• 0 Posts
  • 10 Comments
Joined 1 year ago
cake
Cake day: June 27th, 2023

help-circle
  • Indeed, not classically, but there are HSTS preload lists you can put your domain into which will be downloaded by supported browsers.
    And via HSTS you can include all your subdomains, which would then force proper TLS connections for those you havent visited before too.

    With the new TLS1.3 version we are getting the HTTPS / “SVCB” Record which not only allows ECH but also indicates to the client similar protection policies like HSTS. (RFC 9460)
    ECH will then make such attacks impossible on TLS-level, assuming DNSSEC is used and client can make an integrity-checked lookup e.g. via DoH/DoT or validating DnsSec themselves.
    The strength of this depends on the security-chain you want to follow of course. You dont need DNSSEC, but then the only integrity-check is between DNS-Service and Client if they use DoH/DoT (which is usually enough to defeat local attackers)










  • To be fair, they are talking about the OpenAI end user version, not the models themselves.
    Its still sketchy to send your data willingly to them and hope because you pay per request, its not getting tracked and saved.
    My company is deep into microsoft, so we all get Bing Chat Enterprise.
    Microsoft says it doesnt store anything and runs on separate systems… i guess with a company-offer they are more likely to put more protections in place because a breach would mean real consequences.
    (opposed to a breach with end-users, most of which dont care or would ever go through the legal trouble)