Aroma: Every TCP Proxy Is Detectable with RTT Fingerprinting

https://github.com/Sakura-sx/Aroma

#HackerNews #Aroma #TCP #Proxy #RTT #Fingerprinting #Network #Security #Cybersecurity

Kubernetes Egress Control with Squid Proxy

https://interlaye.red/kubernetes_002degress_002dsquid.html

#HackerNews #Kubernetes #Egress #Control #with #Squid #Proxy #kubernetes #egress #squid #proxy #cloudnative #devops #networking

Today I learned… if you are doing something naughty in JavaScript* (and let’s face it, of course you are) that TypeScript’s type checker is giving you an error for and you – being you – want to keep being naughty (because you can and that’s half the fun), there’s a better way to silence the error than using @ts-ignore which, umm, just ignores it.

Instead, you can use @ts-expect-error (with the error message, to remind yourself what you’re expecting).

This way, if the error ever goes away (which would likely signal… uh… an error), you will be notified.

So, yeah, how’s your morning going?

* Like returning a proxy from a constructor instead of an instance of the class itself.

#JavaScript #TypeScript #typeChecking #proxy #tsIgnore #tsExpectError

Today I learned… if you are doing something naughty in JavaScript* (and let’s face it, of course you are) that TypeScript’s type checker is giving you an error for and you – being you – want to keep being naughty (because you can and that’s half the fun), there’s a better way to silence the error than using @ts-ignore which, umm, just ignores it.

Instead, you can use @ts-expect-error (with the error message, to remind yourself what you’re expecting).

This way, if the error ever goes away (which would likely signal… uh… an error), you will be notified.

So, yeah, how’s your morning going?

* Like returning a proxy from a constructor instead of an instance of the class itself.

#JavaScript #TypeScript #typeChecking #proxy #tsIgnore #tsExpectError

Don’t let MFA lull you into complacency. Advanced phishing kits can still slip through.

Before the Thanksgiving holiday, one of our customers alerted us to an Evilginx MITM phishing campaign targeting university students and SSO portals. At least 18 American institutions were targeted.

We tested several approaches for large-scale detection, including analyzing web server fingerprints and HTTP artifacts. However, this proved challenging because Evilginx operates as a proxy between the victim’s browser and the legitimate login page, making its behavior and content nearly indistinguishable from the real site. In the end, we mostly relied on DNS for confirmation and classification.

Here is a short blog about the campaign and actor, including involved domains and IPs.

https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/

#InfobloxThreatIntel #dns #evilginx #threatintel #threatintelligence #infosec #cybersecurity #cybercrime #infoblox #phishing #mitm #aitm #sso #mfa #university #students #proxy #login

Don’t let MFA lull you into complacency. Advanced phishing kits can still slip through.

Before the Thanksgiving holiday, one of our customers alerted us to an Evilginx MITM phishing campaign targeting university students and SSO portals. At least 18 American institutions were targeted.

We tested several approaches for large-scale detection, including analyzing web server fingerprints and HTTP artifacts. However, this proved challenging because Evilginx operates as a proxy between the victim’s browser and the legitimate login page, making its behavior and content nearly indistinguishable from the real site. In the end, we mostly relied on DNS for confirmation and classification.

Here is a short blog about the campaign and actor, including involved domains and IPs.

https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/

#InfobloxThreatIntel #dns #evilginx #threatintel #threatintelligence #infosec #cybersecurity #cybercrime #infoblox #phishing #mitm #aitm #sso #mfa #university #students #proxy #login

Mullvad: Shutting down our search proxy Leta

https://mullvad.net/en/blog/shutting-down-our-search-proxy-leta

#HackerNews #Mullvad #Shutting #Down #Leta #Proxy #Privacy #Security #VPN #Technology

Oxy is Cloudflare's Rust-based next generation proxy framework

https://blog.cloudflare.com/introducing-oxy/

#HackerNews #Oxy #Cloudflare #Rust #Proxy #Framework #Next #Generation

Imagine I have a couple VPNs+NAT and a few socks proxies (ssh tunnel, shadowsocks, vless, etc). Can you suggest a good way to monitor the "connection quality" of each of them? (on my local machine)

I want to easily see, which are degraded (usually due to ISP/gov doing DPI and blocking related traffic) and which are nice and healthy.

Cc: @dlakelan

#proxy #i2p #tor #freedom #network #networking #socks #dpi #wireguard #vless #shadowsocks #AskFedi #AskLemmy

It doesn’t occur often, but when it does, it brings a smile to my face. This is my error page served from the proxy when the backend can't process the requests (or is unavailable).

#manpageblog #devops #nginx #proxy #backend #linux #freebsd #tux #beastie

It doesn’t occur often, but when it does, it brings a smile to my face. This is my error page served from the proxy when the backend can't process the requests (or is unavailable).

#manpageblog #devops #nginx #proxy #backend #linux #freebsd #tux #beastie

A brutally-simple proxy for #ActivityPub that lets you circumvent instance blocks by masquerading as another domain name. All it does is replace all hostnames in the text proxied through, and for signed POST requests, it swaps the public keys and re-signs the requests

Thanks to @s3phy again for helping me understand another area where IPv6 is broken in Linux desktop networking configuration tools: connecting to a SSH server to create a SOCKS proxy using the NetworkManager SSH plugin. That thing only checks if the gateway address is a valid IPv4 address

I reported the issue here: https://github.com/danfruehauf/NetworkManager-ssh/issues/130

#IPv6 #networking #sysadmin#réseau#réseautique#UX#SSH #proxy#VPN#GNOME#Linux#NetworkManager

Thanks to @s3phy again for helping me understand another area where IPv6 is broken in Linux desktop networking configuration tools: connecting to a SSH server to create a SOCKS proxy using the NetworkManager SSH plugin. That thing only checks if the gateway address is a valid IPv4 address

I reported the issue here: https://github.com/danfruehauf/NetworkManager-ssh/issues/130

#IPv6 #networking #sysadmin#réseau#réseautique#UX#SSH #proxy#VPN#GNOME#Linux#NetworkManager

Just released: #swad 0.11 -- the session-less swad is done!

Swad is the "Simple Web Authentication Daemon", it adds cookie/form #authentication to your reverse #proxy, designed to work with #nginx' "auth_request". Several modules for checking credentials are included, one of which requires solving a crypto challenge like #Anubis does, to allow "bot-safe" guest logins. Swad is written in pure #C, compiles to a small (200-300kiB) binary, has minimal dependencies (zlib, OpenSSL/LibreSSL and optionally libpam) and should work on many #POSIX-alike systems (#FreeBSD tested a lot, #Linux and #illumos also tested)

This release is the first one not to require a server-side session (which consumes a significant amount of RAM on really busy sites), instead signed Json Web Tokens are now implemented. For now, they are signed using HMAC-SHA256 with a random key generated at startup. A future direction could be support for asymmetric keys (RSA, ED25519), which could open up new possibilities like having your reverse proxy pass the signed token to a backend application, which could then verify it, but still not forge it.

Read more, grab the latest .tar.xz, build and install it ... here: 😎

https://github.com/Zirias/swad

Just released: #swad v0.3!

https://github.com/Zirias/swad/releases/tag/v0.3

swad is the "Simple Web Authentication Daemon", your tiny, efficient and (almost) dependency-free solution to add #cookie + login #form #authentication to whatever your #reverse #proxy offers. It's written in pure #C, portable across #POSIX platforms. It's designed with #nginx' 'auth_request' in mind, example configurations are included.

This release brings a file-based credential checker in addition to the already existing one using #PAM. Also lots of improvements, see details in the release notes.

I finally added complete build instructions to the README.md:

https://github.com/Zirias/swad

And there's more documentation available: manpages as well as a fully commented example configuration file.