Thibault

SMS frauduleux et Imsi-catchers : les dessous d’une escroquerie dernier cri La justice française enquête sur une arnaque inédite, avec des centaines de milliers de cibles bombardées de messages attribués à l’Assurance maladie ou contactées par de faux conseillers bancaires gr...

Ça me rappelle l histoire des IMSI catchers dans une valise à Paris www.liberation.fr/societe/poli...

Privacy doesn't have to be slow. Great work from the team to improve the speed of Privacy Pass double spend checks. Now below 1ms

If it helps, the example you present is using RFC9421 with "web-bot-auth" tag as proposed in datatracker.ietf.org/doc/draft-me...
The draft provides context as to why we believe cryptography can help here.
Disclaimer: I'm an author for that draft, feedback welcome

A great talk for a great work. After the video, I'm still puzzled about the outcome, and if the draft has been adopted by the WG, or even has a "related" label. Do you know the current status?

Need 👀

Nice

Message Signatures are now part of our Verified Bots Program, simplifying bot authentication Bots can start authenticating to Cloudflare using public key cryptography, preventing them from being spoofed and allowing origins to have confidence in their identity.

Bots can start authenticating to Cloudflare using public key cryptography, preventing them from being spoofed and allowing origins to have confidence in their identity. blog.cloudflare.com/verified-bot...

Normalement prévu pour septembre. Date à confirmer.

Welcome back!

My exact thought when I've seen the venue. Really looking forward

Making an end to end encrypted video calling app is easy. Just subscribe to @cloudflare.social blog, read MLS RFC, and write TLA+.
Then enjoy the demo at e2ee.orange.cloudflare.dev

Cliff, sea, sun, in the south of France. Vertical photo

From where I'm standing, it looks close enough

[Des lampes a lave pour securiser Internet] Thibault Meunier · Issue #113 · GDGToulouse/meetup-cfp Language of the talk: 🇫🇷 🇬🇧 Note to the organiser: I can do both, and am more familiar with English in presentation. However, I understand the audience is local and French sounds more approachable....

J'ai pas trouvé d'email, mais j'ai mis une issue sur GitHub github.com/GDGToulouse/...
Affaire à suivre

Accept HTTP Message Signatures (RFC9421) by oneiros · Pull Request #34814 · mastodon/mastodon This PR adds support for accepting HTTP Message Signatures in addition to the draft version(s) we already support today. A huge difference between the draft and final version is that the former use...

HTTP Message Signatures (RFC version) got merged into Mastodon
github.com/mastodon/mas...

@cjpatton.bsky.social this one is for you I think

All the ways I want the AI debate to be better A lot of rules and ideas for talking about AI

I wrote what turned into a small book with all my big takes on AI and the ways I'd like to see the debate improve
andymasley.substack.com/p/all-the-wa...

Des renforts pour ?
J'avais l'impression que l'émission (au top) s'était arrêté il y a environ un an

Top! Je vais envoyer un message

Possiblement @swallez.com ou @feudaratifice.com vous avez des recommendation

À la base c'était pour le @devfesttoulouse.fr, mais je ne serai pas sur Toulouse à ce moment là

Harnessing chaos in Cloudflare offices This blog post will cover the new sources of “chaos” that have been added to LavaRand and how you can make use of that harnessed chaos in your next application.

Il y a un meetup sur Toulouse pour parler Internet et cryptographie ?
Je pense à présenter les lampes à lave de Cloudflare.
On a fait un article dessus il y a un an blog.cloudflare.com/harnessing-o...

Finally a browser for pdf with a two column template

Esphome c'est de la magie noire. Ça peut faire une conf très sympa, avec pleins de capteurs et émetteurs différents.
Je les gère avec l extension esphome builder, c'est vraiment pratique.

Screenshot of Obsidian 1.9.0 showing a base with a list of books

Introducing Bases, a new core plugin that lets you turn any set of notes into a powerful database. With Bases you can organize everything from projects to travel plans, reading lists, and more.

Bases are now available in Obsidian 1.9.0 for early access users.

Pour confirmer car ta nouvelle formulation est assez subtile: les données sont envoyées à Google dans les deux cas. Seulement, sur la version gratuite, elles servent également à de l'entraînement.
C'est ça ?

Forget IPs: using cryptography to verify bot and agent traffic Bots now browse like humans. We're proposing bots use cryptographic signatures so that website owners can verify their identity. Explanations and demonstration code can be found within the post.

Using Internet standards to improve the the way automed traffic / bots can interact with the world. Namely two methods: HTTP Signatures (RFC 9421) and req mTLS flag (draft-jhoyla-req-mtls-flag)

blog.cloudflare.com/web-bot-auth/

Thanks for reading

The work is not only mine, and a huge shoutout to all involved.
If you got to this point, just share a comment or shout me a message. I'd love to discuss.

Want to read more

The work is being discussed within the IETF, an Internet standards organisation.
You can find discussion on web-bot-auth mailing.
For the proposed standard, check datatracker.ietf.org/doc/draft-me....

import { signatureHeaders } from "web-bot-auth" const request = new URL(details.url); const created = new Date(); const expired = new Date(created.getTime() + 300_000) // Perform request signature const headers = signatureHeaders( request, new Ed25519Signer(jwk), { created, expires } );

Compatibility with existing web

The good thing: it works today. We provide examples with a Chrome extension, a Caddy plugin, and a Cloudflare Workers.
With a few lines of JS, your bot/website is ready to go.
All is on GitHub github.com/cloudflarere...

GET /path/to/resource Signature: abc== Signature-Input: sig=(@authority signature-agent); \ created=1700000000; \ expires=1700011111; \ keyid=ba3e64==; \ tag=web-bot-auth Signature-Agent: signer.example.com

How does it work

One proposed solution relies on HTTP Message Signatures (RFC 9421). Bots sign the host of the request they are making, add a validity window, and send the signature with the request.
See the demo http-message-signatures-example.research.cloudflare.com.