I just discovered something really subtle about WireGuard... TL;DR if you are adjusting interface MTUs precisely, and you have mismatched MTUs between peers in some cases, make sure your smallest MTU is always a multiple of 16!

WireGuard header overhead is said to be 32 bytes + UDP + IP, so 80 bytes for IPv6 and 60 bytes for IPv4. That's where you get the default MTU of 1420 (1500 - 80, so it works with IPv6).

But that's not precisely true! Actually, WireGuard will add up to 15 bytes of padding to the data, to make it a multiple of 16, as long as it doesn't exceed the MTU on that side of the connection.

So let's say you have a server with the MTU set at 1440, but you also have a client that is using IPv4 over PPPoE. So you set its MTU to 1432, subtracting the PPPoE overhead of 8 bytes. That should be fine, since the client will figure out the right path MTU for any connections, right?

Wrong!

The TCP client and server will negotiate an MSS that gives 1432 byte IP packets within the tunnel. But 1432 is not a multiple of 16! However, the client WireGuard instance knows that there is no headroom, so it will send 1432 + 60 = 1492 byte packets, which is the maximum PPPoE MTU. But on the way back, the server thinks it can go up to 1440! 1432 % 16 == 8, so it will try to round up to 1440. Then, it sends 1500 byte packets, which don't fit in PPPoE!

The fix is to either set both the client and server MTU to 1432, or to round down the client MTU to 1424.

Breaking news for the crab people 🚨

🦀 Ring, a widely used Rust cryptography library, is now unmaintained.

🔐 Security advisory: https://rustsec.org/advisories/RUSTSEC-2025-0007

➡️ Details: https://github.com/briansmith/ring/discussions/2414

#rustlang #opensource #library #security #cryptography

Important US cryptography publications like FIPS 203 are going offline, even if only temporarily.

Can we thank Trump and Musk for making the US look like a joke?

#uspol

https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/CX2ZpDDe2fM/m/ktZFvOL8AQAJ

In addition to the UK demanding access to encrypted files on iCloud, they want to be able to access these files in every country they might be stored in. Where do they get off demanding that kind of jurisdiction?

> "Apple is likely to stop offering encrypted storage in the U.K., the people said. Yet that concession would not fulfill the U.K. demand for backdoor access to the service in other countries, including the United States."

https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/

Not only does https://whatismyip.com/ take longer to fucking type, but it literally makes *thousands* of requests to trackers and shit!

Why do people use this shit?