Hacker News | weddpros's comments

You know what was an actual issue, one that any AI would have correctly identified as an issue, but HackerOne dismissed? The 1.1.1.1 rogue certificate that later made the news...

Really neat! It seems backspace in autocomplete is broken: it does NOOP (OSX Safari & Chrome)


Sorry, going to redeploy the docs today, it’s already fixed in the latest patch


I built https://SSLboard.com to manage your certificates at any scale and see what’s deployed, where and how. It’s using Certificate Transparency to inventory your certificates so it requires minimal input but provides a complete audit of deployed certificates.

Automation isn't enough: qualys.com (famous for SSLLabs.com) is currently serving an expired certificate (expired 8 days ago). They know their job very well, but without a tool to thoroughly and systematically inventory your certificates, you'll miss it.


Thanks


My HackerOne dismissal reads

"Although your finding might appear to be a security vulnerability, after reviewing your submission it appears this behavior does not pose a concrete and exploitable risk to the platform in and on itself. If you're able to demonstrate any impact please let us know, and provide an accompanying working exploit."

I was disappointed, and as far as I'm concerned, HackerOne is 2/2 dismissals.


We'll have AGI the day an AI mocks us for trying to censor it


Maybe we should avoid training AI with AI-generated content: that's a use case I would defend.

Still I believe MIME would be the right place to say something about the Media, rather than the Transport protocol.

On a lighter note: we should consider second-order consequences. The EU commission will demand its own EU-AI-Disclosure header be sent to EU citizens, and will require consent from the user before showing him AI-generated stuff. The UK will require age validation before showing AI stuff to protect the children's brains. France will use the header to compute a new tax on AI-generated content, due by all online platforms that want to show AI-generated content to French citizens.

That's a Pandora's box I wouldn't even talk about, much less open...


> The EU commission will demand its own EU-AI-Disclosure header be sent to EU citizens, and will require consent from the user before showing him AI-generated stuff. The UK will require age validation before showing AI stuff to protect the children's brains. France will use the header to compute a new tax on AI-generated content, due by all online platforms that want to show AI-generated content to French citizens.

I think the recent drama related to the UK's Online Safety Act has shown that people are getting sick of country-specific laws simply for serving content. The most likely outcome is sites either block those regions or ignore the laws, realizing there is no practical enforcement avenue.


> Maybe we should avoid training AI with AI-generated content: that's a use case I would defend.

If this takes off I'll:

   - tag my actual content (so they won't train on it)
   - not tag my infinite spider web of automatically generated slop output (so it'll poison the models)

Win-win!


then they'll start ignoring the header and it'll be useless

(of course, it was never going to be useful)


Content-Type/MIME type is for the format.

There are dedicated headers for other properties, e.g. language.


Actually you're 100% correct.

Feels weird to me that encoding is part of MIME, but language isn't, although I understand why.


Yeah. The reason is that charset is specific to text types. Language can apply to many media.

Though FWIW, I think the Content-Encoding header is basically a mistake; it should have been Content-Transform.


It depends, but for example if I wanted to train a LoRA that outputs a certain art style from a specific model, I have no issue with this being done. It's not like you are making a model from scratch.


You could see expiring certificates as a chance to examine your security regularly: protocols and ciphers change, bugs are fixed, vulnerabilities are discovered and fixed.

Set up and forget is never good for security. From what I see with sslboard.com (I'm the founder), all hosts serving old expired certificates also have bad TLS versions and ciphers (RC4, DES) and vulnerabilities.


I think it's more a matter of scale. If you need SSL certificates for hundreds of appliances and you want to manage it, rather than hack it, that's the product you need.


There's a scale beyond which the real challenge isn't issuing a certificate.

I see organisations with thousands of SSL certificates, and their struggle is real. Even reputable companies with huge teams have their certificates expire or served badly. Some serve expired certificates for years!

Plus, enterprise alternatives are extremely costly and rigid.


All the more reason to automate the renewal of certificates.


Sure! yet automation only solves one problem (until it doesn't). Inventory and control/accountability is still needed at scale, and automation doesn't provide it.


Seeing how people are worried about third parties issuing certificates, I encourage using a tool to monitor CT Logs. It really makes the fog of war disappear around your certificates.

https://crt.sh for point in time checks, https://sslboard.com for comprehensive oversight (disclosure: I'm the founder)
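The two comments above (monitoring CT logs for third-party issuance, and the earlier one about a well-known site quietly serving an expired certificate) both come down to reconciling what CT shows was issued against what you expect. The script below is an added example, not code from sslboard.com, crt.sh or the commenter: it takes a crt.sh-style JSON search result, collapses precertificate/leaf pairs by serial, and reports expired, soon-to-expire, and unexpectedly-issued certificates plus any name that no currently valid certificate covers (the renewal gap that actually matters, since an expired cert in CT is normal once it has been superseded). The input is constructed to mimic crt.sh's `?q=<domain>&output=json` shape, the field names and the allowlist are assumptions, and a CT-based inventory only shows issuance: it cannot tell you which certificate a host is actually serving, and certificates from a private CA never appear in CT at all.

```python
"""Reconcile Certificate Transparency search results against an expected inventory.

Added example (not sslboard.com's or crt.sh's code). The JSON below is constructed
to resemble crt.sh's output for a domain search; field names are an assumption.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one renewed cert (precert + leaf share serial 03a1), one cert
# close to expiry, and one issued by a CA that is not on our allowlist.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59",
     "serial_number": "03A1"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59",
     "serial_number": "03a1"},  # same serial as id 1: precert and leaf, count once
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "api.example.com", "name_value": "api.example.com",
     "not_before": "2024-03-20T00:00:00", "not_after": "2024-06-18T23:59:59",
     "serial_number": "07bc"},
    {"id": 4, "issuer_name": "C=XX, O=Some Other CA, CN=Some Other CA G2",
     "common_name": "vpn.example.com", "name_value": "vpn.example.com",
     "not_before": "2024-04-01T00:00:00", "not_after": "2025-04-01T23:59:59",
     "serial_number": "1f9e"},
])

# Assumption: the organisation only expects issuance from these issuer RDNs.
ISSUER_ALLOWLIST = {"O=Let's Encrypt"}

# Fixed "now" so the example is deterministic (assumed point in time).
SAMPLE_NOW = datetime(2024, 5, 25, tzinfo=timezone.utc)


def parse_ct_entries(json_text):
    """Parse crt.sh-style rows into one record per serial (precert + leaf collapse)."""
    by_serial = {}
    for row in json.loads(json_text):
        serial = row["serial_number"].lower()
        rec = by_serial.setdefault(serial, {
            "serial": serial,
            "issuer": row["issuer_name"],
            "names": set(),
            "not_before": datetime.fromisoformat(row["not_before"]).replace(tzinfo=timezone.utc),
            "not_after": datetime.fromisoformat(row["not_after"]).replace(tzinfo=timezone.utc),
        })
        names = row["name_value"].split("\n") + [row.get("common_name", "")]
        rec["names"].update(n.strip().lower() for n in names if n.strip())
    return list(by_serial.values())


def issuer_allowed(issuer_name, allowlist):
    """True if any allowlisted RDN (e.g. 'O=Let's Encrypt') appears in the issuer DN."""
    rdns = {part.strip() for part in issuer_name.split(",")}
    return any(entry in rdns for entry in allowlist)


def reconcile(entries, now, allowlist=ISSUER_ALLOWLIST, warn_days=30):
    """Bucket each certificate by lifetime state and flag unexpected issuers."""
    report = {"expired": [], "expiring_soon": [], "current": [], "unexpected_issuer": []}
    for e in sorted(entries, key=lambda e: e["not_after"]):
        if not issuer_allowed(e["issuer"], allowlist):
            report["unexpected_issuer"].append(e["serial"])  # rogue or unmanaged issuance
        if e["not_after"] < now:
            report["expired"].append(e["serial"])
        elif e["not_after"] - now <= timedelta(days=warn_days):
            report["expiring_soon"].append(e["serial"])
        else:
            report["current"].append(e["serial"])
    return report


def uncovered_names(entries, now):
    """Names seen in CT that no currently valid certificate covers: the renewal gap."""
    seen, covered = set(), set()
    for e in entries:
        seen |= e["names"]
        if e["not_before"] <= now <= e["not_after"]:
            covered |= e["names"]
    return sorted(seen - covered)


if __name__ == "__main__":
    entries = parse_ct_entries(SAMPLE_CT_JSON)
    print(json.dumps(reconcile(entries, SAMPLE_NOW), indent=2))
    print("names without a valid certificate:", uncovered_names(entries, SAMPLE_NOW))
```

Run against real data by replacing `SAMPLE_CT_JSON` with the body of `https://crt.sh/?q=example.com&output=json` (wildcard names and CT's issuance-only view still need a follow-up TLS probe of each host before you conclude anything about what is actually deployed).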

