies and practices that strengthen the underlying security assurances provided by Transport Layer Security (TLS). Many of these initiatives are described on our forward-looking, public roadmap named “Moving Forward, Together.”

At a high level, “Moving Forward, Together” is our vision of the future. It is non-normative and considered distinct from the requirements detailed in the Chrome Root Program Policy. It’s focused on themes that we feel are essential to further improving the Web PKI ecosystem going forward, complementing Chrome’s core principles of speed, security, stability, and simplicity. These themes include:

  • Encouraging modern infrastructures and agility
  • Focusing on simplicity
  • Promoting automation
  • Reducing mis-issuance
  • Increasing accountability and ecosystem integrity
  • Streamlining and improving domain validation practices
  • Preparing for a "post-quantum" world

Earlier this month, two “Moving Forward, Together” initiatives became required practices in the CA/Browser Forum Baseline Requirements (BRs). The CA/Browser Forum is a cross-industry group that works together to develop minimum requirements for TLS certificates. Ultimately, these new initiatives represent an improvement to the security and agility of every TLS connection relied upon by Chrome users.

If you’re unfamiliar with HTTPS and certificates, see the “Introduction” of this blog post for a high-level overview.

Multi-Perspective Issuance Corroboration

Before issuing a certificate to a website, a Certification Authority (CA) must verify that the requestor legitimately controls the domain whose name will be represented in the certificate. This process is referred to as "domain control validation" and there are several well-defined methods that can be used. For example, a CA can specify a random value to be placed on a website, and then perform a check to verify that the certificate requestor has published that value.

Despite the existing domain control validation requirements defined by the CA/Browser Forum, peer-reviewed research authored by the Center for Information Technology Policy (CITP) of Princeton University and others highlighted the risk of Border Gateway Protocol (BGP) attacks and prefix hijacking resulting in fraudulently issued certificates. This risk was not merely theoretical: attackers were shown to have successfully exploited this weakness on numerous occasions, with just one of these attacks resulting in approximately $2 million of direct losses.

Multi-Perspective Issuance Corroboration (referred to as "MPIC") enhances existing domain control validation methods by reducing the likelihood that routing attacks can result in fraudulently issued certificates. Rather than performing domain control validation and authorization from a single geographic or routing vantage point, which an adversary could influence as demonstrated by security researchers, MPIC implementations perform the same validation from multiple geographic locations and/or Internet Service Providers. This has been observed as an effective countermeasure against ethically conducted, real-world BGP hijacks.
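The corroboration logic described above, as an added example that is not part of the Google post or of any CA's implementation. It models each network perspective as an injected lookup callable so it runs offline; the domain, token values, perspective names and the `max_failures` policy knob are all constructed assumptions, and the real quorum rules are those in the Baseline Requirements, not this snippet. The scenarios show why a single vantage point is insufficient: a requestor who can hijack the CA's route to the domain serves the CA's own challenge token from the hijacked perspective, so one perspective corroborates, while the remaining honest perspectives see nothing and the quorum fails.

```python
"""Simulated Multi-Perspective Issuance Corroboration (MPIC) quorum check."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

Lookup = Callable[[str], Optional[str]]  # domain -> token observed from that vantage point

DOMAIN = "example.test"            # constructed sample domain
CA_TOKEN = "ca-challenge-7f3a9c"   # constructed random value the CA asked the requestor to publish

PERSPECTIVES = ("primary-us", "remote-eu", "remote-apac", "remote-sa", "remote-af")  # assumed names


@dataclass(frozen=True)
class PerspectiveResult:
    perspective: str
    observed: Optional[str]
    corroborates: bool


@dataclass(frozen=True)
class CorroborationOutcome:
    validated: bool
    results: List[PerspectiveResult]

    def failed_perspectives(self) -> List[str]:
        return [r.perspective for r in self.results if not r.corroborates]


def corroborate(domain: str, expected_token: str, perspectives: Dict[str, Lookup],
                max_failures: int = 1) -> CorroborationOutcome:
    """Query every perspective; succeed only if at most `max_failures` of them
    fail to observe `expected_token`. A lookup error counts as a failure just
    like a wrong value, so blocking a vantage point does not help an attacker.
    `max_failures` is an illustrative policy parameter (assumption)."""
    results: List[PerspectiveResult] = []
    for name, lookup in perspectives.items():
        try:
            observed = lookup(domain)
        except Exception:          # timeout, DNS error, etc. from that vantage point
            observed = None
        results.append(PerspectiveResult(name, observed, observed == expected_token))
    failures = sum(1 for r in results if not r.corroborates)
    return CorroborationOutcome(bool(results) and failures <= max_failures, results)


def make_network(owner_published: bool,
                 hijacked: FrozenSet[str] = frozenset(),
                 broken: FrozenSet[str] = frozenset()) -> Dict[str, Lookup]:
    """Constructed network model: honest perspectives see CA_TOKEN only if the
    real domain owner published it; hijacked perspectives are routed to the
    attacker, who (as the requestor) knows CA_TOKEN and serves it; broken
    perspectives raise a transient error."""
    def lookup_for(name: str) -> Lookup:
        def lookup(domain: str) -> Optional[str]:
            if name in broken:
                raise ConnectionError(f"{name}: timeout")
            if domain != DOMAIN:
                return None
            if name in hijacked:
                return CA_TOKEN
            return CA_TOKEN if owner_published else None
        return lookup
    return {name: lookup_for(name) for name in PERSPECTIVES}


def scenarios() -> Dict[str, bool]:
    """Validation outcome under four constructed conditions."""
    legit = corroborate(DOMAIN, CA_TOKEN, make_network(owner_published=True))
    # Pre-MPIC model: only the primary vantage point is consulted, and it is hijacked.
    single_view = {"primary-us": make_network(False, hijacked=frozenset({"primary-us"}))["primary-us"]}
    single_hijacked = corroborate(DOMAIN, CA_TOKEN, single_view, max_failures=0)
    # MPIC: same hijack of the primary, but four honest perspectives see nothing.
    mpic_hijacked = corroborate(DOMAIN, CA_TOKEN,
                                make_network(False, hijacked=frozenset({"primary-us"})))
    # Legitimate request where one remote perspective times out.
    transient = corroborate(DOMAIN, CA_TOKEN,
                            make_network(True, broken=frozenset({"remote-apac"})))
    return {
        "legitimate": legit.validated,
        "single_perspective_hijacked": single_hijacked.validated,
        "mpic_hijacked_primary": mpic_hijacked.validated,
        "transient_error_tolerated": transient.validated,
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:32s} validated={ok}")
```

The `mpic_hijacked_primary` outcome is the point of the exercise: the hijacked perspective still corroborates, but four of five do not, which exceeds the allowed failures and blocks issuance. The transient-error scenario shows the other side of the policy knob: tolerating a small number of failures keeps ordinary network flakiness from turning every validation into a hard failure.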

The Chrome Root Program led a work team of ecosystem participants, which culminated in a CA/Browser Forum Ballot to require adoption of MPIC via Ballot SC-067. The ballot received unanimous support from organizations who participated in voting. Beginning March 15, 2025, CAs issuing publicly-trusted certificates must now rely on MPIC as part of their certificate issuance process. Some of these CAs are relying on the Open MPIC Project to ensure their implementations are robust and consistent with ecosystem expectations.

We’d especially like to thank Henry Birge-Lee, Grace Cimaszewski, Liang Wang, Cyrill Krähenbühl, Mihir Kshirsagar, Prateek Mittal, Jennifer Rexford, and others from Princeton University for their sustained efforts in promoting meaningful web security improvements and ongoing partnership.

Linting

Linting refers to the automated process of analyzing X.509 certificates to detect and prevent errors, inconsistencies, and non-compliance with requirements and industry standards. Linting ensures certificates are well-formatted and include the necessary data for their intended use, such as website authentication.

Linting can expose the use of weak or obsolete cryptographic algorithms and other known insecure practices, improving overall security. Linting improves interoperability and helps CAs reduce the risk of non-compliance with industry standards (e.g., CA/Browser Forum TLS Baseline Requirements). Non-compliance can result in certificates being "mis-issued". Detecting these issues before a certificate is in use by a site operator reduces the negative impact associated with having to correct a mis-issued certificate.

There are numerous open-source linting projects in existence (e.g., certlint, pkilint, x509lint, and zlint), in addition to numerous custom linting projects maintained by members of the Web PKI ecosystem. “Meta” linters, like pkimetal, combine multiple linting tools into a single solution, offering simplicity and significant performance improvements to implementers compared to implementing multiple standalone linting solutions.
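The kind of check a certificate linter performs, as an added example that is not code from the Google post or from certlint, pkilint, x509lint, zlint or pkimetal. Real linters parse DER with a full X.509 implementation; to stay self-contained this one lints a simplified record of the fields the rules need, and the `CertProfile` fields, rule names and sample profiles are constructed. The rules are simplified renderings of well-known Baseline Requirements for subscriber TLS certificates (no SHA-1 signatures, RSA keys of at least 2048 bits, validity of at most 398 days, a subjectAltName extension, serial numbers with at least 64 bits of entropy, and id-kp-serverAuth in the EKU) and are not a substitute for a maintained linter.

```python
"""Miniature X.509 linter over a simplified certificate record."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional


@dataclass
class CertProfile:
    subject_cn: Optional[str]
    sans: List[str]
    signature_algorithm: str        # e.g. "sha256WithRSAEncryption"
    key_type: str                   # "RSA" or "EC"
    key_bits: int                   # modulus size or curve size
    not_before: datetime
    not_after: datetime
    serial: int
    extended_key_usage: List[str]   # e.g. ["serverAuth", "clientAuth"]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # "error" blocks issuance, "warn" is advisory
    detail: str


Rule = Callable[[CertProfile], Optional[Finding]]


def rule_no_sha1(c: CertProfile) -> Optional[Finding]:
    if "sha1" in c.signature_algorithm.lower():
        return Finding("e_sha1_signature", "error",
                       f"signature algorithm {c.signature_algorithm} is prohibited")
    return None


def rule_key_strength(c: CertProfile) -> Optional[Finding]:
    if c.key_type == "RSA" and c.key_bits < 2048:
        return Finding("e_rsa_key_too_small", "error",
                       f"RSA key is {c.key_bits} bits; minimum is 2048")
    if c.key_type == "EC" and c.key_bits not in (256, 384, 521):
        return Finding("e_ec_curve_not_allowed", "error",
                       f"EC curve size {c.key_bits} is not P-256, P-384 or P-521")
    return None


def rule_validity(c: CertProfile) -> Optional[Finding]:
    days = (c.not_after - c.not_before).days
    if days > 398:
        return Finding("e_validity_too_long", "error", f"validity is {days} days; maximum is 398")
    return None


def rule_san(c: CertProfile) -> Optional[Finding]:
    if not c.sans:
        return Finding("e_missing_san", "error", "subjectAltName extension is required")
    if c.subject_cn and c.subject_cn not in c.sans:
        return Finding("e_cn_not_in_san", "error", f"CN {c.subject_cn} is not listed in SAN")
    return None


def rule_serial(c: CertProfile) -> Optional[Finding]:
    if c.serial <= 0:
        return Finding("e_serial_not_positive", "error", "serial number must be positive")
    if c.serial.bit_length() < 64:   # heuristic for "at least 64 bits of CSPRNG output"
        return Finding("e_serial_entropy", "error", "serial number is too short to carry 64 bits of entropy")
    return None


def rule_eku(c: CertProfile) -> Optional[Finding]:
    if "serverAuth" not in c.extended_key_usage:
        return Finding("e_missing_serverauth", "error", "EKU must include id-kp-serverAuth")
    return None


def rule_cn_deprecated(c: CertProfile) -> Optional[Finding]:
    if c.subject_cn:
        return Finding("w_subject_cn_deprecated", "warn", "subject CN is deprecated; rely on SAN")
    return None


RULES: List[Rule] = [rule_no_sha1, rule_key_strength, rule_validity, rule_san,
                     rule_serial, rule_eku, rule_cn_deprecated]


def lint(c: CertProfile) -> List[Finding]:
    return [f for f in (rule(c) for rule in RULES) if f is not None]


def may_issue(c: CertProfile) -> bool:
    """Pre-issuance gate: any error-level finding blocks issuance."""
    return not any(f.severity == "error" for f in lint(c))


_T0 = datetime(2025, 3, 15, tzinfo=timezone.utc)   # constructed issuance date


def weak_profile() -> CertProfile:   # constructed: violates several requirements at once
    return CertProfile("www.example.test", [], "sha1WithRSAEncryption", "RSA", 1024,
                       _T0, _T0 + timedelta(days=825), 12345, ["clientAuth"])


def compliant_profile() -> CertProfile:   # constructed: passes every error-level rule
    return CertProfile("www.example.test", ["www.example.test", "example.test"],
                       "sha256WithRSAEncryption", "RSA", 2048, _T0, _T0 + timedelta(days=397),
                       0x2F8A1C7E5B3D946012, ["serverAuth", "clientAuth"])


if __name__ == "__main__":
    for profile in (weak_profile(), compliant_profile()):
        print("may issue:", may_issue(profile))
        for f in lint(profile):
            print(f"  [{f.severity}] {f.rule}: {f.detail}")
```

Running the gate before issuance, rather than after a certificate is already deployed, is what lets a CA correct a problem quietly instead of revoking and replacing a live certificate.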

Last spring, the Chrome Root Program led ecosystem-wide experiments, emphasizing the need for linting adoption due to the discovery of widespread certificate mis-issuance. We later participated in drafting CA/Browser Forum Ballot SC-075 to require adoption of certificate linting. The ballot received unanimous support from organizations who participated in voting. Beginning March 15, 2025, CAs issuing publicly-trusted certificates must now rely on linting as part of their certificate issuance process.

What’s next?

We recently landed an updated version of the Chrome Root Program Policy that further aligns with the goals outlined in “Moving Forward, Together.” The Chrome Root Program remains committed to proactive advancement of the Web PKI. This commitment was recently realized in practice through our proposal to sunset demonstrated weak domain control validation methods permitted by the CA/Browser Forum TLS Baseline Requirements. The weak validation methods in question are now prohibited beginning July 15, 2025.

It’s essential we all work together to continually improve the Web PKI, and reduce the opportunities for risk and abuse before measurable harm can be realized. We continue to value collaboration with web security professionals and the members of the CA/Browser Forum to realize a safer Internet. Looking forward, we’re excited to explore a reimagined Web PKI and Chrome Root Program with even stronger security assurances for the web as we navigate the transition to post-quantum cryptography. We’ll have more to say about quantum-resistant PKI later this year.

Categories: Google Security Blog

Instagram Launching Ability to Play Reels at 2X Speed

CNET Feed - Thu, 03/27/2025 - 4:44pm
It's not working for everyone yet, but a company spokesperson says all subscribers should have access Thursday.
Categories: CNET

Mystery of the Blend

Hacker News - Thu, 03/27/2025 - 4:37pm
Categories: Hacker News

Examining Liquidity and Market Trends: A Reverse Repo and S&P 500 Analysis

Hacker News - Thu, 03/27/2025 - 4:29pm

I examined the correlation between the Federal Reserve's Reverse Repo Operations, which held as much as $2,300,000,000,000 in cash overnight for a small handful of institutions, and, on the other hand, the S&P 500 index.

Correlation does not mean causation. Nonetheless, we can't rule out that the handful of institutions put $2,300,000,000,000 in cash into the Reverse Repo Operations before slowly placing it in the S&P 500, except for when the bond and treasury markets gave favorable interest rates.

I believe that the two entities likely had a coincidence that either strongly moved together or in opposite directions for months at a time, and these charts are likely meaningless. I would love to get some feedback and recommendations on how to improve this analysis.

https://github.com/adam-s/reverse_repo_corr/blob/main/reverse.ipynb

Comments URL: https://news.ycombinator.com/item?id=43497808

Points: 1

# Comments: 0

Categories: Hacker News

Show HN: Dish: A lightweight HTTP and TCP socket monitoring tool written in Go

Hacker News - Thu, 03/27/2025 - 4:27pm

dish is a lightweight, zero-dependency monitoring tool in the form of a small binary executable. Upon execution, it checks the provided sockets (which can be provided in a JSON file or served by a remote JSON API endpoint). The results of the check are then reported to the configured channels.

It started as a learning project and ended up proving quite handy. My friend and I have been using it to monitor our services for the last 3 years.

We have refactored the codebase to be a bit more presentable recently and thought we'd share on here!

The currently supported channels include:

- Telegram
- Pushgateway for Prometheus
- Webhooks
- Custom API endpoint

https://github.com/thevxn/dish

Comments URL: https://news.ycombinator.com/item?id=43497792

Points: 4

# Comments: 0

Categories: Hacker News
