Experience sessions like this live at SharkFest'25 US, happening June 14–19 in Richmond, VA. Join industry experts and fellow enthusiasts for hands-on labs, in-depth lectures, and unparalleled networking opportunities.
https://www.youtube.com/watch?v=Cq6yj9se9M4
Secure your spot today: https://sharkfest.wireshark.org/sfus
Ooh, what’s this?… Look Over There!
(With apologies to Jaida Essence Hall)
So the little app I teased earlier is ready and deployed and I have our own instance running at:
https://look-over-there.small-web.org
Look Over There! lets you forward multiple domains to different URLs with full HTTPS support.
Why?
We have a number of older sites that are becoming a chore/expensive to maintain and yet I don’t want to break the web. So I thought, hey, I’ll just use the “url forwarding” feature of my domain registrar to forward them to their archived versions on archive.org.
Ah, not so fast, young cricket… seems some domain registrars’ implementations of this feature do not work if the domain being forwarded is accessed via HTTPS (yes, in 2025).
So, given Kitten¹ uses Auto Encrypt² to automatically provision Let’s Encrypt certificates, I added a domain forwarding feature to it and created Look Over There! as a friendly/simple app that provides a visual interface to it.
To see it in action, hit https://cleanuptheweb.org and you should get forwarded to the archived version of it on archive.org. I’m going to be adding more of our sites to the list in the coming days as part of an effort to reduce my maintenance load and cut down our expenses at Small Technology Foundation.
Since it’s Small Web, this particular instance is just for us. However, you can run your own copy on a VPS (or even a little single-board computer at home, etc.) A link to the source code repository is on the site. Once Domain³ is ready for use (later this year 
), setting up your own instance of a Small Web app at your own server will take less than a minute.
I hope this little tool, along with the 404→307 (evergreen web) technique⁴, helps us to nurture an evergreen web and avoid link rot. (And the source code, as little as there is because Kitten does so much for you, is a good resource if you want to learn about Kitten’s new class-based component and page model which I haven’t yet had a chance to properly document.)
Enjoy!
¹ https://kitten.small-web.org
² https://codeberg.org/small-tech/auto-encrypt
³ https://codeberg.org/domain/app
⁴ https://4042307.org
![Screenshot of the unauthenticated index page of Look Over There!, running at look-over-there.small-web.org.
Full text:
Look Over There!
(With apologies to Jaida Essence Hall)
Kitten logo: a minimalist illustation of an adorable kitten’s head with pink nose and ears. Made with Kitten
This is a domain redirection (URL forwarding) server.
Look Over There! was written to help with web archiving. You can use it to forward your old sites to their archived versions on archive.org (or to any other web URL) to ensure existing links to your site do not break.
Things you can do here
Administer this server[1]
View source[2]
Learn about Kitten, the Small Web framework/server used to create/run this app.
Requires authentication. ↩︎
And perhaps run your own server? ↩︎
Look Over There! automatically provisions SSL certificates redirected domains.
Due to Let’s Encrypt rate limits, you can add up to 98 redirections (maximum 10 every 3 hours).
Look Over There! is part of a series of tools and processes by Small Technology Foundation to cultivate an evergreen web where we don’t arbitrarily break old links.
Another such initiative is 404 → 307, where missing pages on the latest version of a site are forwarded to the old version of a site that is still running on a different server.
Kitten, which Look Over There! is written in, has native support for 404 → 307.](https://s3-eu-central-1.amazonaws.com/mastodon-aral/media_attachments/files/114/417/303/356/766/618/original/922cd5bd5949fb38.png)
Chatter: The Stealthy Chat System That Bypasses Firewalls
Discover Chatter, an innovative chat platform designed to mimic TLS 1.2 traffic while maintaining stealth and security. This article dives deep into its architecture, features, and the alarming implic...
https://news.lavx.hu/article/chatter-the-stealthy-chat-system-that-bypasses-firewalls
OpenSSL 3.5 is available now and will be supported until April 2030
https://www.admin-magazine.com/News/OpenSSL-3.5-Released?utm_source=mam
#OpenSSL #QuantumComputing #PQC #TLS #QUIC
Don't trust security check websites.
I just went through 10 online #TLS checkers from <https://techarry.com/top-ssl-tls-testing-tools-open-source-online-scanners/>, and only 2 of them (<https://testtls.com/> and <https://www.ssllabs.com/ssltest/>) even managed to scan the #IPv6-only site I was scanning. For all the others: How do you expect to run a comprehensive test when you can't even resolve half the addresses?
Die maximale Laufzeit von digitalen Zertifikaten für verschlüsselte Verbindungen zu Web- und anderen Servern wird sich künftig drastisch verkürzen. Im Jahre 2029 sind diese statt mit 398 Tagen nur noch mit 47 Tagen Laufzeit ausgestattet.
Zum Artikel: https://heise.de/-10352867?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon
happened early April, but worth sharing. Certs will only have 47 days of validity by 2029. validity lengths will progressively get shorter from march 2026 until then. Reusing domain validation material will be limited to 10 days.
IMO this is a very good thing.
this is diff to the very short validity certs that can be issued now. Lets Encrypt will offer 6 day certs by end of yr
I'm sure cleaner versions will be released, but here's the diff
How TCP really works: Top 3 things you need to know!
YouTube video with the amazing Chris Greer: https://youtu.be/Auwn3RWapRE
https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days
The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates.
The maximum certificate lifetime is going down:
- As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.
- As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.
- As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.
In the hope that someone here knows more Java than .. asking for a friend ... or something:
Is there a way to get more information from #Java when outbound #TLS connections fail (trust issues, for example)? And I do not want to enable debugging in the JVM; that would give me gigabytes of logs per second (yes, really). I basically want the application to make a connection, see it fail, and then handle that exception cleanly while also picking up precisely what the error was: Unknown CA, expired certificate, invalid usage flags, etc.
I'm clearly not a Java developer, just a sysadmin who is really frustrated with the extremely unhelpful Internet right now. I really don't need to be told "just turn off validation" or "just use ...javax.net.debug".
Folien vom Dozenten: "Sicherheit: Datenübertragung mit SSL-Protokoll"
Ich will hoffen, dass er TLS und nicht SSL meint
System Administration
Week 8, HTTPS & TLS
After discussing HTTP in the previous week and seeing how we used STARTTLS in the context of #SMTP, we are now quickly reviewing HTTPS, TLS, and the WebPKI. While we don't have a video segment for this, here are slides, including this handy diagram illustrating the CSR process:
Join Sake Blok for his pre-conference class at SharkFest'25 US on June 16th:
"SSL/TLS Troubleshooting with Wireshark"
This hands-on session will take your troubleshooting skills to the next level, helping you diagnose complex network issues like a pro.
Secure your spot: https://sharkfest.wireshark.org/sfus
System Administration
Week 8, The Simple Mail Transfer Protocol, Part II
In this video, we observe the incoming mail on our MTA, look at how STARTTLS can help protect information in transit, how MTA-STS can help defeat a MitM performing a STARTTLS-stripping attack, and how DANE can be used to verify the authenticity of the mail server's certificate.
So after listening to your feedback, I agree: let’s spend that money in the EU to create a publicly-owned, free and open ACME-compatible certificate authority.
See post quoted below, with links to Tom’s work as he’s already been thinking/working on this.
#EU #ACME #TLS #security #LetsEncrypt #technologyCommons #SmallTech https://mamot.fr/@tdelmas/114224564125819333
Let’s Encrypt at risk from Trump cuts to OTF: “Let’s Encrypt received around $800,000 in funding from the OTF”
Dear @EUCommission, get your heads out of your arses and let’s find @letsencrypt €1M/year (a rounding error in EU finances) and have them move to the EU.
If Let’s Encrypt is fucked, the web is fucked, and the Small Web is fucked too. So how about we don’t let that happen, yeah?
(In the meanwhile, if the Let’s Encrypt folks want to make a point about how essential they are, it might be an idea to refuse certificates to republican politicians. See how they like their donation systems breaking in real time…)
CC @nlnet @NGIZero@mastodon.xyz
#USA #fascism #OpenTechFund #LetsEncrypt #SSL #TLS #encryption #EU #web #tech #SmallWeb #SmallTech https://mastodon.social/@publictorsten/114223873439053263
@sbb@c.imAfter mulling over how to use SSL within a LAN in a way that I felt really satisfied with, it took me well over 20 years! Did that ever take a long time.
#SelfHosting #TLS #SSL #web #infosec
Are you currently using #Cockpit with the builtin self-signed #TLS #certificate fallback? We would like to deprecate this, but need your input for that. Thank you in advance!
https://github.com/cockpit-project/cockpit/discussions/21695
So, apparently, it is no longer possible to require #HTTPS client certificate authentication for a specific subtree when using #TLS 1.3, because renegotiation is no longer supported and there is no replacement protocol for “hey client, if you want to go in there, I'm gonna need to see your certificate first.”
Lovely. I was using that. 
