"Typing x.com into your browser also redirects you to twitter.com because the Twitter-to-X transition is woefully incomplete"
This is one of the reasons It's Complicated, because if you aren't careful you create redirect loops. They seem to have avoided the most catastrophic one at least…
Moral of the story: you should never, ever use a 301 without explicitly controlling caching, but vast chunks of the web don't do this (including many registrars' "redirect this domain to another site" functionality 😱 ). Anyway, good news for X/twitter is they have not made that particular mistake with x.com
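The two failure modes raised in the posts above (a 301 served with no explicit cache headers, which a browser may treat as fresh indefinitely under heuristic caching, and a redirect loop) can be checked mechanically. The following is an added example, not code from any of the posters: it walks a redirect chain, flags permanent redirects (301/308) that carry neither Cache-Control nor Expires, and stops on a loop. The response table is constructed and the `*.example` hosts are placeholders, not real x.com/twitter.com responses; swap `fetch` for a real HTTP client (e.g. `requests.head(url, allow_redirects=False)`) to audit live hosts.

```python
from urllib.parse import urljoin

# Constructed fixture standing in for HTTP responses: URL -> (status, headers).
# None of these are captured from x.com or twitter.com.
FIXTURE = {
    "https://x.example/":        (301, {"Location": "https://twitter.example/"}),
    "https://twitter.example/":  (200, {"Cache-Control": "no-store"}),
    # A 301 <-> 301 loop, the catastrophic case the post alludes to.
    "https://a.example/":        (301, {"Location": "https://b.example/", "Cache-Control": "no-store"}),
    "https://b.example/":        (301, {"Location": "https://a.example/", "Cache-Control": "no-store"}),
    # A temporary redirect with a relative Location header.
    "https://c.example/":        (302, {"Location": "/landing"}),
    "https://c.example/landing": (200, {}),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
PERMANENT_STATUSES = {301, 308}   # the ones browsers may cache heuristically


def fetch(url, table=FIXTURE):
    """Offline stand-in for an HTTP HEAD that does not follow redirects."""
    return table.get(url, (404, {}))


def has_explicit_caching(headers):
    """True if the origin said anything at all about freshness."""
    lowered = {k.lower() for k in headers}
    return "cache-control" in lowered or "expires" in lowered


def audit_redirects(start, fetch=fetch, max_hops=10):
    """Follow redirects from `start`.

    Returns a dict with the chain visited, whether a loop was hit, the final
    non-redirect status (None if the chain never terminated), and the list of
    permanent redirects that were served without explicit cache control.
    """
    chain, seen, uncontrolled = [start], {start}, []
    url = start
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in REDIRECT_STATUSES:
            return {"chain": chain, "loop": False, "final_status": status,
                    "uncontrolled_permanent": uncontrolled}
        if status in PERMANENT_STATUSES and not has_explicit_caching(headers):
            uncontrolled.append(url)
        # Location may be relative; resolve it against the current URL.
        nxt = urljoin(url, headers.get("Location", ""))
        chain.append(nxt)
        if nxt in seen:
            return {"chain": chain, "loop": True, "final_status": None,
                    "uncontrolled_permanent": uncontrolled}
        seen.add(nxt)
        url = nxt
    # Ran out of hops without terminating or repeating a URL.
    return {"chain": chain, "loop": False, "final_status": None,
            "uncontrolled_permanent": uncontrolled, "truncated": True}


if __name__ == "__main__":
    for start in ("https://x.example/", "https://a.example/", "https://c.example/"):
        print(start, "->", audit_redirects(start))
```

The `uncontrolled_permanent` list is the actionable output: every URL in it is a 301 that a client may keep honouring long after the origin changes its mind, so it should gain an explicit `Cache-Control` (for example `max-age=300` or `no-store`) before the redirect target ever needs to move.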
oh ick apparently the press photos get posted to x.com. I don't have an account there any more and I'm not going to create one. So I just have to wait for them to pop up elsewhere.
It's interesting that twitter.com and x.com have the very same server certificate, isn't it? With Safari and the like, the redirect would probably happen without tearing down the TLS connection.
$ :| openssl s_client -connect x.com:443 -servername x.com 2>/dev/null | openssl x509 -noout -serial
serial=04E1056104670BD06CDF33A38B67A431
$ :| openssl s_client -connect twitter.com:443 -servername twitter.com 2>/dev/null | openssl x509 -noout -serial
serial=04E1056104670BD06CDF33A38B67A431
...or so I thought, but the DNS is subtly different lol
$ dig +short x.com
104.244.42.1
$ dig +short twitter.com
104.244.42.1
104.244.42.65
104.244.42.193
104.244.42.129
A pretty clever phishing email: I got a message warning me that my Twitter account was about to be suspended for suspicious activity, inviting me to click a button to prevent this. The URL the button went to *was* an x.com link, but it used a security vulnerability in Twitter's backend that allowed redirections to push me to an OAuth server that would prompt me for my Twitter login and 2FA, and then send the attacker a valid token they could use to take over my account:
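The bug class described in the post above, a first-party URL whose redirect parameter the backend forwards to an arbitrary destination, is what makes such a lure convincing: the link the victim inspects really is on the trusted domain. The following is an added example, not a description of Twitter's actual code or of the specific flaw in the post. It contrasts the prefix check that typically produces an open redirect with an allow-list check against exact hostnames. `ALLOWED_REDIRECT_HOSTS`, the `*.example` names and the function names are assumptions made for the example.

```python
from urllib.parse import urlparse

# Assumed allow-list of hosts a login flow may bounce the user back to.
ALLOWED_REDIRECT_HOSTS = {"x.example", "twitter.example"}


def is_safe_redirect_naive(target):
    """The vulnerable pattern: a string-prefix check.

    "https://x.example.evil.example/" and "https://x.example@evil.example/"
    both start with the trusted prefix and are waved through.
    """
    return target.startswith("https://x.example")


def is_safe_redirect(target):
    """Hardened check: parse the URL and compare the exact hostname.

    Rejects non-https schemes, scheme-relative URLs, embedded credentials,
    non-default ports, backslash/whitespace tricks, and any host that is not
    literally in the allow-list (so subdomains and lookalikes fail).
    """
    if not isinstance(target, str) or not target:
        return False
    # Backslashes and control characters are parsed differently by browsers
    # and URL libraries; refuse rather than guess.
    if any(c in target for c in "\\\r\n\t\x00"):
        return False
    p = urlparse(target)
    if p.scheme != "https":
        return False
    if p.username is not None or p.password is not None:
        return False
    try:
        if p.port not in (None, 443):
            return False
    except ValueError:          # non-numeric port such as https://h:abc/
        return False
    host = (p.hostname or "").lower().rstrip(".")
    return host in ALLOWED_REDIRECT_HOSTS


def choose_redirect(target, fallback="https://x.example/home"):
    """What the login handler should actually do: fall back instead of
    trusting the supplied value."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed probe inputs, the kind a phishing link would carry.
    for t in ("https://x.example/i/flow/login",
              "https://x.example.evil.example/login",
              "https://x.example@evil.example/",
              "//evil.example/",
              "https://x.example\\@evil.example/"):
        print(f"{t!r:45} naive={is_safe_redirect_naive(t)!s:5} hardened={is_safe_redirect(t)}")
```

Even with the redirect target pinned, an OAuth-style flow still needs the usual protections on the token exchange itself (a `state` parameter bound to the session, and registered redirect URIs compared exactly); the allow-list above only closes the open-redirect half of the chain.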
@cadusilva honestly, that's not something impossible to deal with.
You just have to require the carriers to put a configuration on their DNS servers pointing twitter.com to 0.0.0.0 and x.com to 0.0.0.0
That way the CloudFlare service isn't reached; instead you get an IP that is outside of any network.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.