hannob (u/hannob) - Readit News

hannob commented on Rolling the dice with CSS random() webkit.org/blog/17285/rol... · Posted by u/zdw

hannob · 5 days ago

Having seen too many "this randomness function was never meant to be used for security, but people use it for security anyway" vulnerabilities in the past:

Can we PLEASEPLEASEPLEASE have this secure by default from the beginning?

hannob commented on Show HN: Anchor Relay – A faster, easier way to get Let's Encrypt certificates anchor.dev/relay... · Posted by u/geemus

benburkert · 9 days ago

It does not.

Anchor never see sees your private keys for certificates.

We hold an ACME account key on your behalf with the CA, but we cannot use it impersonate your domain or decrypt traffic.

We have a more technical overview of how this works in our docs: https://anchor.dev/docs/public-certs/acme-relay

hannob · 9 days ago

> We hold an ACME account key on your behalf with the CA, but we cannot use it impersonate your domain or decrypt traffic.

That makes no sense whatsoever. If you have an ACME account key for my domain, of course you can use it to impersonate my domain. You just need to create another certificate. (Which I could detect, but if I know how to do that, I'm probably not going to need your service anyway.)

hannob commented on OpenSSH Post-Quantum Cryptography openssh.com/pq.html... · Posted by u/throw0101d

pilif · 18 days ago

In light of the recent hilarious paper around the current state of quantum cryptography[1], how big is the need for the current pace of post quantum crypto adoption?

As far as I understand, the key material for any post quantum algorithm is much, much larger compared to non-quantum algorithms which leads to huge overheads in network traffic and of course CPU time.

[1]: https://eprint.iacr.org/2025/1237

hannob · 18 days ago

> As far as I understand, the key material for any post quantum algorithm is much, much larger compared to non-quantum algorithms

This is somewhat correct, but needs some nuance.

First, the problem is bigger with signatures, which is why nobody is happy with the current post quantum signature schemes and people are working on better pq signature schemes for the future. But signatures aren't an urgent issue, as there is no "decrypt later" scenario for signatures.

For encryption, the overhead exists, but it isn't too bad. We are already deploying pqcrypto, and nobody seems to have an issue with it. Use a current OpenSSH and you use mlkem. Use a current browser with a server using modern libraries and you also use mlkem. I haven't heard anyone complaining that the Internet got so much slower in recent years due to pqcrypto key exchanges.

Compared to the overall traffic we use commonly these days, the few extra kb during the handshake (everything else is not affected) doesn't matter much.

hannob commented on Solar power has begun to transform the world’s energy system newyorker.com/news/annals... · Posted by u/dmazin

pydry · 2 months ago

It'll probably be fulfilled in 3 stages

1) Gas peakers - where every kilowatt hour delivered by solar or wind is just a kilowatt hour of gas that would otherwise have been burned. We are generally still here - still burning gas while it's sunny and windy.

2) Pumped storage and batteries gets us to 98% carbon free grids with ~5 hours of storage with 90% roundtrip efficiency - https://reneweconomy.com.au/a-near-100-per-cent-renewables-g...

(98%/5 hours is for australia and will vary for different countries but probably not wildly).

3) Syngas fills in that last 2-5% with ~50% roundtrip efficiency. Every kilowatt hour used in those 5% times - those dark, windless nights will be quite expensive although, counterintuitively still cheaper than an every kilowatt hour generated by a nuclear power plant - https://theecologist.org/2016/feb/17/wind-power-windgas-chea...

3 and to some extent 2 will require natural gas to be prohibited or taxed heavily.

hannob · 2 months ago

> 3) Syngas fills in that last 2-5%

Just one note, I believe what you mean is some form of gas made from renewables, most likely hydrogen.

"Syngas" is a term that has a relatively specific meaning in the chemical industry, notably it is a gas mixture of mostly Carbon Monoxide and Hydrogen. I do not think that this is what you mean.

hannob commented on The original LZEXE (A.K.A. Kosinski) compressor source code has been released clownacy.wordpress.com/20... · Posted by u/elvis70

hannob · 2 months ago

That brings back some memories...

Back in the 90s, there was a whole scene around exe/com compression and protection tools. ("Protection" in the sense that people figured out if they compress their executables, that also mean you cannot simply modify strings in them any more, and that was expanded to all kinds of anti-debugging protection. However, it never lasted long until the next unpacker was able to break it.)

I never acquired the skills to write such tools myself, but I wrote a detection tool and ran a mailing list.

Or in other wors, in case you were around at that time: I'm the author of chkexe and ran the exe mailing list.

hannob commented on Germany and Italy pressed to bring $245B of gold home from US ft.com/content/e39390cc-e... · Posted by u/cempaka

SuperShibe · 2 months ago

The Germans in this article all appear to be aligned to either BSW (populist far-left, pro-Russia, anti-US) or AfD (populist far-right, pro-Russia). BSW wasn't even elected into the parliament and AfD, while being part of the parliament, has virtually no power due to not being part of the government coalition and all other parties sharing an informal agreement to not pass legislations with the help of AfD.

What I'm trying to say is that these two do not represent the German political landscape at all. They also, while on different ends of the left-right-spectrum, both only represent the pro-Russian minority of the German political landscape. This is not a debate happening in Germany right now and no other party has expressed support of any position.

hannob · 2 months ago

> The Germans in this article all appear to be aligned to either BSW (populist far-left, pro-Russia, anti-US)

Picturing BSW as far-left, while not uncommon, strikes me always as very strange. While it's a bit unclear where to put them with their wild mixture of populism, the only reason they are by some seen as leftwing is because of the history of their founder. She was previously a member of the left party, but for many years, even while she still was a member of that party, has not held any views that could count as far-left.

The only reason some still put her in the far-left camp is that she was, looooong ago, a member of the communist platform in the PDS, the predecessor of the left party in Germany.

hannob commented on Show HN: Nxtscape – an open-source agentic browser github.com/nxtscape/nxtsc... · Posted by u/felarof

hannob · 2 months ago

Okay, maybe this is a stupid question, but: what is an agentic browser? You seem to assume that everyone knows what that means.

Is this a common and well-defined term that people use? I've never heard it.

It would appear to me from the context that it means something like "web browser with AI stuff tackled on".

hannob commented on DNS4EU for Public Is Available joindns4.eu/for-public... · Posted by u/todsacerdoti

falcor84 · 3 months ago

> The official EU Public DNS Resolver is basic-level protection that everyone should have. It is important to note, however, that most organisations and individuals likely require enhanced protection.

I'm confused - what "enhanced protection" do most individuals require that they aren't providing?

hannob · 3 months ago

It's a company selling this "enhanced protection". You need it, because otherwise, they wouldn't make money.

The whole thing looks like a PR stunt for an Infosec product. Just that they somehow convinced the EU to fund it.

hannob commented on AI Responses May Include Mistakes os2museum.com/wp/ai-respo... · Posted by u/userbinator

hannob · 3 months ago

"AI Responses May Include Mistakes" is really the one, single most important thing I want to shout into the whole AI debate.

It also should be the central issue - together with the energy/climate impacts - in every debate about AI ethics or AI safety. It's those two things that will harm us most if this hype continues unchecked.

hannob commented on There Is No Diffie-Hellman but Elliptic Curve Diffie-Hellman keymaterial.net/2025/05/2... · Posted by u/todsacerdoti

looofooo0 · 3 months ago

sha-1 in git was just supposed to catch corruption, it was never intended to be used for security.

hannob · 3 months ago

This is a justification that was made up after Git came under increasing criticism for its poor choise of a hash function after the shattered attack. It was already known that SHA-1 is weak before Git was invented.

The problem is... it doesn't line up with the facts.

Git has been using SHA-1 hashes for signatures since very early on. It also has claims in its documentation about "cryptographic security". It does not rigorously define what "cryptographic security" means, but plausibly, it should mean using a secure hash function without known weaknesses.