• 0 Posts
  • 51 Comments
Joined 1 year ago
cake
Cake day: June 27th, 2023

help-circle

  • Indeed, not classically, but there are HSTS preload lists you can put your domain into which will be downloaded by supported browsers.
    And via HSTS you can include all your subdomains, which would then force proper TLS connections for those you havent visited before too.

    With the new TLS1.3 version we are getting the HTTPS / “SVCB” Record which not only allows ECH but also indicates to the client similar protection policies like HSTS. (RFC 9460)
    ECH will then make such attacks impossible on TLS-level, assuming DNSSEC is used and client can make an integrity-checked lookup e.g. via DoH/DoT or validating DnsSec themselves.
    The strength of this depends on the security-chain you want to follow of course. You dont need DNSSEC, but then the only integrity-check is between DNS-Service and Client if they use DoH/DoT (which is usually enough to defeat local attackers)













  • I would be careful with some of these providers depending on your usage.
    You are potentially sending a ton of info to them…

    I have access to Bing Chat Enterprise through my company, and only because its the Enterprise version i am half confident in using it with more restrictive data.
    Though the frontend of copilot is so heavy and sucks, so i have a proxy for GPT-API to Bing Chat.
    Had hoped GPT4All Bing provider would support login, but sadly not, so essentially had to reimplement it all myself.