Hacker News: kro

New comment by kro in "Migrating from DigitalOcean to Hetzner"

kro — Sat, 18 Apr 2026 14:15:15 +0000

Hetzner normally advertises their hardware servers as 2x 1 TB SSD, because it's strongly recommended to run them in SWraid1 for net 1TB. (Their image installer will default to that)

Once the first SSD fails after some years, and your monitoring catches that, you can either migrate to a new box, find another intermediate solution/replica, or let them hotswap it while the other drive takes on.

Of course though, going to physical servers loses redundency of the cloud, but that's something you need to price in when looking at the savings and deciding your risk model.

And yes, running this without also at least daily snapshotting/backup to remote storage is insane - that applies to cloud aswell, albeit easier to setup there.

New comment by kro in "OpenSSL 4.0.0"

kro — Tue, 14 Apr 2026 19:13:38 +0000

Nginx mainline 1.29.x supports it. So once you get that and also the openssl version on your system, good to go. Likely too late for ubuntu 26.04, maybe in debian 14 next year, or of course rolling release distros / containers.

But, in a personal/single website server, ech does not really add privacy, adversaries can still observe the IP metadata and compare what's hosted there. The real benefits are on huge cloud hosting platforms.

New comment by kro in "A new spam policy for “back button hijacking”"

kro — Tue, 14 Apr 2026 18:56:43 +0000

The URL does not even need to change, you can pushState with just a JavaScript object, catch the pop and do something like display a modal. (I use this pattern to allow closing fullscreen filter overlays the user opened)

Still, requires user interaction, on any element, once. So the crawler needs to identify and click most likely the consent/reject button. Which may not even trigger for Googlebot.

So they likely will rely on reports or maybe even Chrome field data.

New comment by kro in "A new spam policy for “back button hijacking”"

kro — Tue, 14 Apr 2026 04:59:55 +0000

It's a valid question how they detect it. As there are valid usages, just checking for the existence of the function call would not be correct.

These sites likely pushState on consent actions so it appears like any user interaction.

New comment by kro in "Simplest Hash Functions"

kro — Sun, 12 Apr 2026 07:30:27 +0000

It's very very unlikely to get collisions there, but still not impossible. Whenever you map data of arbitrary length (infinite possibilities) to a limited length collisions are possible.

New comment by kro in "A cryptography engineer's perspective on quantum computing timelines"

kro — Mon, 06 Apr 2026 19:18:27 +0000

I wonder, what is the impact of this to widely deployed smartcards like credit cards / EID passports?

Aren't they relying on asymmetrical signing aswell?

New comment by kro in "A cryptography engineer's perspective on quantum computing timelines"

kro — Mon, 06 Apr 2026 19:11:55 +0000

The argument to skip hybrid keys sounds dangerous to me. These algorithms are not widely deployed and thus real world tested at all. If there is a simple flaw, suddenly any cheap crawler pwns you while you tried to protect against state actors.

New comment by kro in "German implementation of eIDAS will require an Apple/Google account to function"

kro — Sun, 05 Apr 2026 10:10:36 +0000

It will likely display something like a QR Code with signature anyways, otherwise it's just a glorified passport picture?

Authorities/anyone could verify that it's not counterfeit. And photo should be checked anyways to match the person.

So I also don't see the need for attestation. For ID check it should be ok without. For signing stuff ofc it is not resistant to copying. But EID smartcard function already exists.

New comment by kro in "Post Mortem: axios NPM supply chain compromise"

kro — Sat, 04 Apr 2026 07:20:12 +0000

I really don't get this either, I've always removed axios when it was preinstalled in a framework.

I use "xhr" via fetch extensively, it can do everything in day to day business for years with minimal boilerplate.

(The only exception known to me being upload progress/status indication)

New comment by kro in "Installing a Let's Encrypt TLS certificate on a Brother printer with Certbot"

kro — Fri, 27 Mar 2026 15:52:48 +0000

In Q2 this year, so very soon, there will be the DNS PERSIST method, which is non rotating.

New comment by kro in "Google details new 24-hour process to sideload unverified Android apps"

kro — Fri, 20 Mar 2026 12:54:37 +0000

Not advocating for cashless only, but cash also has costs: banks charge for deposits and coinrolls, and you need to protect against robbery

New comment by kro in "SSH has no Host header"

kro — Wed, 18 Mar 2026 05:53:41 +0000

Almost certainly it does, as public key auth takes place after setting up the session encryption

New comment by kro in "Cert Authorities Check for DNSSEC from Today"

kro — Mon, 16 Mar 2026 17:32:31 +0000

I have a setup with separated dns and domain since 2021. Using a CSK with unlimited lifetime, I never had to rotate. And could easily also migrate both parts (having a copy of the key material)

The master is bind9, and any semi-trusted provider can be used as slave/redundency/cdn getting zonetransfers including the RRsigs

New comment by kro in "Remotely unlocking an encrypted hard disk"

kro — Fri, 06 Mar 2026 05:52:47 +0000

TPM is good when combined with secureboot and these hashes being part of the attestation, that eliminates initramfs swapping. Still with Physical access being a factor bustapping can happen, ftpm - if available - is much harder to crack then than a discrete module.

https://news.ycombinator.com/item?id=46676919

New comment by kro in "Remotely unlocking an encrypted hard disk"

kro — Thu, 05 Mar 2026 21:54:34 +0000

TPM definitely rises the effort by a lot to break it. But by default the communication with it is not encrypted, so especially for modules not built into the cpu wire/bus-tapping is a thing.

https://news.ycombinator.com/item?id=46676919

New comment by kro in "Remotely unlocking an encrypted hard disk"

kro — Thu, 05 Mar 2026 21:46:37 +0000

Good FAQ, clearly stating the weak point of physical access. For a server that threatmodel can work, for a fleet of edge/iot devices in unsecured locations without permanent uptime there is no real solution to be expected without custom silicon logic (like in smartcards) on the soc.

New comment by kro in "Payment fees matter more than you think"

kro — Tue, 03 Mar 2026 22:09:18 +0000

In general I'm all for free and European systems, but SEPA payments imo still have pain points:

- you can send money to companies and individuals alike. It's easier to trick people into fake shop payments, a card payment provider requires at least a bit it verification/registration

- it's really hard to dispute/call back sepa payments. The card companies often step in there afaik

New comment by kro in "Robust and efficient quantum-safe HTTPS"

kro — Sun, 01 Mar 2026 13:51:56 +0000

The title is vague, my first thought was "We already have MLKEM". Which is enough against passive attackers.

The article apparently is about the CA/certs for authenticating the server, a part of HTTPS

New comment by kro in "We Do Not Support Opt-Out Forms (2025)"

kro — Tue, 27 Jan 2026 16:41:20 +0000

+1, Even if they validate DKIM/SPF+alignment (aka DMARC) that would only verify the domain. There is no local part verification possible for the receiver, the sending server needs to be trusted with proper auth

New comment by kro in "Getting a Gemini API key is an exercise in frustration"

kro — Thu, 11 Dec 2025 05:59:32 +0000

Agree, Google made it really easy here, compared to using service account certificates like with some of their other APIs.