
For the query string, you don’t have to implement your own DSL. Elasticsearch supports it out of the box. You could POST a JSON object to “/_search” but you can also do a GET with the “q” query parameter. Documentation: https://www.elastic.co/guide/en/elasticsearch/reference/curr...

In the Golang library you can use the “Search.WithQuery” option. This means you don’t have to construct a JSON request body.

Here’s an example: https://github.com/taythebot/archer/blob/main/pkg/elasticsea...
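The q parameter takes the Lucene query_string syntax, so anything a user types into it can change the query itself (fields, wildcards, boolean operators). Below is an added example, not code from the archer project or from the Go client library; it escapes untrusted input and builds the GET form of the search, pinned to one index and one field. The assumption that the Go client is github.com/elastic/go-elasticsearch and that the resulting q value is what one would hand to Search.WithQuery is mine, not the comment's.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"unicode"
)

// Reserved characters of the Lucene query_string syntax accepted by the q
// parameter; unescaped, any of them changes the meaning of the query.
// '<' and '>' cannot be escaped at all, so they are dropped instead.
const reserved = `+-=&|!(){}[]^"~*?:\/`

// EscapeQueryString backslash-escapes operators in untrusted input so a term
// search stays a term search: "*:*" no longer matches every document and
// "_exists_:password" no longer probes other fields. Whitespace is escaped
// too; otherwise the second word would fall back to the default field.
func EscapeQueryString(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '<' || r == '>':
			continue
		case strings.ContainsRune(reserved, r) || unicode.IsSpace(r):
			b.WriteRune('\\')
			b.WriteRune(r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// SearchURL builds GET /<index>/_search?q=<field>:<escaped term>, choosing the
// field in code rather than letting the input choose it. The q value is the
// string you would otherwise pass to Search.WithQuery in the Go client
// (assumed here to be github.com/elastic/go-elasticsearch).
func SearchURL(base, index, field, userInput string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	u.Path = "/" + url.PathEscape(index) + "/_search"
	q := u.Query()
	q.Set("q", field+":"+EscapeQueryString(userInput))
	q.Set("default_operator", "AND")
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample inputs: a benign term and two injection attempts.
	for _, in := range []string{"example.com", "*:*", `foo" OR _exists_:secret`} {
		fmt.Printf("%-28q -> %s\n", in, EscapeQueryString(in))
	}
	s, _ := SearchURL("http://localhost:9200", "hosts", "domain", "example-site.com")
	fmt.Println(s)
}
```

If you need the richer search features, send the JSON body form instead and keep the user's text inside a `match` or `term` clause; escaping is only needed when the user's text is spliced into query_string syntax.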


Very interesting product! How does this compare to something like Nebula? Have you done benchmarks against other solutions? If I remember correctly, Nebula implements its own protocol and underperforms compared to WireGuard. Is this the same case?

Looking forward to trying it out!


I am writing some comparisons to other tech incl. Nebula; it's not publicly published yet, but I can give a few bullets. WRT performance, it's better to compare OpenZiti to Nebula rather than zrok; we did some last year - https://netfoundry.io/benchmark/benchmarking%20open%20source....

A few points of comparison:

- Nebula is focused on connecting machines, OpenZiti is on securing services. This is due to Ziti implementing zero trust networking principles – e.g., you can authorize only a single port without needing to set up ACLs or firewall rules.

- While Nebula requires open inbound ports or UDP hole punching, OpenZiti allows you to have all inbound and most outbound ports completely closed while providing truly private, zero trust DNS entries with unique naming – if you wanted to call your service "my.secret.service" you can do that, it does not force you to have a valid Top Level Domain.

- OpenZiti also goes a layer deeper to bring zero trust principles directly into your application. If you're a developer, you can embed all those ideas into your app and not rely on the network or side-loaded agents. This is both client and server-side and doesn't require the app to "listen" on an IP address (the underlay). Instead, you can choose to "listen" on the overlay.


I remember trying out Portmaster on Windows earlier this year. I think Portmaster was running a local DNS server to see what connections were being made. This interfered with my VPN, Mullvad, which was trying to use a remote DNS server.

Does Portmaster still require a local DNS server? I’ve been an avid user of GlassWire for years and it works flawlessly with my VPN. But I would love to switch to an open source alternative.


Portmaster still requires (and probably always will) a local DNS server. Why? Because there are not always ways, and there will be fewer in the future, to find out which domain an IP address belongs to.

GlassWire will probably become quite blind as soon as TLS 1.3 is rolled out and working as intended.

I will look into Mullvad compatibility again in the coming weeks. I think they also improved some stuff on their side.

User from 2 weeks ago: "Can confirm that Portmaster v1.0.0 with Mullvad v2022.4 DNS set to 127.0.0.1 and the same setting on the network controller both can live together." from https://github.com/safing/portmaster/issues/313


Awesome, thank you for the reply. Will try out Portmaster again!


I think it’s because SPN uses a different IP/node per connection you make. DNS leak detection tests will ask your browser to resolve unique subdomains. If the DNS server that requests the lookup is different from your connecting IP to the website, they will say you have a DNS leak.

https://security.stackexchange.com/questions/42752/how-does-...


That would be true if you were resolving all DNS yourself. Nowadays everyone uses a recursive resolver. See my other answer for details about this case.


I’m confused about why secret management is considered secure. Maybe I’m missing something.

Why is letting a third party manage your secrets secure? If that third party gets compromised, they now have access to all your secrets. Amazon or other company employees can also view your secrets.

If your server gets compromised, the secrets that are accessible via that server are also compromised. Isn’t that the same impact as just keeping the secrets on your server? Maybe worse if your permissions are broad. You’re merely adding an extra step to get the secret from your secret management.


Speaking for EnvKey (mentioned above—I’m the founder), we use client-side end-to-end encryption to address this concern. Secrets cannot be accessed on an EnvKey server.

I’m biased, but I share your skepticism of secrets management services that don’t use end-to-end encryption. It’s not a wise choice for either the service provider or its users.
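The model the reply above describes (the service only ever stores ciphertext, the key stays with the client) looks like this in code. This is an added example written for this page, not EnvKey's code or protocol; the in-memory `Server`, the `Client` type and the use of AES-256-GCM with the secret's name as associated data are my choices for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Server stands in for the hosted secrets service. It stores opaque blobs by
// name and never receives a key, so a compromise of it (or an employee with
// database access) yields ciphertext only.
type Server struct{ store map[string][]byte }

func NewServer() *Server { return &Server{store: map[string][]byte{}} }

func (s *Server) Put(name string, blob []byte) { s.store[name] = blob }

func (s *Server) Get(name string) ([]byte, bool) {
	b, ok := s.store[name]
	return b, ok
}

// Client owns the 32-byte AES-256 key. In a real deployment it would come from
// the developer's keychain or the app host's environment, never from the server.
type Client struct{ key []byte }

func NewClient() (*Client, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return NewClientWithKey(key)
}

func NewClientWithKey(key []byte) (*Client, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	return &Client{key: key}, nil
}

func (c *Client) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Publish seals value with AES-256-GCM and uploads nonce||ciphertext||tag. The
// secret's name is bound in as associated data, so the server cannot quietly
// serve one environment's blob under another environment's name.
func (c *Client) Publish(s *Server, name string, value []byte) error {
	aead, err := c.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	s.Put(name, aead.Seal(nonce, nonce, value, []byte(name)))
	return nil
}

// Fetch downloads the blob and decrypts it locally. A wrong key, a tampered
// blob or a blob moved under a different name all fail authentication.
func (c *Client) Fetch(s *Server, name string) ([]byte, error) {
	blob, ok := s.Get(name)
	if !ok {
		return nil, fmt.Errorf("no secret named %q", name)
	}
	aead, err := c.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}

func main() {
	srv := NewServer()
	c, _ := NewClient()
	// Constructed sample secret for the demonstration.
	_ = c.Publish(srv, "prod/DATABASE_URL", []byte("postgres://app:hunter2@db/app"))
	blob, _ := srv.Get("prod/DATABASE_URL")
	fmt.Printf("server holds %d opaque bytes\n", len(blob))
	v, err := c.Fetch(srv, "prod/DATABASE_URL")
	fmt.Println(string(v), err)
}
```

The point the skeptic raised still holds at the client: whoever holds the key and can reach the server can read the secrets, so the key needs the same protection the secrets would. What changes is the blast radius of a server-side breach, which now exposes only blobs.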


Can you shed some light here?

If I need access to a decryption key to read my secrets or to provide my secret to a process, I still have to manage my decryption key, which means I might as well use that process to manage my secret.


A short list of additional benefits:

- Secrets are automatically kept in sync across multiple processes and servers.

- Easily and securely give other developers access (to what they need, and no more).

- You can automatically reload a process when secrets update.

- All updates and accesses are logged.

- End-to-end encrypted version control.

- You can limit access to specific IPs or IP ranges.

- You can edit multiple environments side by side (development, staging, production, etc.)

- You can de-duplicate across environments and apps using inheritance or stackable ‘blocks’ of config.


...and you managing your own secrets is way better than a third party?

Wake up, people: it's all the same types of servers managing the same types of passwords with the same types of security layers; not one is better than the other! Nobody has a 'secret sauce' for storing your passwords.


But if they have the decrypted secrets, do they really need the key?


The Vault will not prevent someone who has login access to your database and the right grants (or superuser) from decrypting the data. If someone is in this position they are fully compromised and the Vault is not protection against that (nor is anything else really).

In particular, if an attacker has a Postgres superuser login they can essentially act as the OS process owner, and could possibly get around the process hardening we already employ to reduce that risk, but again the Vault is not designed to protect against a full superuser exploit. You must carefully guard database login access.

However, the secret data that is stored on disk, in WAL logs, and in database dumps is encrypted. This way you are ensured that your secrets are encrypted at rest. The Vault also provides access control over the decrypted data using standard Postgres privileges (via GRANT/REVOKE).


I wasn't talking just about pgsodium or the Vault product but about similar products in general.

I understand the point of the database client having access to the database key and not the key to the secret vault. So in this case the other secrets in the vault are essentially protected. But let's say I really have this one secret to protect, in which case is the vault fairly pointless?

Is it essentially that if a client is using KeyX for some purpose, then a compromise of said client will essentially lead to KeyX, and there's really no way to protect it?


I’m not sure I understand the value of reporting this to Microsoft. Wouldn’t it be better to submit an online tip to law enforcement? Is Microsoft doing law enforcement activity now?


LinkedIn is a Microsoft product, so they would have the ability and interest in understanding what broke here.


What broke is probably their internal trust.


It's the "probably" that they want to investigate and try to get to an "almost certainly".


As huhwat said, LinkedIn is part of Microsoft now. As such it is within the auspices of the MSRC.


The website says it's secure and private, but your privacy policy contradicts it. Seems like you don’t collect usage data, but the ad providers do. Is it right to make such a privacy claim?

Privacy Policy: https://tab.gladly.io/privacy/

“Ad targeting, selection, and delivery: When you use our Services, third parties that provide advertising, to the Services, may collect or receive information about you including through the use of cookies. These third parties may use your information to provide you with advertising that is based on your interests and to measure and analyze ad performance, on our Services or other websites or platforms, and combine it with information collected across different websites, online services, and other devices. These third parties' use of your information will be based on their own privacy policies. You can opt out of interest-based targeted advertising for some advertising partners here.”


Here are the financial reports https://tab.gladly.io/financials/


If I need to encrypt a file for quick sharing, I’ll use gpg.

Encrypt: gpg -c file.zip

Decrypt: gpg file.zip.gpg

However, for my personal files on my computer, I use a VeraCrypt container with a strong password and custom PIM.

