spazef0rze.bsky.social
In your web, securing your app. Hacker, webdev, speaker, engineer. Security shoptet.cz, ex-report-uri.com, ex-teenager. HTTPS = How To Transfer Private Sh💩. Also https://infosec.exchange/@spazef0rze
32 posts 1,047 followers 49 following

Newcomers to password cracking should learn that in 1991 the 1st well-known password cracker @alecmuffett.bsky.social's Crack introduced applying rules & permutations to dictionary words, such as substituting numbers for letters, reversing words, appending digits, & other common user habits. 1/3

Some time ago, my mobile Chrome seemingly removed the option to view page source by prefixing the URL with `view-source:`. It always goes to Google whenever I hit Enter on the on-screen keyboard. Not sure why, but now you have to select/tap the other item in the URL bar, the one with the globe.

New Safari is going to show a warning when HTTPS uses 3DES cipher suites, which should not really be used anymore github.com/WebKit/WebKi... The warning will be similar to the TLS 1.0/1.1 warning. Safari Tech Preview 213 already shows it webkit.org/blog/16461/r...

Let's Encrypt is ending their certificate expiration notification emails in June letsencrypt.org/2025/01/22/e... I liked the service not as primary means of notifying me I should renew my certs, but as a notification that the renewal has failed. A renewal failure usually means I messed something up.

Nice 0-click deanonymization attack targeting Signal and Discord using Cloudflare cache metadata in the Cf-Ray HTTP header that contains the data center code (e.g. PRG for Prague). The reporter found a way to ask Cloudflare datacenters if the resource is cached there gist.github.com/hackermondev...

Had to send someone a hard drive with some data and wanted to know if no one had copied them when the drive was in the hands of the courier company. Yes, that's "tamper-evident" nail polish and tape 💅

"We and our 1276 technology partners ask you to consent to the use of cookies to store and access personal data on your device." 1276... technology... partners. I don't usually see those popups, my content blocker hides them, but this one caught my attention... that's a crazy number.

Let’s Encrypt will begin offering short lived certificates (6 days) next year! letsencrypt.org/2024/12/11/e...

It is quite interesting, but not unexpected, that rejecting an invalid CVE takes more time than publishing the invalid CVE. Publishing an invalid CVE can be (ab)used to DoS builds or CI/CD pipelines when you also check for vulnerable 3rd party libs (which you should) and block the build when found.
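One defensive take on the build gating described in the post above, as an added example that is not the author's code: a gate that ignores REJECTED CVE records, warns instead of blocking on findings the CNA has tagged as disputed, and honours only time-limited, reviewed waivers, so a bogus record cannot stall the pipeline for long and an expired waiver does not silently stay open. The finding shape is constructed for this example, not any real scanner's output; the state/tag fields mirror cveMetadata.state and the CNA tags of CVE JSON 5 as assumed here.

```python
from dataclasses import dataclass
from datetime import date

# Constructed finding shape (not a real scanner's output). 'state' mirrors
# cveMetadata.state in CVE JSON 5 (PUBLISHED or REJECTED); 'tags' mirrors the
# CNA container tags, where "disputed" is one defined value (assumption).
@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str            # LOW, MEDIUM, HIGH or CRITICAL
    state: str = "PUBLISHED"
    tags: tuple = ()

BLOCKING = {"HIGH", "CRITICAL"}   # severities that fail the build

def gate_build(findings, waivers, today):
    """Decide per finding whether it blocks the build.

    waivers: {cve_id: expiry_date} for reviewed, time-limited exceptions.
    Returns (blocked, decisions); decisions maps CVE id -> action:
      "ignore"  rejected record, never counts
      "warn"    below the blocking threshold, disputed, or under a live waiver
      "block"   blocking severity with no live waiver (expired waivers block)
    """
    decisions = {}
    for f in findings:
        if f.state == "REJECTED":
            decisions[f.cve] = "ignore"
        elif f.severity not in BLOCKING or "disputed" in f.tags:
            decisions[f.cve] = "warn"        # policy choice: review, don't stall
        elif waivers.get(f.cve) is not None and waivers[f.cve] >= today:
            decisions[f.cve] = "warn"        # waiver still valid
        else:
            decisions[f.cve] = "block"
    return "block" in decisions.values(), decisions

def sample_run():
    """Constructed findings with placeholder CVE ids, evaluated on 2025-06-01."""
    findings = [
        Finding("CVE-EXAMPLE-1", "libfoo", "HIGH"),                     # block
        Finding("CVE-EXAMPLE-2", "libbar", "CRITICAL", state="REJECTED"),  # ignore
        Finding("CVE-EXAMPLE-3", "libbaz", "HIGH", tags=("disputed",)),   # warn
        Finding("CVE-EXAMPLE-4", "libqux", "HIGH"),                     # waived -> warn
        Finding("CVE-EXAMPLE-5", "libquux", "LOW"),                     # warn
    ]
    waivers = {"CVE-EXAMPLE-4": date(2025, 12, 31)}
    return gate_build(findings, waivers, date(2025, 6, 1))

if __name__ == "__main__":
    blocked, decisions = sample_run()
    print("build blocked:", blocked, decisions)
```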

Safari 18.2 released 3 days ago has HTTPS-first/by-default mode: "Safari 18.2 on iOS, iPadOS, and visionOS will always try to load webpages over secure connections first, i.e. HTTPS by default. Only if the secure page load fails will Safari fall back to non-secure HTTP." webkit.org/blog/16301/w...

Just discovered a cool fact: "the last day of February, April 4 (4/4), June 6 (6/6), August 8 (8/8), October 10 (10/10), and December 12 (12/12) all occur on the same day of the week in any year." This year it's Thursday, today. en.wikipedia.org/wiki/Doomsda...

I love website easter eggs! og:image is a pic displayed when the link is shared on Facebook etc. and in this case it's just a logo but still. Nice one altisport #iddqd

A planned DSL outage earlier today, but luckily they gave me unlimited mobile data to use during the outage, or so they thought. Turned out the cell tower was also affected 😆

I was worried for a second that browsers like Chrome, Edge and Firefox will soon run out of version numbers (all are version 131 now) but then I checked my Teams version number: You have Microsoft Teams version 24295.605.3225.8804.

nginx 1.27.3 released yesterday disabled TLS 1.0 and TLS 1.1 protocols by default, nice nginx.org/en/CHANGES

Currently listening to @scotthelme.bsky.social and @troyhunt.bsky.social talking about PCI DSS (Payment Card Industry Data Security Standard) 4.0.1 new requirements, Magecart attack (more like attacks, sadly) and stuff.

Signature-based SRI is being spec'd right now: wicg.github.io/signature-ba... This will be useful for many use cases and become relevant for PCIv4 compliance, which requires assuring the integrity of sourced scripts (6.4.3). Please chime in and share your use cases: github.com/WICG/signatu...

Hey BlueSky! In case you missed it: I've created cspbypass.com, a site where you can search for known CSP bypass gadgets to gain XSS. It already contains a bunch of useful gadgets with contributions from your favourite hackers. If you have some CSP bypasses to share, feel free to contribute!

Origin, site, eTLD, eTLD+1 and PSL are the terms I use in almost every post or talk and I needed a place to explain and compare them. This post started as a talk about something completely different, so... now I have to write the original one, too 😅 www.michalspacek.com/origin-site-...