Dirk

@Dirk@lemmy.ml

🏠 Hamburg, Germany
🚃 Daily Commuter
🐧 Linux User
🎮 Part-time Gamer
💻 Hobbyist Coder
🔗 0x7be.de

🇬🇧 / 🇩🇪


Dirk,

the lemmy.world guy had to upgrade servers at least twice during the boom

It’s their fault, though. You could either throw money at it to gain more and more power over users, or you embrace the federation and disable new registration at a certain amount of users.

Dirk,

That is a vulnerability, albeit a small one.

“Small one” is very wrong here. This is by far the largest gaping security hole in the whole specification.

Dirk,

I use selfhost.de (they register domains via united-domains for you), who specialize in self-hosting in Germany and offer a wide variety of options for connecting a domain using dynamic DNS.

Dirk,

It’s literally the first in the list of meanings.

Why’s it called Lemmy?

  • Lead singer from Motörhead.
  • The old school video game.
  • The Koopa from Super Mario.
  • The furry rodents.

github.com/LemmyNet/lemmy/tree/main#whys-it-calle…

Dirk,

You can hide bot accounts in the settings.

Dirk,

Exactly. If they’re bots but not registered as such, just report them.

Dirk,

It can even be found in unborn babies!

Dirk,

DuckDuckGo clearly censors results based on IP.

Dirk,

That’s the good thing with federation. You can participate in communities without visiting the instance even once.

Dirk,

Also, strict CSP would prevent it entirely.

Dirk,

Another reason to block this TLD in the firewall solution.

Dirk,

To prevent execution of scripts not referenced with the correct nonce:

    script-src 'self' 'nonce-$RANDOM'

To make it super strict, this set could be used:

    default-src 'self';
    script-src 'nonce-$RANDOM';
    object-src 'none';
    base-uri 'none';
    form-action 'none';
    frame-ancestors 'none';
    frame-src 'none';
    require-trusted-types-for 'script'

Especially the last one might cause the most work, because the “modern web development environment” simply cannot provide this. Also: form-action 'none'; should be validated. It should be set to 'self' if forms are actually used to send data to the server and are not handled by JavaScript.

The MDN has a good overview: developer.mozilla.org/…/Content-Security-Policy
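As an added illustration (not Dirk's code, nor Lemmy's), a small Python sketch of how a server would apply the policy from the comment above on every response: generate a fresh nonce, emit the header, stamp the nonce onto the scripts the page legitimately ships, and audit which script tags a browser would refuse. The template, route and file names are hypothetical.

```python
import re
import secrets

_SCRIPT_OPEN = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)

def new_nonce() -> str:
    # 128 bits from the OS CSPRNG, base64url; a fresh value for every response
    return secrets.token_urlsafe(16)

def build_csp(nonce: str, forms_post_to_server: bool = False) -> str:
    """Strict policy from the comment above, with the form-action caveat applied."""
    form_action = "'self'" if forms_post_to_server else "'none'"
    directives = [
        "default-src 'self'",
        f"script-src 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'none'",
        f"form-action {form_action}",
        "frame-ancestors 'none'",
        "frame-src 'none'",
        "require-trusted-types-for 'script'",
    ]
    return "; ".join(directives)

def nonce_scripts(template: str, nonce: str) -> str:
    """Stamp the nonce onto every <script> tag of a template the server controls."""
    def stamp(m: re.Match) -> str:
        attrs = re.sub(r'\s*nonce="[^"]*"', "", m.group(1))  # drop any stale nonce
        return f'<script nonce="{nonce}"{attrs}>'
    return _SCRIPT_OPEN.sub(stamp, template)

def blocked_scripts(html: str, nonce: str) -> list:
    """Audit: <script> tags a browser will refuse to run under build_csp(nonce)."""
    return [m.group(0) for m in _SCRIPT_OPEN.finditer(html)
            if f'nonce="{nonce}"' not in m.group(1)]

# Constructed template (hypothetical app) with one trusted script and a slot
# where user-supplied content is inserted unescaped to simulate an XSS bug.
TEMPLATE = '<html><body><script src="/app.js"></script><div>{content}</div></body></html>'

def render(user_content: str, forms_post_to_server: bool = False):
    """Return (CSP header value, HTML body, nonce) for one response."""
    nonce = new_nonce()
    page = nonce_scripts(TEMPLATE, nonce).replace("{content}", user_content)
    return build_csp(nonce, forms_post_to_server), page, nonce

if __name__ == "__main__":
    header, body, nonce = render('<script>alert(1)</script>')
    print("Content-Security-Policy:", header)
    print("blocked:", blocked_scripts(body, nonce))  # only the injected script
```

The trusted `/app.js` tag carries the nonce and runs; the injected inline script has none, so the browser drops it even though the server failed to escape the content.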

Dirk,

They can and they do. Using a commonly known and used file extension to “hide” a malicious URL is just easier.

www.youtube.com/watch?v=GCVJsz7EODA

Dirk,

Because .zip is a commonly used file extension.

Dirk,

But in general, threat actors hope to confuse people into thinking these “.zip” TLDs are only referencing local files instead of web addresses. Right?

Exactly!
