Maybe for your personal workstation this might be the experience you have.
But from my experience for enterprise there is RHEL, Suse and maybe Ubuntu Pro.
If you are an AWS Enterprise customer you might justify Amazon Linux
Also Oracle Linux and CIQ's version of Rocky, albeit in rather different niches.
I think Ubuntu Pro is more common in service providers that sell to enterprises rather than in enterprises themselves. It enables them to say "yes, we comply with all of these box-ticking standards that you require your vendors to have!" without bringing in much of the rest of the enterprise baggage.
SuSE is used more heavily than any of them - as others have said, they're used more or less everywhere where SAP is to be found, and they're very strong in the HPC space too.
My understanding is that you can use split mode to only have the load balancer decrypt the server name section, and forward the actual session and key exchange down to the backend without doing double layer encryption.
Only if the attacker has a valid certificate for the domain to complete the handshake with.
Relying on HTTPS and SVCB records will probably allow a downgrade for some attackers, but if browsers roll out something akin to the HSTS preload list, then downgrade attacks become pretty difficult.
DNSSEC can also protect against malicious SVCB/HTTPS records and the spec recommends DoT/DoH against local MitM attacks to prevent this.
DNSSEC can't protect against an ECH downgrade. ECH attackers are all on-path, and selectively blocking lookups is damaging even if you can't forge them. DoH is the answer here, not record integrity.
DNSSEC alone is obviously useless because any attacker interested in SNI hostnames can just as easily monitor DNS traffic.
However, DoH/DoT without record integrity is about as useful as self-signed HTTPS certificates. You need both for the system to work right in every case.
To quote the spec:
> Clearly, DNSSEC (if the client validates and hard fails) is a defense against this form of attack, but encrypted DNS transport is also a defense against DNS attacks by attackers on the local network, which is a common case where ClientHello and SNI encryption are desired. Moreover, as noted in the introduction, SNI encryption is less useful without encryption of DNS queries in transit.
I don't think this is true; I think this misunderstands the ECH threat model. You don't need record integrity to make ECH a strong defense against on-path ISP attackers; you just need to trust the resolver you're DoH'ing to.
This actually reminds me of the "God of the gaps" problem. A gradual retreat in the face of inconvenient facts.
Many years ago when I was a student the argument was that integrity isn't a big deal so plaintext telnet is just fine. If you're paranoid you use an "enhanced" telnet where the authentication step is protected but not everything else [Yes I'm an old man]
By the turn of the century everybody agreed telnet is stupid, use SSH but integrity still wasn't a big deal when it comes to ordinary web sites. Only your bank needs SSL fool.
And I suppose that 8-10 years ago that changed too and it's now recognised that plaintext HTTP really isn't good enough, you need HTTPS. But still I see that you say integrity isn't important when it comes to DNS records.
Integrity is the hardest thing to get ordinary users to care about. Given how freely even young kids lie we should probably take it more seriously but it remains hard to get ordinary people to care, however ultimately this does matter.
Sir, this is a Wendy's. We're talking about ECH. Can you maybe rephrase all this to be specifically about how DNS record integrity practically impacts the threat model for ECH? The threat actor for Encrypted Client Hello is ISPs.
This same thing happened with DNS cache corruption; which went unaddressed from the mid-1990s to 2008 despite the known fix of port/ID randomization because the DNS operator community was fixated on the "real" fix of... DNS record integrity.
> you just need to trust the resolver you're DoH'ing to
I don't trust the public DoH resolvers that much, actually, and neither do I trust my own ISP. I know for a fact that they mess with DNS records because of court orders, and I want to know when that happens.
DoH and DoT are not the modern DNSSEC alternatives we need. They naively assume that the DNS resolver always speaks the truth.
If browsers remember which domains do ECH and refuse to downgrade to non-ECH connections after, the way the HSTS cache forces browsers to connect over HTTPS despite direct attempts to load over HTTP, then you only need an entry in the browser database to make downgrade attacks to accomplish SNI-snooping impossible.
For HSTS, browsers come with a preloaded list of known-HTTPS domains that requests are matched against. That means they will never connect over HTTP, rather than connect over HTTP and upgrade+maintain a cache when the HSTS header is present. If ECH comes with a preload list, then browsers connecting to ECH domains will simply fail to connect rather than permit the network to downgrade their connection to non-ECH TLS.
I was quite happy and entlohntes when I dropped an HTML table Formates with Emojies into my prompt and told to turn it into a terraform module.
But how do you quality check this part? I am proofreading all these transformations and I am not sure if this is really faster than actually recording a VIM macro, which will do the steps I need.
Love it. Also using UTM with Amazon Linux 2023 x64 on an M1 works, so you can create a local HashiCorp Packer Pipeline using the Packer UTM plugin (similar to the QEMU Packer plugin)
From the Enterprise Perspektive at least for my use cases(fine grained permissions using extra id) , elasticsearch with kibana always had a solution available.
For grafana cloud and Loki you can close to a good usability with LBAC (label based access control) but you still need have many data sources to map onto each “team view” to make it user friendly.
What is missing for me is like in elastic a single datasource for all logs which every team member across all teams can see and you scope out the visibility level with LBAC
Love what they are doing. At least you get the chance to introduce Nix in the enterprise with the MacOS installer, having figured out private CAs and the MacOS keychain for example. Then MDM.
Found a config that seems much cleaner than my lua mess and at a glance it has the key tiling functions[1]. Check set-window-fraction function and its callsites.
Sure. Should be able to extract the relevant bits tomorrow.
I tried some tiling WMs on MacOS(Amethyst?), but they never truly felt like tiling WMs on Linux. I could never reliably switch focus where I wanted it to go. This is not to disparage those projects; my config works well enough and I may not had given them a proper chance.
My tiling is manual and closer to Windows snap feature mixed with Power Toys zones.
On Linux I often use mouse follows focus. I switch to a webbrowser and have a reasonable guess where the cursor is. IIRC that was a pain with Amethyst and my hammerspoon config. Have you set up something like this?
It's lua, so you can get creative with https://fennel-lang.org/