Instantly share code, notes, and snippets.

View onion-svc-v3-client-auth.sh
#!/bin/bash
# needs openssl 1.1+
# needs `basez` https://manpages.debian.org/testing/basez/base32hex.1.en.html
# (but something else that decodes the base64 and re-encodes the raw key bytes
# to base32 is probably fine too)
##### generate a key
openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem
View 01.md

(originally from a tweet thread: https://twitter.com/mtigas/status/949337073495916544 )

updated january 5, 2018; 12:47 US Eastern Time

ok here's a rough list of links i have collected about patches for meltdown / spectre https://kb.cert.org/vuls/id/584653 , that i sort of compiled for my own reference but figure others might want. (info as of this morning, january 5. might have mistakes, use at own risk, etc)


MacOS High Sierra 10.13.2+, Sierra 2017-002 security update, and El Capitan 2017-005 security update mitigate meltdown:

View 0 ProPublica Tor hidden service config.md

These files contain the base configuration for ProPublica’s Tor hidden service mirror.

Of note:

  • We're using the nginx "subs_filter" and "headers more" modules to allow us to rewrite content and update headers, so that we can convert clearnet links into onion links, where possible.

  • Based on feedback we've received, we're using Unix sockets (instead of a 127.0.0.1:___ TCP port) where nginx listens internally for the inbound connection from Tor. This ensures that a firewall misconfiguration can't expose the site running in nginx, which is likely overkill for an already-public (clearnet) website; this may also slightly improve performance and reduce socket overhead, however.

    If you try doing this and have issues using sudo service nginx restart due to leftover connections using the socket, you may have to nuke the previous sockets before starting a new nginx process:

View 0-hidden-service-subdomains.md

The following files show an example of how to create subdomains for onion site hidden services. (This hasn't been tested for hidden services for anything other than HTTP/HTTPS.)

(You might also want to read our blog post about ProPublica’s Tor hidden service, including a tutorial and notes on running a hidden service: https://www.propublica.org/nerds/item/a-more-secure-and-anonymous-propublica-using-tor-hidden-services )

In general, this works (maybe just in recent Tor clients) because Tor will handle the connection to www.xxxxxxxxxxxxxxxx.onion as a connection to xxxxxxxxxxxxxxxx.onion. The encapsulated HTTP/HTTPS connection contains the subdomain in the Host: header (and in the case of HTTPS, the SNI

View gpg.conf
#~/.gnupg/gpg.conf
# Hide your PGP version & other PGP version metadata with these two config lines.
# This line hides the "Version: GnuPG vX.XX.XX" line
no-emit-version
# This line hides the "Comment: XXXXX" lines
no-comments
# NOTE if you are using Thunderbird+Enigmail you probably need to set this again in
# the Enigmail->Preference settings:
View gist:9622e039ef53b85ae379
View gist:25d680ccea78ad7db37a
View 1-tls
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
The following are the SSL certificate fingerprints for the
following propublica.org servers as of 2016-03-05.
CN or SAN: www.propublica.org
Note: this domain is now served via the Fastly CDN, relying on shared SSL
certificates. The www.propublica.org domain should be listed as a Subject
Alternative Name on the certificate served by the CDN endpoint.
View default.json
/* Example of "output=flat" format.
* https://projects.propublica.org/nonprofits/api/v1/search.json?q=propublica */
{
"total_results": 2,
"filings": [
{
"tax_prd": 201212,
"tax_prd_yr": 2012,
"formtype": 0,
"pdf_url": "https://bulk.resource.org/irs.gov/eo/2013_09_EO/14-2007220_990_201212.pdf",
View gist:416e172d879304af04ad

Updating rbenv Ruby to use newer OpenSSL versions

rbenv/ruby-build don’t use Homebrew-installed versions of OpenSSL — instead, they on OS X's built-in ancient version.

This can throw OpenSSL::SSL::SSLErrors when talking to websites that enforce newer SSL/TLS protocols and ciphersuites.


1: Dependencies