#http

57b731e9@nerdpol.ch

MinusBrowser 1.2 is Published

Minus is an alternative to, but not a replacement for, HTTP and Gemini.

  • Tor now starts automatically. The option to keep Tor running after the browser window is closed still exists.
  • Tor is now used for all connections, not just connections to .onion domains.
  • Gopher is now supported, but not as fully as with a dedicated Gopher client. Gopher menus are presented as if they were Minus pages. You can click on Gopher links just as you do with Minus links. Search is also supported.
  • Various annoying bugs are fixed. This includes bugs related to selected text.

The new version is available on Codeberg as a .tar.gz file.

https://codeberg.org/giXzkGsc/Minus-Protocol/raw/branch/main/MinusBrowser.tar.gz

There is no need to install MinusBrowser. Just download the .tar.gz file to your home folder and unpack it with

tar -xf MinusBrowser.tar.gz

or use your favorite GUI software to unpack it.

If you have an earlier version, unpack the .tar.gz file into the same directory as your present MinusBrowser folder. I plan to make future versions of MinusBrowser able to update themselves similarly to the way EasyGPG updates itself.

To follow the progress of the Minus Protocol Project, click on #minus-protocol or look at https://nerdpol.ch/tags/minus-protocol

#internet #protocol #tcp #hypertext #http #gemini #gopher #minus #minus-protocol #browser #minusbrowser #minus-browser

andre_henze@pod.geraspora.de

Great talk! #IT #Admin #Fremdsprachen #Rubberducking #Logs-lesen #storage #Netzwerk #Zertifikate #http #SSO #MobileDevices #root #RSS-Abo

Checklist for universal dilettantes – A jack of all trades is a master of none, but oftentimes better than a master of one.

That is why the administrators of human resources like to look for so-called "T-shaped professionals". The vertical bar of the T symbolizes specialist knowledge, while the horizontal bar represents breadth of knowledge.

Stoeps and leyrer share, from a combined total of over 60 years of IT experience, which topics in their view should not be missing from that horizontal bar.

Naturally, the chosen topics are only a selection, but they should give you an overview of everything it takes to mediate between customers, managers, vendors, (frontend) developers, network, storage, operating-system, middleware, database, Dev(Sec)Ops, security and many other teams.

via FrOSCon

57b731e9@nerdpol.ch

MinusBrowser 1.0 is Published

MinusBrowser is a browser for the Minus protocol written in Tcl/Tk that also requires curl.

The Software

I have developed a Minus server and a Minus browser for Linux distros. I am putting the Minus browser on Codeberg first. I will put a server there later.

My browser is written in Tcl/Tk, and it also requires curl. Like the Tor Browser, MinusBrowser includes its own copy of Tor. The protocol specification allows for the use of TLS, but MinusBrowser does not support it -- at least, not yet. My present Minus servers run as Tor Onion Services, and I have no plan to create clearnet servers in the future. However, MinusBrowser will also read from libraries on local networks.

There is no need to install the browser. Just download the .tar.gz archive and unpack it. The ReadMeFirst.txt file explains how to launch it on various distros.

MinusBrowser includes a list of known public Minus libraries. So far, I know of only my two libraries: the one for this project and the one for my EasyGPG project.

The Files

MinusBrowser
https://codeberg.org/giXzkGsc/Minus-Protocol/raw/branch/main/MinusBrowser.tar.gz

Minus Protocol Specification
https://codeberg.org/giXzkGsc/Minus-Protocol/raw/branch/main/minus-specification.md

What is Minus?

The Minus protocol is an alternative to Gopher, HTTP, and Gemini. It was inspired by Gopher. Gopher Plus was intended to add features to Gopher, but I wanted to subtract features. I wanted a Gopher Minus. I shortened this to Minus.

Minus is Gopher with only type 9 files. (This will make sense to you if you have ever implemented a Gopher server or client.)

As with Gopher and Gemini, a Minus client sends only one line of text that specifies the file to download. The server then sends back the requested file or a message in UTF-8 text explaining why the file was not sent. Notice that there is nothing at all like request and response headers.

The files served can be of any type, but only .minus, .txt, .text, and .asc files will be displayed by the client. Other types are saved to mass storage.

Minus files are UTF-8 text. There is no markup language apart from using # characters to indicate headers, and the back-tick (`) to delimit code snippets and similar text. Every character in the file is shown to the user.

The only hypertext feature is that all minus:// URLs, alone on a line, are automatically clickable links.

Minus defines its own MIME type, like HTTP's text/html. This is text/minus, and the file name suffix is .minus.

Minus URLs are of the form minus://domain.tld/something.minus. There is no optional authority component, nor are there any optional query or fragment components. The browser sends the part of the URL after the TLD to the server to specify the desired file.

The Minus equivalent of the HTTP web site and Gopher gopher hole is the Minus library.

The Future of this Project

As mentioned above, I will put my Minus server on Codeberg. I want to build a GUI for it soon, but I will probably upload it before that is finished.

I am thinking about several improvements to the browser. One is to enable the MinusBrowser to read pages aloud. This would be done by recording sound files with espeak and playing them with VLC or Audacious. I am also thinking about limited support for Gopher. This would translate Gopher menus into Minus pages and allow display of files that appear in Gopher menus as type 0. I definitely plan to make MinusBrowser able to update itself using Codeberg or using the Minus Library for this project.

I am also thinking about using gpg to display PGP messages and verify their signatures. This would require that the browser also import PGP keys.

Minus Protocol Project on Codeberg
https://codeberg.org/giXzkGsc/Minus-Protocol

Minus library for the Minus protocol project
minus://mvxpelpxu2f7kzotb2s2t6fkmggvrd7qdg2wjs6waiyf2nbhkawux4yd.onion/

Minus library for EasyGPG
minus://7hinc6ucgvwbcjjoe44lhzzxyjptb3da6tzl33oe7ezl2qgwlrkfe6yd.onion/

#internet #protocol #tcp #hypertext #http #gemini #gopher #minus #minus-protocol #browser #minusbrowser #minus-browser
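The post above describes the whole of the .minus "markup" (lines starting with one or more # followed by a space are headings, back-ticks delimit code, and a minus:// URL alone on its line is the only hypertext feature) and which downloaded files a client displays rather than saves. The following is an added example, not MinusBrowser's Tcl/Tk code: a small client-side renderer that applies those rules while still showing every character of the file, plus the display-or-save decision by file suffix. The function names and the segment/dict shapes are this example's own choices.

```python
"""Client-side handling of .minus text (added example, not MinusBrowser code)."""
import re
from typing import List, Tuple

# A Minus URL (plain or TLS scheme) that occupies a whole line. The path part
# uses only the specifier characters the specification allows.
URL_LINE = re.compile(r"^minuss?://[A-Za-z0-9.\-]+(/[A-Za-z0-9\-_/.]*)?$")


def heading_level(line: str) -> int:
    """Number of leading '#' characters when they are followed by a space; 0 otherwise."""
    m = re.match(r"^(#+) ", line)
    return len(m.group(1)) if m else 0


def is_link_line(line: str) -> bool:
    """True only when the URL is the only thing on the line, as the specification requires."""
    return URL_LINE.match(line) is not None


def inline_segments(line: str) -> List[Tuple[str, str]]:
    """Split one line at back-ticks into ('text' | 'code' | 'mark', chars) segments.

    The back-ticks are emitted as 'mark' segments rather than dropped, because Minus
    shows every character of the file to the user; concatenating the segments gives
    back the original line. An unmatched back-tick styles the rest of the line as code.
    """
    segments: List[Tuple[str, str]] = []
    kind, buf = "text", ""
    for ch in line:
        if ch == "`":
            if buf:
                segments.append((kind, buf))
            segments.append(("mark", ch))
            buf = ""
            kind = "code" if kind == "text" else "text"
        else:
            buf += ch
    if buf:
        segments.append((kind, buf))
    return segments


def render(text: str) -> List[dict]:
    """Turn a .minus document into one display instruction per line.

    Headings and code are only hints: the client and its user decide how (or whether)
    they look different. Links are the one thing the client must act on, and only when
    the user selects them; nothing is fetched automatically.
    """
    rendered = []
    for line in text.split("\n"):
        if is_link_line(line):
            rendered.append({"kind": "link", "level": 0, "url": line,
                             "segments": [("text", line)]})
        else:
            level = heading_level(line)
            rendered.append({"kind": "heading" if level else "text", "level": level,
                             "segments": inline_segments(line)})
    return rendered


def disposition(specifier: str) -> Tuple[str, str]:
    """Decide what the client does with a downloaded file, from the specifier's suffix.

    Returns ('render', name) for .minus (links made selectable), ('show', name) for
    .txt/.text/.asc (displayed as plain text), or ('save', name) for everything else,
    where name is the part after the last '/' and is the file name used when saving.
    A specifier of '' or '/' is the server-side default index.minus.
    """
    name = "index.minus" if specifier in ("", "/") else specifier.rsplit("/", 1)[-1]
    if name.endswith(".minus"):
        return ("render", name)
    if name.endswith((".txt", ".text", ".asc")):
        return ("show", name)
    return ("save", name)
```

A URL that shares its line with other text is deliberately left as plain text, and the back-ticks stay visible, so a user sees exactly what the file contains; the renderer never interprets anything the specification does not name.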

57b731e9@nerdpol.ch

Latest Version 2022-07-05

Minus Protocol Specification

The Name of the Minus Protocol

The name Minus was inspired by Gopher Plus. Gopher Plus added features to Gopher; Minus subtracts features from Gopher.

Minus Transactions

Server: listens for TCP connections on port 1990
Client: opens a TCP connection to the server on port 1990
Server: accepts the TCP connection
Client: sends a file specifier that specifies the file to be downloaded
Server: sends the specified file or a UTF-8 text message explaining why the specified file was not sent
Server: closes the TCP connection

The client may close the TCP connection before the entire file is received. The server must tolerate this.

The specifier is one line of text which can contain only the characters inside the following quotation marks.

"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_/."

The specifier may be just /, but, otherwise, it should not end with /. The specifier should also not contain //, .., ./, or /..

If the specifier is / or zero-length, the specifier will default to index.minus. This is similar to index.html in HTTP.

The error message mentioned above should be UTF-8 text with \n at the end of lines, and not \r\n.

There must be no other communication between the server and client. Notice that no information about the client is sent to the server.

Avoiding Information Exfiltration

Exfiltration of information from the client is prevented by only allowing the transaction above, but indirectly exfiltrating information from the server is still possible.

This could happen if all the files served are kept in one directory, and the specifier is combined with the path name of this one directory to form the path name of the file served. This is obviously insecure, yet many file servers are designed this way. Such servers have to use various strategies to mitigate the insecurity created by this design.

A better design uses an index that contains an entry for each file that can be served. Each entry relates a specifier to the path name of the file it specifies. With this design, only files listed in the index can be served, and the specifier need not contain any part of the path name of the file.

Transport Security

Minus is insecure unless TLS is used or the server is run as a Tor Onion Service. Running as a Tor Onion Service is preferred because it makes everything easier. No registration of a domain name is necessary, no TLS certificate is required, and both server and client are easier to implement without TLS.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

Minus URL Format

Here is an example of a Minus URL.

minus://vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion/index.minus

(There is not a server at this domain. This is just an example.)

This has three parts: the protocol (or scheme) minus://, the host (an FQDN or an IP address) vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion, and /index.minus (the specifier sent by the client to the server). See the section above for the complete list of characters allowed in a specifier.

Minus URLs must be the only thing on the line they appear in.

Minus URLs in .minus documents should be selectable links that open the specified document. In a GUI client, these should be clickable.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

The .minus File Type

Files with the .minus filename extension should be UTF-8 text files. The server should not limit the line length of lines in these files (as in Gopher). However, the client should.

Lines in .minus files should end with \n and not \r\n.

Minus URLs must be the only thing on the line they appear in.

The client should recognize Minus URLs in the text of .minus files and make them easily selectable. Selecting them should download the specified file. If the file downloaded is a .minus file, it should be displayed. If it is a .txt, .text, or .asc file, it should also be displayed, but without necessarily making URLs in the text selectable. All other files should be downloaded and saved to mass storage. The file names of files saved to mass storage will be the part of the specifier after the last /. Clients should check that the downloaded file is not actually an error message sent by the server instead of the specified file.

Minus does not allow for embedding other files in a .minus file such that they are displayed in the same window as the text. No URLs in the text should ever be automatically downloaded.

Display of Text in .minus Files

How the text of .minus files is displayed should be controlled by the client and its user. However, the text of the .minus file may indicate, with markings, what functions parts of the text play in the document.

For example, the text could indicate what lines of the document are headings and subheadings. This could be done by beginning the line with a # or more than one #, followed by a space. The client and its user could decide how headings should be displayed. Similarly, the ` could indicate the beginning and end of a code snippet, and the client could display these snippets differently from the rest of the text.

It is also acceptable for the client not to display marked text or markings differently from the rest of the text.

Minus Compared to Gopher, Gemini, and HTTP

Gemini is meant to be less complex and easier to implement than HTTP, but more complex than Gopher. Minus, on the other hand, is meant to be less complex and easier to implement than all of these others, including Gopher.

This simplicity is essential if the Internet is to, once again, become human-friendly.

HTTPS 1.1 and HTML5 are so complex that no single person can implement a server or a client that supports the entire HTTPS 1.1 and HTML5 standards. In fact it requires a large team of people to do so. It is, therefore, not surprising that there are very few clients or servers not based on some other client or server.

Because complexity is the enemy of security, this software is also insecure.

Perhaps the worst problem with HTTPS 1.1 and HTML5 is the way, by design, that they spy on users of HTTPS 1.1 clients. In Minus, the only information communicated by the client to the server is the specifier that specifies the file to be downloaded. This is very different from HTTPS 1.1. Even worse, HTTPS 1.1 allows the server to download and store information onto the client machine that is not explicitly requested by the user.

When I implemented my own Gopher server, I found that even Gopher has complexity I do not need or want. This is why I am doing this.

#internet #protocol #tcp #file-server #hypertext #http #gemini #gopher #minus #minus-protocol
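The "Minus Transactions" and "Avoiding Information Exfiltration" sections above are precise enough to implement directly. What follows is an added example, not the author's server: it enforces the request-line rules (allowed characters, no trailing /, none of // .. ./ /.., the index.minus default), serves only files listed in an index so the specifier is never combined with a path, and runs the six-step transaction over a real loopback TCP connection. Keying the index by specifier with its leading '/', using a dict in place of the disk, and choosing an ephemeral port instead of 1990 are this example's own choices.

```python
"""Server side of one Minus transaction (added example, not the author's server)."""
import socket
import threading
from typing import Dict, Optional

ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_/.")
FORBIDDEN = ("//", "..", "./", "/..")  # "/.." is already caught by "..", listed for fidelity


def normalize_specifier(raw_line: str) -> Optional[str]:
    """Apply the specification's rules to the single request line.

    Returns the specifier to look up, or None when the line must be refused. The
    checks run before any lookup, so a refused line never reaches the index.
    """
    spec = raw_line.rstrip("\r\n")
    if spec in ("", "/"):
        return "/index.minus"  # zero-length or "/" defaults to index.minus
    if any(ch not in ALLOWED for ch in spec):
        return None
    if spec.endswith("/") or any(seq in spec for seq in FORBIDDEN):
        return None
    return spec


def serve(raw_line: str, index: Dict[str, str], disk: Dict[str, bytes]) -> bytes:
    """Return exactly what the server sends back: the file, or a UTF-8 error message.

    The specifier is only ever used as a key into the index; the path name comes from
    the index entry, so nothing outside the listed files is reachable and the error
    message reveals nothing about the file-system layout. Line ends are \n, not \r\n.
    """
    spec = normalize_specifier(raw_line)
    if spec is None:
        return "Error: the specifier contains characters or sequences that are not allowed.\n".encode("utf-8")
    path = index.get(spec)
    if path is None:
        return f"Error: {spec} is not in this library.\n".encode("utf-8")
    return disk[path]  # a real server would read the file at this path


def run_transaction(index: Dict[str, str], disk: Dict[str, bytes], raw_line: str) -> bytes:
    """Run the whole transaction over a real TCP connection on the loopback interface
    and return the bytes the client received.

    An ephemeral port is used instead of 1990 so the example cannot collide with a
    running Minus server. The server reads one line, answers, and closes; the client
    reads until that close, which is how it knows the file is complete.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    def server_side() -> None:
        conn, _ = listener.accept()
        with conn:
            line = b""
            while not line.endswith(b"\n") and len(line) < 4096:  # one line, bounded
                chunk = conn.recv(1024)
                if not chunk:
                    break
                line += chunk
            # Undecodable bytes become U+FFFD, which is not an allowed character.
            conn.sendall(serve(line.decode("utf-8", "replace"), index, disk))
        # leaving the with-block closes the connection: the server's final step

    thread = threading.Thread(target=server_side)
    thread.start()
    received = b""
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(raw_line.encode("utf-8") + b"\n")
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk
    thread.join()
    listener.close()
    return received


if __name__ == "__main__":
    # Constructed sample library: specifier -> path name, and path name -> contents.
    index = {"/index.minus": "lib/home.minus", "/docs/readme.txt": "lib/readme.txt"}
    disk = {"lib/home.minus": b"# Library\n", "lib/readme.txt": b"hello\n"}
    print(run_transaction(index, disk, "/").decode())
    print(run_transaction(index, disk, "/docs/../home.minus").decode())
```

Because lookups go through the index, a specifier that names a real path ("lib/home.minus") or a directory ("/docs") gets the same "not in this library" answer as any other unlisted name; the character and sequence checks are a second, independent layer rather than the thing the server's safety rests on.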

57b731e9@nerdpol.ch

This adds a note about error messages suggested by @prplcdclnw@diasp.eu, and a note about / in specifiers.

Third Release Version

Minus Protocol Specification

The Name of the Minus Protocol

The name Minus was inspired by Gopher Plus. Gopher Plus added features to Gopher; Minus subtracts features from Gopher.

Minus Transactions

Server: listens for TCP connections on port 1990
Client: opens a TCP connection to the server on port 1990
Server: accepts the TCP connection
Client: sends a file specifier that specifies the file to be downloaded
Server: sends the requested file or a UTF-8 text message explaining why the specified file was not sent
Server: closes the TCP connection

The specifier is one line of text which can contain only the characters inside the following quotation marks.

"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_/."

The specifier may be just /, but, otherwise, it should not end with /. The specifier should also not contain //.

If the specifier is / or zero-length, the specifier will default to index.minus. This is similar to index.html in HTTP.

The error message mentioned above should be UTF-8 text with \n at the end of lines, and not \r\n.

There must be no other communication between the server and client. Notice that no information about the client is sent to the server.

Avoiding Information Exfiltration

Exfiltration of information from the client is prevented by only allowing the transaction above, but indirectly exfiltrating information from the server is still possible.

This could happen if all the files served are kept in one directory, and the specifier is combined with the path name of this one directory to form the path name of the file served. This is obviously insecure, yet many file servers are designed this way. Such servers have to use various strategies to mitigate the insecurity created by this design.

A better design uses an index that contains entries for each file that can be served. Each entry relates a specifier to the path name of the file it specifies. With this design, only files listed in the index can be served, and the specifier need not contain any part of the path name of the file.

Transport Security

Minus is insecure unless TLS is used or the server is run as a Tor Onion Service. Running as a Tor Onion Service is preferred because it makes everything easier. No registration of a domain name is necessary, no TLS certificate is required, and both server and client are easier to implement without TLS.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

Minus URL Format

Here is an example of a Minus URL.

minus://vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion/index.minus

(There is not a server at this domain. This is just an example.)

This has three parts: the protocol (or scheme) minus://, the host (an FQDN or an IP address) vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion, and /index.minus (the specifier sent by the client to the server). See the section above for the complete list of characters allowed in a specifier.

Minus URLs must be the only thing on the line they appear in.

Minus URLs in .minus documents should be selectable links that open the specified document. In a GUI client, these should be clickable.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

The .minus File Type

Files with the .minus filename extension should be UTF-8 text files. The server should not limit the line length of lines in these files (as in Gopher). However, the client should.

Lines in .minus files should end with \n and not \r\n.

Minus URLs must be the only thing on the line they appear in.

The client should recognize Minus URLs in the text of .minus files and make them easily selectable. Selecting them should download the specified file. If the file downloaded is a .minus file, it should be displayed. If it is a .txt, .text, or .asc file, it should also be displayed, but without necessarily making URLs in the text selectable. All other files should be downloaded and saved to mass storage. The file names of files saved to mass storage will be the part of the specifier after the last /. Clients should check that the downloaded file is not actually an error message sent by the server instead of the specified file.

Minus does not allow for embedding other files in a .minus file such that they are displayed in the same window as the text. No URLs in the text should ever be automatically downloaded.

Display of Text in .minus Files

How the text of .minus files is displayed should be controlled by the client and its user. However, the text of the .minus file may indicate, with markings, what functions parts of the text play in the document.

For example, the text could indicate what lines of the document are headings and subheadings. This could be done by beginning the line with a # or more than one #, followed by a space. The client and its user could decide how headings should be displayed. Similarly, the ` could indicate the beginning and end of a code snippet, and the client could display these snippets differently from the rest of the text.

It is also acceptable for the client not to display marked text or markings differently from the rest of the text.

Minus Compared to Gopher, Gemini, and HTTP

Gemini is meant to be less complex and easier to implement than HTTP, but more complex than Gopher. Minus, on the other hand, is meant to be less complex and easier to implement than all of these others, including Gopher.

This simplicity is essential if the Internet is to, once again, become human-friendly.

HTTPS 1.1 and HTML5 are so complex that no single person can implement a server or a client that supports the entire HTTPS 1.1 and HTML5 standards. In fact it requires a large team of people to do so. It is, therefore, not surprising that there are very few clients or servers not based on some other client or server.

Because complexity is the enemy of security, this software is also insecure.

Perhaps the worst problem with HTTP 1.1 and HTML5 is the way, by design, that they spy on users of HTTPS 1.1 clients. In Minus, the only information communicated by the client to the server is the specifier that specifies the file to be downloaded. This is very different from HTTPS 1.1. Even worse, HTTPS 1.1 allows the server to download and store information on the client machine that is not explicitly requested by the user.

When I implemented my own Gopher server, I found that even Gopher has complexity I do not need or want. This is why I am doing this.

This document is 1157 words long. The official Gopher specification is 5395 words long. The official HTTP 1.1 specification is 61904 words long.

#internet #protocol #tcp #file-server #hypertext #http #gemini #gopher #minus #minus-protocol

57b731e9@nerdpol.ch

Second Release Version (See the first comment below.)

Minus Protocol Specification

The Name of the Minus Protocol

The name Minus was inspired by Gopher Plus. Gopher Plus added features to Gopher; Minus subtracts features from Gopher.

Minus Transactions

Server: listens for TCP connections on port 1990
Client: opens a TCP connection to the server on port 1990
Server: accepts the TCP connection
Client: sends a file specifier that specifies the file to be downloaded
Server: sends the requested file or a UTF-8 text message explaining why the specified file was not sent
Server: closes the TCP connection

The specifier is one line of text which can contain only the characters inside the following quotation marks.

"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_/."

If the specifier is / or zero-length, the specifier will default to index.minus. This is similar to index.html in HTTP.

The error message mentioned above should be UTF-8 text with \n at the end of lines, and not \r\n.

There must be no other communication between the server and client. Notice that no information about the client is sent to the server.

Avoiding Information Exfiltration

Exfiltration of information from the client is prevented by only allowing the transaction above, but indirectly exfiltrating information from the server is still possible.

This could happen if all the files served are kept in one directory, and the specifier is combined with the path name of this one directory to form the path name of the file served. This is obviously insecure, yet many file servers are designed this way. Such servers have to use various strategies to mitigate the insecurity created by this design.

A better design uses an index that contains entries for each file that can be served. Each entry relates a specifier to the path name of the file it specifies. With this design, only files listed in the index can be served, and the specifier need not contain any part of the path name of the file.

Transport Security

Minus is insecure unless TLS is used or the server is run as a Tor Onion Service. Running as a Tor Onion Service is preferred because it makes everything easier. No registration of a domain name is necessary, no TLS certificate is required, and both server and client are easier to implement without TLS.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

Minus URL Format

Here is an example of a Minus URL.

minus://vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion/index.minus

(There is not a server at this domain. This is just an example.)

This has three parts: the protocol (or scheme) minus://, the host (an FQDN or an IP address) vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion, and /index.minus (the specifier sent by the client to the server). See the section above for the complete list of characters allowed in a specifier.

Minus URLs must be the only thing on the line they appear in.

Minus URLs in .minus documents should be selectable links that open the specified document. In a GUI client, these should be clickable.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

The .minus File Type

Files with the .minus filename extension should be UTF-8 text files. The server should not limit the line length of lines in these files (as in Gopher). However, the client should.

Lines in .minus files should end with \n and not \r\n.

Minus URLs must be the only thing on the line they appear in.

The client should recognize Minus URLs in the text of .minus files and make them easily selectable. Selecting them should download the specified file. If the file downloaded is a .minus file, it should be displayed. If it is a .txt, .text, or .asc file, it should also be displayed, but without necessarily making URLs in the text selectable. All other files should be downloaded and saved to mass storage. The file names of files saved to mass storage will be the part of the specifier after the last /.

Minus does not allow for embedding other files in a .minus file such that they are displayed in the same window as the text. No URLs in the text should ever be automatically downloaded.

Display of Text in .minus Files

How the text of .minus files is displayed should be controlled by the client and its user. However, the text of the .minus file may indicate, with markings, what functions parts of the text play in the document.

For example, the text could indicate what lines of the document are headings and subheadings. This could be done by beginning the line with a # or more than one #, followed by a space. The client and its user could decide how headings should be displayed. Similarly, the ` could indicate the beginning and end of a code snippet, and the client could display these snippets differently from the rest of the text.

It is also acceptable for the client not to display marked text or markings differently from the rest of the text.

Minus Compared to Gopher, Gemini, and HTTP

Gemini is meant to be less complex and easier to implement than HTTP, but more complex than Gopher. Minus, on the other hand, is meant to be less complex and easier to implement than all of these others, including Gopher.

This simplicity is essential if the Internet is to, once again, become human-friendly.

HTTPS 1.1 and HTML5 are so complex that no single person can implement a server or a client that supports the entire HTTPS 1.1 and HTML5 standards. In fact it requires a large team of people to do so. It is, therefore, not surprising that there are very few clients or servers not based on some other client or server.

Because complexity is the enemy of security, this software is also insecure.

Perhaps the worst problem with HTTP 1.1 and HTML5 is the way, by design, that they spy on users of HTTPS 1.1 clients. In Minus, the only information communicated by the client to the server is the specifier that specifies the file to be downloaded. This is very different from HTTPS 1.1. Even worse, HTTPS 1.1 allows the server to download and store information on the client machine that is not explicitly requested by the user.

When I implemented my own Gopher server, I found that even Gopher has complexity I do not need or want. This is why I am doing this.

This document is 1117 words long. The official Gopher specification is 5395 words long. The official HTTP 1.1 specification is 61904 words long.

#internet #protocol #tcp #file-server #hypertext #http #gemini #gopher #minus #minus-protocol

57b731e9@nerdpol.ch

Minus Protocol and EasyGPG 4.55

Work on adding Minus support to EasyGPG is finished. I will wait 24 to 48 hours before I publish EasyGPG 4.55 to be certain that it is ready.

EasyGPG's Read text from the Internet will be the only way to read the EasyGPG Minus server until I (and possibly others) can produce some Minus clients.

Minus is based on Gopher. It is Gopher without the odd type codes and Gopher menus. Gopher menus are not human-readable. A Gopher client is necessary to present these menus in a human-friendly way.

Because Minus is based on Gopher, it is possible to translate Minus URLs into Gopher URLs. While you are waiting on EasyGPG 4.55, you can use EasyGPG 4.54.7 to browse the EasyGPG Minus server.

gopher://7hinc6ucgvwbcjjoe44lhzzxyjptb3da6tzl33oe7ezl2qgwlrkfe6yd.onion:1990/9/

This just replaces minus:// with gopher:// and adds :1990/9 after the TLD of the domain. This is actually the simple way that EasyGPG 4.55 supports Minus.

Of course, you must have Tor to use .onion domains. However, using EasyGPG, it is only necessary to have the Tor Browser running, and curl installed.

In the next few days I want to start development of a very simple Minus client and server that others can use. These will be implemented as BASH scripts. The CLI client will probably not make Minus URLs links, as required by the specification, so it will not yet be a complete client implementation. It will, however, handle Tor in the same user-friendly way that EasyGPG does.

I hope to make the server and client so easy to read and understand that others will produce their own better alternatives. This applies especially to Minus clients.

#internet #protocol #tcp #file-server #hypertext #http #gemini #gopher #minus #minus-protocol #easygpg #gpg #encryption #privacy #surveillance #security #cryptography
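The post above gives the exact rewrite from a Minus URL to a Gopher URL (replace minus:// with gopher:// and add :1990/9 after the host), and the specification posts define the three parts of a Minus URL with no port, userinfo, query or fragment. The following is an added example, not EasyGPG's or MinusBrowser's code: it parses a Minus URL into scheme, host and specifier, refuses the components Minus does not have, builds the one-line request, and performs that Gopher rewrite. The regular expression accepts host names and dotted IPv4 addresses; bracketed IPv6 literals are not handled, which is a simplification of this example.

```python
"""Minus URL handling on the client side (added example, not EasyGPG or MinusBrowser code)."""
import re
from typing import NamedTuple

MINUS_URL = re.compile(
    r"^(?P<scheme>minuss?)://"
    r"(?P<host>[A-Za-z0-9.\-]+)"          # FQDN, .onion name or dotted IPv4 address
    r"(?P<spec>/[A-Za-z0-9\-_/.]*)?$"     # specifier: only the characters the spec allows
)


class MinusURL(NamedTuple):
    scheme: str      # "minus" for plain TCP, "minuss" when TLS is used
    host: str        # where the TCP connection goes (port is always 1990)
    specifier: str   # the line the client sends; "/" when the URL has no path


def parse_minus_url(url: str) -> MinusURL:
    """Parse minus://host/specifier; raise ValueError for anything the spec does not allow.

    A port, userinfo, query (?), fragment (#) or a character outside the specifier
    alphabet all fail the match, so they can never leak into the request line.
    """
    m = MINUS_URL.match(url)
    if m is None:
        raise ValueError(f"not a valid Minus URL: {url!r}")
    return MinusURL(m.group("scheme"), m.group("host"), m.group("spec") or "/")


def request_line(url: str) -> bytes:
    """The whole request: the specifier and a newline. Nothing about the client is included."""
    return parse_minus_url(url).specifier.encode("ascii") + b"\n"


def to_gopher_url(url: str) -> str:
    """Rewrite a plain minus:// URL for a Gopher client: gopher:// scheme, Minus's port
    1990, and the Gopher type-9 (binary file) prefix, so the response is fetched as-is.
    """
    u = parse_minus_url(url)
    if u.scheme != "minus":
        raise ValueError("only plain minus:// URLs have a gopher:// equivalent")
    return f"gopher://{u.host}:1990/9{u.specifier}"
```

The rewrite works because a Minus transaction is a Gopher type-9 fetch with the specifier as the selector: the Gopher client connects to port 1990, sends the selector line, and reads until the server closes, which is exactly the Minus transaction.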

57b731e9@nerdpol.ch

First Release Version

Minus Protocol Specification

The Name of the Minus Protocol

The name Minus was inspired by Gopher Plus. Gopher Plus added features to Gopher; Minus subtracts features from Gopher.

Minus Transactions

Server: listens for TCP connections on port 1990
Client: opens a TCP connection to the server on port 1990
Server: accepts the TCP connection
Client: sends a file specifier that specifies the file to be downloaded
Server: sends the requested file or a UTF-8 text message explaining why the specified file was not sent
Server: closes the TCP connection

The specifier is one line of text which can contain only the characters inside the following quotation marks.

"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_/."

If the specifier is / or zero-length, the specifier will default to index.minus. This is similar to index.html in HTTP.

The error message mentioned above should be UTF-8 text with \n at the end of lines, and not \r\n.

There must be no other communication between the server and client. Notice that no information about the client is sent to the server.

Avoiding Information Exfiltration

Exfiltration of information from the client is prevented by only allowing the transaction above, but indirectly exfiltrating information from the server is still possible.

This could happen if all the files served are kept in one directory, and the selector is combined with the path name of this one directory to form the path name of the file served. This is obviously insecure, yet many file servers are designed this way. Such servers have to use various strategies to mitigate the insecurity created by this design.

A better design uses an index that contains entries for each file that can be served. Each entry relates a specifier to the path name of the file it specifies. With this design, only files listed in the index can be served, and the specifier need not contain any part of the path name of the file.

Transport Security

Minus is insecure unless TLS is used or the server is run as a Tor Onion Service. Running as a Tor Onion Service is preferred because it makes everything easier. No registration of a domain name is necessary, no TLS certificate is required, and both server and client are easier to implement without TLS.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

Minus URL Format

Here is an example of a Minus URL.

minus://vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion/index.minus

(There is not a server at this domain. This is just an example.)

This has three parts: the protocol (or scheme) minus://, the host (an FQDN or an IP address) vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion, and /index.minus (the specifier sent by the client to the server). See the section above for the complete list of characters allowed in a specifier.

Minus URLs must be the only thing on the line they appear in.

Minus URLs in .minus documents should be selectable links that open the specified document. In a GUI client, these should be clickable.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

The .minus File Type

Files with the .minus filename extension should be UTF-8 text files. The server should not limit the line length of lines in these files (as in Gopher). However, the client should.

Lines in .minus files should end with \n and not \r\n.

Minus URLs must be the only thing on the line they appear in.

The client should recognize Minus URLs in the text of .minus files and make them easily selectable. Selecting them should download the specified file. If the file downloaded is a .minus file, it should be displayed. If it is a .txt, .text, or .asc file, it should also be displayed, but without necessarily making URLs in the text selectable. All other files should be downloaded and saved to mass storage. The file names of files saved to mass storage will be the part of the specifier after the last /.

Minus does not allow for embedding other files in a .minus file such that they are displayed in the same window as the text. No URLs in the text should ever be automatically downloaded.

Display of Text in .minus Files

How the text of .minus files is displayed should be controlled by the client and its user. However, the text of the .minus file may indicate, with markings, what functions parts of the text play in the document.

For example, the text could indicate what lines of the document are headings and subheadings. This could be done by beginning the line with a # or more than one #, followed by a space. The client and its user could decide how headings should be displayed. Similarly, the ` could indicate the beginning and end of a code snippet, and the client could display these snippets differently from the rest of the text.

It is also acceptable for the client not to display marked text or markings differently from the rest of the text.

Minus Compared to Gopher, Gemini, and HTTP

Gemini is meant to be less complex and easier to implement than HTTP, but more complex than Gopher. Minus, on the other hand, is meant to be less complex and easier to implement than all of these others, including Gopher.

This simplicity is essential if the Internet is to, once again, become human-friendly.

HTTPS 1.1 and HTML5 are so complex that no single person can implement a server or a client that supports the entire HTTPS 1.1 and HTML5 standards. In fact it requires a large team of people to do so. It is, therefore, not surprising that there are very few clients or servers not based on some other client or server.

Because complexity is the enemy of security, this software is also insecure.

Perhaps the worst problem with HTTP 1.1 and HTML5 is the way, by design, that they spy on users of HTTPS 1.1 clients. In Minus, the only information communicated by the client to the server is the specifier that specifies the file to be downloaded. This is very different from HTTPS 1.1. Even worse, HTTPS 1.1 allows the server to download and store information on the client machine that is not explicitly requested by the user.

When I implemented my own Gopher server, I found that even Gopher has complexity I do not need or want. This is why I am doing this.

This document is 1117 words long. The official Gopher specification is 5395 words long. The official HTTP 1.1 specification is 61904 words long.

#internet #protocol #tcp #file-server #hypertext #http #gemini #gopher #minus #minus-protocol
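
The draft above says a client should treat a line as a link only when a Minus URL is the only thing on it, should display .minus, .txt, .text and .asc files, should save everything else under the part of the specifier after the last /, and should limit line length. The following is an added example of that client-side logic, written for this page; it is not code from the Minus Protocol Project or from MinusBrowser. The host syntax in the regular expression, the 4096-character line limit, and the policy of refusing to save empty or dot-prefixed names are assumptions, and the sample document is constructed (its .onion host is the draft's own non-existent example).

```python
import re
from collections import namedtuple

# Specifier alphabet copied from the draft; a URL whose specifier strays outside it is not a link.
ALLOWED = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_/.")
# The three parts of a Minus URL: scheme, host, specifier. The host syntax here (letters,
# digits, '.', '-') is an assumption; the draft only says FQDN or IP address.
URL_RE = re.compile(r"^(minus|minuss)://([A-Za-z0-9.\-]+)(/\S*)?$")
DISPLAY_EXTS = (".minus", ".txt", ".text", ".asc")
MAX_LINE = 4096  # the draft asks the client to limit line length but sets no number (assumption)

Link = namedtuple("Link", "lineno scheme tls host specifier action filename")


def parse_minus_url(line):
    """Return (scheme, host, specifier) if the whole line is a Minus URL, else None."""
    m = URL_RE.match(line)
    if m is None:
        return None
    scheme, host, spec = m.group(1), m.group(2), m.group(3) or ""
    if not set(spec) <= ALLOWED:
        return None
    return scheme, host, spec


def classify(spec):
    """Decide what to do with the file a specifier names: display it, save it, or refuse.
    The name of a saved file is the part of the specifier after the last '/'."""
    if spec in ("", "/"):
        return "display", None  # the server answers with index.minus
    name = spec.rsplit("/", 1)[-1]
    if name.endswith(DISPLAY_EXTS):
        return "display", None
    # The alphabet allows '.', so a specifier may end in "/", "/." or "/..". Refuse those
    # and, as a conservative client policy (assumption), any dot-file name, rather than
    # write them into the download directory.
    if name == "" or name.startswith("."):
        return "reject", None
    return "save", name


def extract_links(text):
    """Find the lines of a .minus document that are links: a line is a link only if the
    Minus URL is the only thing on it."""
    links = []
    for lineno, line in enumerate(text.split("\n"), 1):
        if line.endswith("\r"):  # \r\n is not allowed in .minus files; tolerate it on input
            line = line[:-1]
        if len(line) > MAX_LINE:
            continue  # over-long lines are never treated as links
        parsed = parse_minus_url(line)
        if parsed is None:
            continue
        scheme, host, spec = parsed
        action, filename = classify(spec)
        links.append(Link(lineno, scheme, scheme == "minuss", host, spec, action, filename))
    return links


# Constructed sample document; the .onion host is the draft's own (non-existent) example.
SAMPLE = "\n".join([
    "# Demo page",
    "A URL in running text like minus://example.net/inline.minus is not a link.",
    "minus://vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion/index.minus",
    "minuss://example.net/docs/notes.txt",
    "minus://example.net/files/archive.tar.gz",
    "minus://example.net/files/..",
    "minus://example.net/files/has space.txt",
    "gemini://example.net/other.gmi",
    "",
])

if __name__ == "__main__":
    for link in extract_links(SAMPLE):
        print(link)
```

Run stand-alone, the script lists four links from the sample: the two text files to display (one over TLS, marked by the minuss scheme), the archive to save as archive.tar.gz, and the "/files/.." link, which is refused because the specifier alphabet lets a publisher end a specifier in a dot sequence that would otherwise become the saved file name. The URL inside running text and the URL containing a space are not links at all.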

57b731e9@nerdpol.ch

Fifth preliminary draft

Minus Protocol Specification

The Name of the Minus Protocol

The name Minus was inspired by Gopher Plus. Gopher Plus added features to Gopher; Minus subtracts features from Gopher.

Minus Transactions

Server: listens for TCP connections on port 1990
Client: opens a TCP connection to the server on port 1990
Server: accepts the TCP connection
Client: sends a file specifier that specifies the file to be downloaded
Server: sends the requested file or a UTF-8 text message explaining why the specified file was not sent
Server: closes the TCP connection

The specifier is one line of text which can contain only the characters inside the following quotation marks.

"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_/."

If the specifier is / or zero-length, the specifier will default to index.minus. This is similar to index.html in HTTP.

The error message mentioned above should be UTF-8 text with \n at the end of lines, and not \r\n.

There must be no other communication between the server and client. Notice that no information about the client is sent to the server.

Avoiding Information Exfiltration

Exfiltration of information from the client is prevented by only allowing the transaction above, but indirectly exfiltrating information from the server is still possible.

This could happen if all the files served are kept in one directory, and the selector is combined with the path name of this one directory to form the path name of the file served. This is obviously insecure, yet many file servers are designed this way. Such servers have to use various strategies to mitigate the insecurity created by this design.

A better design uses an index that contains entries for each file that can be served. Each entry relates a specifier to the path name of the file it specifies. With this design, only files listed in the index can be served, and the specifier need not contain any part of the path name of the file.

Transport Security

Minus is insecure unless TLS is used or the server is run as a Tor Onion Service. Running as a Tor Onion Service is preferred because it makes everything easier. No registration of a domain name is necessary, no TLS certificate is required, and both server and client are easier to implement without TLS.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

Minus URL Format

Here is an example of a Minus URL.

minus://vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion/index.minus

(There is not a server at this domain. This is just an example.)

This has three parts: the protocol (or scheme) minus://, the host (an FQDN or an IP address) vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion, and /index.minus (the specifier sent by the client to the server). See the section above for the complete list of characters allowed in a specifier.

Minus URLs must be the only thing on the line they appear in.

Minus URLs in .minus documents should be selectable links that open the specified document. In a GUI client, these should be clickable.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

The .minus File Type

Files with the .minus filename extension should be UTF-8 text files. The server should not limit the line length of lines in these files (as in Gopher). However, the client should.

Lines in .minus files should end with \n and not \r\n.

Minus URLs must be the only thing on the line they appear in.

The client should recognize URLs in the text of .minus files and make them easily selectable. Selecting them should download the specified file. If the file downloaded is a .minus file, it should be displayed. If it is a .txt, .text, or .asc file, it should also be displayed, but without necessarily making URLs in the text selectable. All other files should be downloaded and saved to mass storage. The file names of files saved to mass storage will be the part of the specifier after the last /.

Minus does not allow for embedding other files in a .minus file such that they are displayed in the same window as the text. No URLs in the text should ever be automatically downloaded.

Display of Text in .minus Files

How the text of .minus files is displayed should be controlled by the client and its user. However, the text of the .minus file may indicate, with markings, what functions parts of the text play in the document.

For example, the text could indicate what lines of the document are headings and subheadings. This could be done by beginning the line with a # or more than one #, followed by a space. The client and its user could decide how headings should be displayed. Similarly, the ` could indicate the beginning and end of a code snippet, and the client could display these snippets differently from the rest of the text.

It is also acceptable for the client not to display marked text or markings differently from the rest of the text.

Minus Compared to Gopher, Gemini, and HTTP

Gemini is meant to be less complex and easier to implement than HTTP, but more complex than Gopher. Minus, on the other hand, is meant to be less complex and easier to implement than all of these others, including Gopher.

This simplicity is essential if the Internet is to, once again, become human-friendly.

HTTPS 1.1 and HTML5 are so complex that no single person can implement a server or a client that supports the entire HTTPS 1.1 and HTML5 standards. In fact it requires a large team of people to do so. It is, therefore, not surprising that there are very few clients or servers not based on some other client or server.

Because complexity is the enemy of security, this software is also insecure.

Perhaps the worst problem with HTTP 1.1 and HTML5 is the way, by design, that they spy on users of HTTPS 1.1 clients. In Minus, the only information communicated by the client to the server is the specifier that specifies the file to be downloaded. This is very different from HTTPS 1.1. Even worse, HTTPS 1.1 allows the server to download and store information on the client machine that is not explicitly requested by the user.

When I implemented my own Gopher server, I found that even Gopher has complexity I do not need or want. This is why I am doing this.

This document is 1116 words long. The official Gopher specification is 5395 words long. The official HTTP 1.1 specification is 61904 words long.

#internet #protocol #tcp #file-server #hypertext #http #gemini #gopher #minus #minus-protocol
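
The transaction in the draft above (one specifier line in, one file or error message out, then close) and its "Avoiding Information Exfiltration" section are small enough to show end to end. The following is an added example written for this page, not code from the Minus Protocol Project: a loopback server and client that run the transaction, with the server resolving specifiers through an index rather than by joining them onto a directory. The error wording, the 4096-byte request cap, the way the index treats a leading / and the sample files are all assumptions or constructed. The demo binds an ephemeral loopback port rather than the draft's port 1990 so that it runs without privileges or a network.

```python
import os
import socket
import tempfile
import threading

# Specifier alphabet, copied from the draft. Note that '.' and '/' are both allowed, so a
# specifier such as "/../secret.txt" passes this check: the character rule alone does not
# stop traversal, which is why the draft recommends an index.
ALLOWED = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_/.")
MINUS_PORT = 1990  # the draft's port; the demo below binds an ephemeral loopback port instead
ERROR_TEXT = "File not available.\n"  # constructed wording; the draft fixes only UTF-8 and \n


def normalize_specifier(line):
    """Validate one request line. Returns the specifier, or None if it is malformed."""
    spec = line.split("\n", 1)[0]
    if spec in ("", "/"):
        return "index.minus"  # default from the draft
    if not set(spec) <= ALLOWED:
        return None  # also rejects \r, space, '?', non-ASCII, ...
    return spec


def resolve_naive(root, spec):
    """The insecure design the draft warns against: join the specifier onto one directory."""
    return os.path.normpath(os.path.join(root, spec.lstrip("/")))


def resolve_indexed(index, spec):
    """The recommended design: only specifiers listed in the index map to a file."""
    return index.get(spec)


def handle_connection(conn, index):
    """Server side of one transaction: read one line, send the file or an error, close."""
    with conn:
        buf = b""
        while b"\n" not in buf and len(buf) < 4096:  # cap the request; the draft wants one line
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
        spec = normalize_specifier(buf.decode("utf-8", errors="replace"))
        path = resolve_indexed(index, spec) if spec is not None else None
        if path is None:
            conn.sendall(ERROR_TEXT.encode("utf-8"))
        else:
            with open(path, "rb") as f:
                conn.sendall(f.read())
    # leaving the 'with' block closes the connection: nothing else is ever exchanged


def serve_one(index):
    """Bind an ephemeral loopback port and serve one transaction in a thread.
    A real server would bind MINUS_PORT and loop over accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        handle_connection(conn, index)

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def fetch(host, port, spec, timeout=5.0):
    """Client side of one transaction: send the specifier line, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall((spec + "\n").encode("utf-8"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                return b"".join(chunks)
            chunks.append(data)


def demo():
    """Constructed sample site: one file listed in the index, one file outside it."""
    root = tempfile.mkdtemp()
    site = os.path.join(root, "site")
    os.mkdir(site)
    with open(os.path.join(site, "index.minus"), "w", newline="\n") as f:
        f.write("# Hello\nminus://example.onion/notes.txt\n")
    with open(os.path.join(root, "secret.txt"), "w", newline="\n") as f:
        f.write("not for serving\n")
    # The index lists the specifier forms the publisher wants to answer; whether a leading
    # '/' is significant is left open by the draft, so both forms are listed here (assumption).
    index = {"index.minus": os.path.join(site, "index.minus"),
             "/index.minus": os.path.join(site, "index.minus")}
    results = {}
    for spec in ("", "/index.minus", "/../secret.txt", "/no such.txt"):
        port, t = serve_one(index)
        results[spec] = fetch("127.0.0.1", port, spec).decode("utf-8")
        t.join()
    # what the join-with-a-directory design would have served for the traversal specifier
    results["naive"] = resolve_naive(site, "/../secret.txt") == os.path.join(root, "secret.txt")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(repr(k), "->", repr(v))
```

The point of the demo is the traversal specifier: "/../secret.txt" uses only allowed characters, so the character rule passes it, and resolve_naive shows that a server which joins it onto the site directory would hand out secret.txt. The indexed server never looks at the filesystem for a specifier it has not listed, so the same request gets the error text, as does the request with a space in it.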

57b731e9@nerdpol.ch

Third preliminary draft

Minus Protocol Specification

The Name of the Minus Protocol

The name Minus was inspired by Gopher Plus. Gopher Plus added features to Gopher; Minus subtracts features from Gopher.

Minus Transactions

Server: listens for TCP connections on port 1990
Client: opens a TCP connection to the server on port 1990
Server: accepts the TCP connection
Client: sends a file specifier that specifies the file to be downloaded
Server: sends the requested file or a UTF-8 text message explaining why the specified file was not sent
Server: closes the TCP connection

The specifier is one line of text which can contain only the characters inside the following quotation marks.

"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz 0123456789-_/."

If the specifier is / or zero-length, the specifier will default to index.minus. This is similar to index.html in HTTP.

The error message mentioned above should be UTF-8 text with \n at the end of lines, and not \r\n.

There must be no other communication between the server and client. Notice that no information about the client is sent to the server.

Security

Minus is insecure unless TLS is used or the server is run as a Tor Onion Service. Running as a Tor Onion Service is preferred because it makes everything easier. No registration of a domain name is necessary, no TLS certificate is required, and both server and client are easier to implement without TLS.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

Minus URL Format

Here is an example of a Minus URL.

minus://vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion/index.minus

(There is not a server at this domain. This is just an example.)

This has three parts: the protocol (or scheme) minus://, the host (an FQDN or an IP address) vdvfh9y003nvebcctyc67mnpl1fuvfayoh2qzyo9ksyj3m1so5idkyef.onion, and /index.minus (the specifier sent by the client to the server). See the section above for the complete list of characters allowed in a specifier.

Minus URLs in .minus documents should be selectable links that open the specified document. In a GUI client, these should be clickable.

If TLS is used, the scheme in the URL should be minuss:// instead of minus://.

Names of Files

The client must use the specifier that specified the file as its name, even though the file may be saved on the server with a different name. The client will not know what directories and files are on the server, nor how directories there are structured.

The .minus File Type

Files with the .minus filename extension should be UTF-8 text files. The server should not limit the line length of lines in these files (as in Gopher). However, the client should.

Lines in .minus files should end with \n and not \r\n.

The client should recognize URLs in the text of .minus files and make them easily selectable. Selecting them should download the specified file. If the file downloaded is a .minus file, it should be displayed. If it is a .txt, .text, or .asc file, it should also be displayed, but without necessarily making URLs in the text selectable. All other files should be downloaded and saved to mass storage, unless the client is also a browser for other file types (for example, .html).

Minus does not allow for embedding other files in a .minus file such that they are displayed in the same window as the text. No URLs in the text should ever be automatically downloaded.

Display of Text in .minus Files

How the text of .minus files is displayed should be controlled by the client and its user. However, the text of the .minus file may indicate, with markings, what functions parts of the text play in the document.

For example, the text could indicate what lines of the document are headings and subheadings. This could be done by beginning the line with a # or more than one #, followed by a space. The client and its user could decide how headings should be displayed. Similarly, the ` could indicate the beginning and end of a code snippet, and the client could display these snippets differently from the rest of the text.

It is also acceptable for the client not to display marked text or markings differently from the rest of the text.

Minus Compared to Gopher, Gemini, and HTTP

Gemini is meant to be less complex and easier to implement than HTTP, but more complex than Gopher. Minus, on the other hand, is meant to be less complex and easier to implement than all of these others, including Gopher.

This simplicity is essential if the Internet is to, once again, become human-friendly.

HTTPS 1.1 and HTML5 are so complex that no single person can implement a server or a client that supports the entire HTTPS 1.1 and HTML5 standards. In fact it requires a large team of people to do so. It is, therefore, not surprising that there are very few clients or servers not based on some other client or server.

Because complexity is the enemy of security, this software is also insecure.

Perhaps the worst problem with HTTP 1.1 and HTML5 is the way, by design, that they spy on users of HTTPS 1.1 clients. In Minus, the only information communicated by the client to the server is the specifier that specifies the file to be downloaded. This is very different from HTTPS 1.1. Even worse, HTTPS 1.1 allows the server to download and store information on the client machine that is not explicitly requested by the user.

When I implemented my own Gopher server, I found that even Gopher has complexity I do not need or want. This is why I am doing this.

This document is 988 words long. The official Gopher specification is 5395 words long. The official HTTP 1.1 specification is 61904 words long.

#internet #protocol #tcp #file-server #hypertext #http #gemini #gopher #minus #minus-protocol

bkoehn@diaspora.koehn.com

Alright, after a bit more puttering about I've got my #k3s #Kubernetes cluster networking working. Details follow.

From an inbound perspective, all the nodes in the cluster are completely unavailable from the internet, firewalled off using #hetzner's firewalls. This provides some reassurance that they're tougher to hack, and makes it harder for me to mess up the configuration. All the nodes are on a private network that allows them to communicate with one another, and that's their exclusive form of communication. All the nodes are allowed any outbound traffic. The servers are labeled in Hetzner's console to automatically apply firewall rules.

In front of the cluster is a Hetzner firewall that is configured to forward public internet traffic to the nodes on the private network (meaning the load balancer has public IPv4 and IPv6 addresses, and a private IPv4 address that it uses to communicate with the worker nodes). The load balancer does liveness checks on each node and can prevent non-responsive nodes from receiving requests. The load balancer uses the PROXY protocol to preserve source #IP information. The same Hetzner server labels are used to add worker nodes to the load balancer automatically.

The traffic is forwarded to an #nginx DaemonSet which k3s keeps running on every node in the cluster (for high availability), and the pods of that DaemonSet keep themselves in sync using a ConfigMap that allows tweaks to the nginx configuration to be applied automatically. Nginx listens on the node's private IP ports and handles #TLS termination for #HTTP traffic and works with Cert-Manager to maintain TLS certificates for websites using #LetsEncrypt for signing. TLS termination for #IMAP and #SMTP are handled by #Dovecot and #Postfix, respectively. Nginx forwards (mostly) cleartext to the appropriate service to handle the request using Kubernetes Ingress resources to bind ports, hosts, paths, etc. to the correct workloads.

The cluster uses #Canal as a #CNI to handle pod-to-pod networking. Canal is a hybrid of Calico and Flannel that is both easy to set up (basically a single YAML) and powerful to use, allowing me to set network policies to only permit pods to communicate with the other pods that they need, effectively acting as an internal firewall in case a pod is compromised. All pod communication is managed using standard Kubernetes Services, which behind the scenes simply create #IPCHAINS to move traffic to the correct pod.

The configuration of all this was a fair amount of effort, owing to Kubernetes' inherent flexibility in the kinds of environments it supports. But by integrating it with the capabilities that Hetzner provides I can fairly easily create an environment for running workloads that's redundant and highly secure. I had to turn off several k3s "features" to get it to work, disabling #Traefik, #Flannel, some strange load balancing capabilities, and forcing k3s to use only the private network rather than a public one. Still, it's been easier to work with than a full-blown Kubernetes installation, and uses considerably fewer server resources.

Next up: storage! Postgres, Objects, and filesystems.

prplcdclnw@diasp.eu

New Release: Tor Browser 11.0.3

Tor Browser 11.0.3 is now available from the Tor Browser download page and also from our distribution directory.

https://blog.torproject.org/new-release-tor-browser-1103/

This release updates Firefox to 91.4.1esr and picks up a number of bug fixes. In particular, this release should fix various extension-related and crash issues Windows users were experiencing. Additionally, Linux users, especially on Ubuntu and Fedora systems, were reporting fonts not properly rendering, which should be solved by this release.

We used the opportunity to upgrade various components to their respective latest versions as well: Tor to 0.4.6.9, OpenSSL to 1.1.1m, and snowflake for enhanced censorship resistance.

#tor #tor-browser #tor-project #browser #web-browser #www #world-wide-web #internet #http #https #html #firefox #firefox-esr

taz@pod.geraspora.de

Developer with a focus on #XML / #XSLT for #taz.de, full-time, wanted immediately

The #taz was the first online-readable daily newspaper in Germany. It still offers, every day, the opportunity to do things differently, and it is still independent of any corporate group. Do you want to shape the increasingly digital future of journalism with us? We offer a cooperative environment that leaves room for professional development and creativity, but which also requires strategic thinking and the willingness to solve everyday problems on your own responsibility.

For our web infrastructure we are looking, at short notice, for a colleague with practical professional experience in development in the area of DATA MANAGEMENT, TRANSFORMATION AND ANALYSIS; career changers are welcome. It is important to us that you are not just a team player but that you prefer working together with others, flexibly and also with non-technical people.

In the area of DATA MANAGEMENT, TRANSFORMATION AND ANALYSIS we integrate backend systems into our frontend taz.de. We know the application interfaces of our backends and transform them into a uniform XML format. In doing so we communicate closely with Unix system administration and frontend development as well as with internal users, external clients and IT specialists. New backend systems and techniques challenge us again and again, and again and again the job is to find and optimise rebuilds or errors in existing infrastructure. We are responsible for the import and export of data around taz.de.

Requirements:
* Confident use of XML, #XPath and XSLT (version 1.0).
* You can read and write #Bash scripts.
* You are not afraid to operate on production Debian machines from the command line, to examine strings down to their hexadecimal representation, to analyse server log files and to try to understand stack traces.
* You have experience with #SQL as well as #NoSQL / document-oriented databases.
* You have experience with networked server systems and interfaces, in particular #REST, #RPC, #AMQP and #HTTP.
* You understand system and database architecture, keep the big picture in view, and care about topics such as performance, data minimisation and data protection as well as security and maintainability.
* You have experience with content management systems, ideally having also used them #headless.
Experience with #Git, #SVN, #Apache HTTP Server configuration, regular expressions and #JSON would be great. Experience with a further programming language, especially a declarative/functional one, is an advantage.
* Analytical thinking and the ability to keep track of complex relationships.
* Very good self-organisation and planning ability; in particular, you can familiarise yourself with techniques on your own using technical (and mostly English-language) documentation.
* Working independently and staying power, even when it gets stressful.
* Experience in the news and publishing sector is an advantage.

If you feel like working, in an environment that is still politically motivated, as part of the web developer team, also across departments with a wide variety of interesting people, with product development, IT, the editorial staff and the publishing side as well as external service providers, get in touch.

At the taz we offer not only a collegial working environment but also family-friendly working hours (a flexible 36.5-hour full-time week and 30 days of holiday per year); there is a decent, subsidised lunch in the #taz café and the option of using a company bicycle (Job Rad).

We want to become more diverse. We therefore particularly welcome applications from people of colour and people with disabilities. Your perspectives matter to us and should be represented at the taz. The workplaces and toilets are largely barrier-free. The taz café is wheelchair accessible.

Send us your application and show us which skills and experience you would like to develop at the taz. This is a full, permanent position starting at taz pay group V. The start date is the earliest possible. Feel free to tell us when you could start, and send your application to webjob@taz.de.

https://t3n.de/jobs/job/taz/entwickler-in-mit-schwerpunkt-xml-xslt-fuer-taz-de-in-vollzeit-ab-sofort-gesucht/

#Datenmanagement #Datenanalyse #Datentransformation #Stellenangebot #Stellenangebote #Job #Jobs #Arbeit #Brot

aktionfsa@diasp.eu

24 Sep 2021: Microsoft Outlook offers hackers "opportunities"

Attackers can use "Autodiscover" too

Microsoft has built into its Windows mail program Outlook a function called "Autodiscover" that is invisible to the user. It is meant to help with setting up a mail account: it automatically looks up the settings of the e-mail server belonging to a mail address.

As Heise now writes: "... security researchers at the company Guardicore have now documented successful attempts to spy out such login data via Autodiscover. They concentrated mainly on Windows credentials. In just under four months they managed to capture more than 372,000 login attempts for Windows domains. These yielded the credentials of 96,671 Windows accounts, in plain text."

With this "Autodiscover" program, Microsoft has in many cases effectively hacked itself, because it allowed the program to carry out creative tests and even supported those tests from its (Outlook) Exchange servers. It also came back to bite them that this communication fell back to HTTP when valid certificates were missing, and was therefore readable in plain text. Similar security holes had already been registered in 2017 as CVE-2016-9940 and CVE-2017-2414; now they are facing the same pile of broken glass again.

Users cannot do anything for the moment; it is up to server admins to block "illegitimate" Autodiscover requests with their firewall settings.
But users can do something: they can look after their privacy and switch to open-source Linux programs!

More on this at https://www.heise.de/news/Autodiscover-Exchange-Protokoll-leakt-Windows-Anmeldedaten-ins-oeffentliche-Netz-6199548.html
Link to this page: https://www.aktion-freiheitstattangst.org/de/articles/7778-20210924-microsoft-outlook-bietet-hackern-moeglichkeiten.htm
Link in the Tor network: http://a6pdp5vmmw4zm5tifrc3qo2pyz7mvnk4zzimpesnckvzinubzmioddad.onion/de/articles/7778-20210924-microsoft-outlook-bietet-hackern-moeglichkeiten.htm
Tags: #Windows #Outlook #Mailprogramm #sozialeNetzwerke #Microsoft #Autodiscover #Cyberwar #Hacking #Verbraucherdatenschutz #Datenschutz #Datensicherheit #Ergonomie #Datenpannen #HTTP #Klartext

christophs@diaspora.glasswings.com

HTTP/2: The Sequel is Always Worse | PortSwigger Research

HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. In this paper, I'll introduce multiple new classes of HTTP/2-exclusive threats caused by both implementation flaws and RFC imperfections.

#http2 #http #security #rfc

https://portswigger.net/research/http2

taz@pod.geraspora.de

Yet another job advertisement

Web developer with a focus on frontend, full- or part-time, for taz.de, wanted immediately

The #taz was the first online-readable daily newspaper in Germany. It still offers, every day, the opportunity to do things differently, and it is still independent of any corporate group.
Do you want to shape the increasingly digital future of journalism with us? We offer a cooperative environment that leaves room for professional development and creativity, but which also requires strategic thinking and the willingness to solve everyday problems on your own responsibility.

We are looking, at short notice, for a colleague with practical professional experience in web development; career changers are welcome. It is important to us that you are not just a team player but that you prefer working together with others, including non-technical people.

Many changes are coming in the frontend area of taz.de. We are currently redesigning and rebuilding our publishing section. Next, the #taz plans to relaunch the editorial section. In the process we will rethink and change a great deal. In addition to maintaining and developing taz.de, a colourful bouquet of topics awaits you: data protection, tracking, ads, SEO, structured data, feeds, accessibility and much more.

Requirements:

If you feel like working, in an environment that is still politically motivated, as part of the web developer team, also across departments with a wide variety of interesting people, with product development, IT, the editorial staff and the publishing side, get in touch.
At the taz we offer not only a collegial working environment but also family-friendly working hours (a flexible 36.5-hour full-time week; remote work is currently desired until further notice because of Corona, and working from home remains possible in principle afterwards; 30 days of holiday), and there is a decent (and subsidised) lunch in the taz café.
We want to become more diverse. We therefore particularly welcome applications from people of colour and people with disabilities. Your perspectives matter to us and should be represented at the taz. The workplaces and toilets are largely barrier-free. The taz café is wheelchair accessible.
Send us your application and show us which skills and experience you would like to develop at the taz.
This is a full, permanent position starting at taz pay group V. Part-time would also be conceivable if full-time is not possible for you. The start date is the earliest possible. Feel free to tell us when you could start, and send your application to webjob@taz.de.

We also welcome forwarding; you can find the job advertisement at https://taz.de/jobs as well.

#job #jobs #arbeit #anstellung #jobangebot