Links:

• Caddy offers TLS, HTTPS, and more in one dependency-free Go Web server
• Caddy 2
• Caddy v2 Improvements [slightly out of date]
• Proposal: Permanently change all proprietary licensing to open source · Issue #2786 · caddyserver/caddy
• Revert "Implement Caddy-Sponsors HTTP response header" by lol768 · Pull Request #1866 · caddyserver/caddy
• Intel’s 10th generation desktop CPUs have arrived—still on 14nm
• Intel Comet Lake 10th Gen CPU release date, specs, price, and performance
• 10th Gen Intel® Core™ Desktop Processors
• US military is furious at FCC over 5G plan that could interfere with GPS
• The Pentagon's fight to kill Ligado's 5G network
• FCC Approves Ligado L-Band Application to Facilitate 5G & IoT

Plus Let's Encrypt's certificate validation mix-up, Intel's questionable new power supply design, and more.

Links:

• Let's Encrypt changes course on certificate revocation
• Revoking certain certificates on March 4
• Let's Encrypt: Incomplete revocation for CAA rechecking bug
• Pass authzModel by value, not reference
• The Complete Guide to CAA Records
• DNS Certification Authority Authorization
• AMD's 7nm Ryzen 4000 laptop processors are finally here
• How Intel is changing the future of power supplies with its ATX12VO spec
• Single Rail Power Supply ATX12VO Design Guide
• FreeNAS and TrueNAS are Unifying
• FreeNAS and TrueNAS are Unifying [Video Announcement]
• Ubuntu 20.04's zsys adds ZFS snapshots to package management
• ubuntu/zsys: zsys daemon and client for zfs systems

Plus Mozilla's rollout of DNS over HTTPS has begun, a big milestone for Let's Encrypt, and more.

Links:

• Firefox continues push to bring DNS over HTTPS by default for US users - The Mozilla Blog
• The Facts: Mozilla’s DNS over HTTPs (DoH)
• Security/DOH-resolver-policy - MozillaWiki
• HTTPS for all: Let’s Encrypt reaches one billion certificates issued | Ars Technica
• Let’s Encrypt Has Issued a Billion Certificates - Let’s Encrypt - Free SSL/TLS Certificates
• Let’s Encrypt: A History - The Morning Paper
• Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months • The Register
• Ballot SC22: Reduce Certificate Lifetimes
• Google Chrome’s fear of Microsoft Edge is revealing its bad side
• Microsoft shares a roadmap for the new Microsoft Edge
• Microsoft Edge: Top Feedback Summary for March 4
• Download Microsoft Edge Insider Channels
• Flaw in billions of Wi-Fi devices left communications open to eavesdropping | Ars Technica
• kr00k: A serious vulnerability deep inside Wi-Fi encryption
• Kr00k Paper
• Technical Details of Why Cloudflare Chose AMD EPYC for Gen X Servers
• An EPYC trip to Rome: AMD is Cloudflare’s 10th-generation Edge server CPU
• Cloudflare’s Gen X: Servers for an Accelerated Future
• Impact of Cache Locality
• Gen X Performance Tuning
• Securing Memory at EPYC Scale
• Intel promises Full Memory Encryption in upcoming CPUs | Ars Technica

Plus when to use WARP, the secrets of Startpage, and the latest Ryzen release.

Links:

• Why big ISPs aren’t happy about Google’s plans for encrypted DNS
• Chromium Blog: Experimenting with same-provider DNS-over-HTTPS upgrade
• How to enable DNS-over-HTTPS (DoH) in Google Chrome
• What’s next in making Encrypted DNS-over-HTTPS the Default - Future Releases
• WARP is here
• The Technical Challenges of Building Cloudflare WARP
• mmproxy - Creative Linux routing to preserve client IP addresses in L7 proxies
• HTTP/3: the past, the present, and the future
• Cloudflare, Google Chrome, and Firefox add HTTP/3 support | ZDNet
• QUIC Implementations
• Startpage.com - The world's most private search engine
• Google extends support lifespan for seven Lenovo Chromebooks to 2025
• Google’s Quantum Supremacy Announcement Shouldn't Be a Surprise
• Scott’s Supreme Quantum Supremacy FAQ
• AMD Ryzen Pro 3000 series desktop CPUs will offer full RAM encryption | Ars Technica

Also, a few Windows worms you should know about, the end of the road for EV certs, and an embarrassing new Bluetooth attack.

Links:

• A detailed look at AMD’s new Epyc “Rome” 7nm server CPUs | Ars Technica — The short version of the story is, Epyc "Rome" is to the server what Ryzen 3000 was to the desktop—bringing significantly improved IPC, more cores, and better thermal efficiency than either its current-generation Intel equivalents or its first-generation Epyc predecessors.
• AMD Rome Second Generation EPYC Review: 2x 64-core Benchmarked — Ever since the Opteron days, AMD's market share has been rounded to zero percent, and with its first generation of EPYC processors using its new Zen microarchitecture, that number skipped up a small handful of points, but everyone has been waiting with bated breath for the second swing at the ball. AMD's Rome platform solves the concerns that first gen Naples had, plus this CPU family is designed to do many things: a new CPU microarchitecture on 7nm, offer up to 64 cores, offer 128 lanes of PCIe 4.0, offer 8 memory channels, and offer a unified memory architecture based on chiplets.
• AMD EPYC Rome Still Conquering Cascadelake Even Without Mitigations - Phoronix — Out of curiosity, I've run some unmitigated benchmarks for the various relevant CPU speculative execution vulnerabilities on both the Intel Xeon Platinum 8280 Cascadelake and AMD EPYC 7742 Rome processors for seeing how the performance differs.
• Intel’s line of notebook CPUs gets more confusing with 14nm Comet Lake | Ars Technica — Going by Intel's numbers, Comet Lake looks like a competent upgrade to its predecessor Whiskey Lake. The interesting question—and one largely left unanswered by Intel—is why the company has decided to launch a new line of 14nm notebook CPUs less than a month after launching Ice Lake, its first 10nm notebook CPUs.
• A look at the Windows 10 exploit Google Zero disclosed this week | Ars Technica — On Tuesday, Tavis Ormandy of Google's Project Zero released an exploit kit called ctftool, which uses and abuses Microsoft's Text Services Framework in ways that can effectively get anyone root—er, system that is—on any unpatched Windows 10 system they're able to log in to
• Patch new wormable vulnerabilities in Remote Desktop Services (CVE-2019-1181/1182) – Microsoft Security Response Center — Today Microsoft released a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities, CVE-2019-1181 and CVE-2019-1182. Like the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.
• KNOB Attack — TL;DR: The specification of Bluetooth includes an encryption key negotiation protocol that allows to negotiate encryption keys with 1 Byte of entropy without protecting the integrity of the negotiation process. A remote attacker can manipulate the entropy negotiation to let any standard compliant Bluetooth device negotiate encryption keys with 1 byte of entropy and then brute force the low entropy keys in real time.
• Troy Hunt: Extended Validation Certificates are (Really, Really) Dead — With both browsers auto-updating for most people, we're about 10 weeks out from no more EV and the vast majority of web users no longer seeing something they didn't even know was there to begin with! Oh sure, you can still drill down into the certificate and see the entity name, but who's really going to do that? You and I, perhaps, but we're not exactly in the meat of the browser demographics.
• Google wants to reduce lifespan for HTTPS certificates to one year | ZDNet — Scott Helme argues that the security benefits of shorter SSL certificate lifespans have nothing to do with phishing or malware sites, but instead with the SSL certificate revocation process. Helme claims that this process is broken and that bad SSL certificates continue to live on for years after being mississued and revoked.

The history, the clients, and the from-the-field details you'll want to know.

Links:

• Let’s Encrypt and CertBot – JRS Systems
• Automatic Certificate Management Environment (ACME) — The surprisingly readable IETF draft.
• How It Works - Let's Encrypt
• ACME Client Implementations
• Certbot — Certbot is EFF's tool to obtain certs from Let's Encrypt.
• acme-nginx: python acme client for nginx — A particularly simple client that is useful for understanding the protocol details.
• Caddy - The HTTP/2 Web Server with Automatic HTTPS
• mod_md: Let's Encrypt (ACME) support for Apache httpd
• Traefik - The Cloud Native Edge Router
• Looking Forward to 2019 - Let's Encrypt — We’re now serving more than 150 million websites while maintaining a stellar security and compliance track record. Most importantly though, the Web went from 67% encrypted page loads to 77% in 2018, according to statistics from Mozilla. This is an incredible rate of change!
• Let's Encrypt ACME v2 API Announcements — Now that the draft standard is in last-call and the pace of major changes has slowed, we’re able to release a “v2” API that is much closer to what will become the final ACME RFC.
• Let's Encrypt disables TLS-SNI-01 validation — The researcher noticed that "at least two" large hosting providers host many users on the same IP address and users are able to upload certificates for arbitrary names without proving they have control of a domain.
• A Technical Deep Dive on Using Certbot to Secure your Mailserver from the EFF — With the most recent release of Certbot v0.29.1, we’ve added some features which make it much easier to use with both Sendmail and Exim.

Plus the privacy improvements that could be coming to HTTPS, and a new SSH auditing tool hits the open source scene.

Special Guest: Will Boyd.

Links:

• Open Sourcing HASSH — HASSH is a network fingerprinting standard invented within the Detection Cloud team at Salesforce.
• ESNI: A Privacy-Protecting Upgrade to HTTPS — Today, Cloudflare is announcing a major step toward closing this privacy hole and enhancing the privacy protections that HTTPS offers. Cloudflare has proposed a technical standard for encrypted SNI, or “ESNI,” which can hide the identities of the sites you visit—particularly when a large number of sites are hosted on a single set of IP addresses
• What's new in Kubernetes 1.12?
• Kubernetes the Hard Way — Kubernetes The Hard Way guides you through bootstrapping a highly available Kubernetes cluster with end-to-end encryption between components and RBAC authentication.
• Install Minikube
• Creating a single master cluster with kubeadm
• 10 open-source Kubernetes tools for highly effective SRE and Ops Teams
• Clonezilla — Clonezilla is a partition and disk imaging/cloning program similar to True Image or Norton Ghost.

We’ll explain what Domain Fronting is, how activists can use it to avoid censorship, and why large organizations are compelled to disable it.

Plus how road navigation systems can be spoofed with $223 in hardware, and another bad Bluetooth bug.

Sponsored By:

• Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
• iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
• Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

• Road navigation systems can be spoofed using $223 equipment
• The World Economy Runs on GPS. It Needs a Backup Plan
• Big bad Bluetooth blunder bug battered – check for security fixes
• Vulnerability Note VU#304725 - Bluetooth Diffie-Hellman key exchange
• Domain Fronting
• Domain Fronting Is Critical to the Open Web
• Russia Blocks Millions of Amazon and Google IPs in Bungled Attempt to Ban Telegram
• Blocking-resistant communication through domain fronting
• Duplicati gets some love
• Duplicati
• Duplicati - Docker Hub
• Installing Duplicati on Ubunutu Linux
• Ben's Backup Basics