Federated Fandom

0 posts0 participants0 posts today

Christian🚨 Fixing the PKI Mess: CAA + Your Own CA via DNS 🚨 Right now, any CA can issue a certificate for your domain. Even if you set a CAA record (`issue "letsencrypt.org"`), it only controls *who* can issue, not what cert is valid. This is broken. 🔐 What if we could fix this using DNS? <a href="https://social.uggs.io/tags/Introducing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Introducing</a> CAA+CA Fingerprint: Self-Sovereign Certificate Authority Instead of just saying *which CA can issue*, you publish your own CA's fingerprint in DNS. If your CA issues a cert for `awesomecars.com`, browsers should validate it against the DNS-published CA key. 🔥 How It Works You run your own CA (because why trust the cartel?). You then publish: 1️⃣ A CAA record specifying your own CA (with a fingerprint! 🔥) 2️⃣ A DNS record with your CA’s public key (like DKIM but for TLS!) 🔹 Example DNS Setup for `awesomecars.com`: ``` awesomecars.com. IN CAA 0 issue "pki.awesomecars.com; sha256=abcd1234..." pki.awesomecars.com. IN CERT 6 0 0 (--BEGIN CERTIFICATE-- ....) ``` Now, only certs signed by your CA are valid for `awesomecars.com`, even if another CA is tricked into issuing a rogue cert. No more CA hijacking! 🚀 Why Is This Better Than the Current CA Model? ✅ Self-Sovereign Identity: If you own the domain, you should own its PKI. ✅ Prevents Rogue Certs: No government or rogue CA can fake a cert for your domain. ✅ Works Like DKIM for Email: Your CA’s public key is stored in DNSSEC-protected records, just like DKIM keys for email signing. ✅ No More External Trust Issues: You control your CA entirely, instead of relying on Google’s CA store. ✅ Perfect for Self-Hosting & Internal Networks: No need for external CA trust—your DNS is your trust model. 🔥 Why Isn’t This a Thing Already? Big Tech hates this idea because it removes their control: ❌ Google wants Certificate Transparency (CT), where they control which certs are logged. ❌ Commercial CAs make $$$ selling certs. This kills their business. ❌ DNSSEC adoption is intentionally kept low by the same companies who don’t want this to succeed. Browsers refuse to support TLSA for the same reason—they want centralized CA trust, not self-hosted PKI. 🔗 Who Needs to Implement This? 🚀 Self-hosters & Homelabs: Use this for your own infrastructure. 🚀 Email providers: Stop relying on public CAs! 🚀 Privacy-focused projects (Tor, Matrix, XMPP, Fediverse, etc.): A true decentralized PKI alternative. 🚀 Fediverse devs: Let’s push for DNS-based CA validation! What do you think? Would you trust your own CA in DNS over some random commercial CA? 🔁 Boost this if you want a decentralized PKI revolution! 🔥 This keeps the focus on self-hosting your own CA, highlights the security flaws of current PKI, and calls out Big Tech’s resistance to decentralized trust. <a href="https://social.uggs.io/tags/PKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PKI</a> <a href="https://social.uggs.io/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Security</a> <a href="https://social.uggs.io/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DNSSEC</a> <a href="https://social.uggs.io/tags/DANE" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DANE</a> <a href="https://social.uggs.io/tags/TLSA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TLSA</a> <a href="https://social.uggs.io/tags/CAA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CAA</a> <a href="https://social.uggs.io/tags/SelfHosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SelfHosting</a> <a href="https://social.uggs.io/tags/Fediverse" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fediverse</a> <a href="https://social.uggs.io/tags/Privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Privacy</a> <a href="https://social.uggs.io/tags/Decentralization" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Decentralization</a> <a href="https://social.uggs.io/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://social.uggs.io/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#linux</a>

Karl Voit :emacs: :orgmode:<a href="https://graz.social/tags/Irreal" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Irreal</a>: Digital Vs. <a href="https://graz.social/tags/Analog" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Analog</a> <a href="https://graz.social/tags/Notes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Notes</a> <a href="https://irreal.org/blog/?p=12588" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://irreal.org/blog/?p=12588</a><a href="https://graz.social/tags/PIM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PIM</a> <a href="https://graz.social/tags/PKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PKI</a> <a href="https://graz.social/tags/orgmode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#orgmode</a> <a href="https://graz.social/tags/notetaking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#notetaking</a> <a href="https://graz.social/tags/fountainpen" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#fountainpen</a> <a href="https://graz.social/tags/pen" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pen</a> <a href="https://graz.social/tags/paper" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#paper</a>

Erik van Straten🟡 INTRODUCTION/BACKGROUND It has become *way too easy* and cheap, to anonymously (or lying about identity) register a domain name, hire or hack a server and obtain a valid DV (Domain Validated) server certificate.Furthermore, possibly *stimulated* by the fact that most servers now use DV-certificates, (web) browsers have made it increasingly hard for internet users to view certificate details, without providing any alternatives for those users to distinguish between misleading fake and real (authentic) setvers.A steadily increasing number of internet servers is now *anonymous* (it has been *deliberately* made impossible to reliably find out who is responsible), which has lead, and still leads, to huge amounts of unneccesary victims of phishing.This causes enormous financial losses to individuals, companies, governmental and healthcare organizations - while most of that money flows into the pockets of criminals who often operate from regimes that are our enemies. Thereby, indirectly or directly, enriching those regimes (the rest of the stolen money flows into the pockets of hosting-, cloud- and CDN providers, as well as DNS registrars and domain name parking services).Note: a server certificate never directly warants reliability of the owner of a domain name. However, in order to distinguish between fake and real servers or websites, it is essential that users know who is *responsible* and in which country they are established or live. Eventually, if neccessary, to be able to sue them.🟡 From <a href="https://www.theregister.com/2024/09/03/white_house_bgp_security/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.theregister.com/2024/09/03/white_house_bgp_security/</a>: « White House thinks it's time to fix the insecure glue of the internet: Yup, BGP 3 Sep 2024, 22:34 utc - Thomas Claburn [...] "As initially designed and commonly operating today, BGP does not provide adequate security and resilience features for the risks we currently face," the report (<a href="https://whitehouse.gov/wp-content/uploads/2024/09/Roadmap-to-Enhancing-Internet-Routing-Security.pdf" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://whitehouse.gov/wp-content/uploads/2024/09/Roadmap-to-Enhancing-Internet-Routing-Security.pdf</a>) [PDF] says. "Concerns about fundamental vulnerabilities have been expressed for more than 25 years." »🟡 IMO, to not *first* fix WebPKI is plain *stupid* because:➡️ If the *combination* of: 🔸 A *decent* WebPKI {1}, *and* 🔸 Improved browsers {2}, *and* 🔸 User education {3}, *enables* internet users to reliably distinguish between fake and real (authentic) servers, then the necessity for RPKI decreases enormously {4};➡️ Apart from the fact that RPKI is fully hidden for internet users (they *neither* know whether it's used for their current IP-connections, and if that happens to be the case, *nor* how reliable the authentication of the parties involved took place), RPKI does *not* solve a much bigger problem: DNS-hijacks.➡️ A decent WebPKI effectively mitigates the following vulnerabilities (in the order of most to least occuring): 🔸 People not knowing who is responsible for a given (often misleading) domain name; 🔸 DNS hijacks/attacks; 🔸 BGP hijacks; 🔸 AitM's {5} "near" the real server who unrightfully obtain DV-certificates.Edited to add 2024-09-05 21:59 { WebAuthn (as used by FIDO2 hardware keys and by passkeys) *ONLY* protects against the first vulnerability (in people who don't know that a given domain name does not belong to the apparent owner, but instead to an impostor). WebAuthn's phishing-resistance ceases to exist if a fake website obtains any type of certificate. However, while it's extermely easy for an attacker to obtain a DV-certificate, more trustworthy certificates should make that *a lot* harder. }🟡 {1} WHAT IS A DECENT WEBPKI A *decent* WebPKI means that:1️⃣ We must get rid of the current (effectively Google owned) CA/B forum, simply because server certificates exist primarily in the interest of *internet users* (not even represented in the CA/B forum) instead of it's current members: *commercial* cloud providers, browser makers, CA's (Certificate Authorities) and/or CSP's (Certificate Service Providers).2️⃣ The world needs a new, independent, organization that supervises requirements of certificates, CA's and CSP's, as well as all requirements for (web) browsers related to certificates. For easy referencing I'll call it the WPKIF (Web Public Key Infrastructure Forum) in this toot. It is essential that internet users are strongly represented in the WPKIF. The WPKIF must be repeatedly audited by independent auditors (based on clear predefined requirements and/or controls).3️⃣ Each *critical* server {6} *must* use a server certificate that, more or less reliably, uniquely defines the person, people or organization responsible for the server(s) (and content, security etc.) referenced by the server's domain name(s) included in the certificate.4️⃣ The layout of server certificates needs an update to better serve internet users. Most of those users are *not* interested in technical details such as long serial numbers or hexadecimal public key values (such data must remain accessible for experienced users). So some sort of split between technical and *human readable" (not "CN=") information must be made.5️⃣ Each server certificate must also contain a standardized indicator that reveals the *minimum* reliability of the authentication of the person, people or organization responsible for all domain names, and all servers referenced by all domain names (included in the certificate). In short: how certain is it that the owner of a website is who they claim to be.6️⃣ Each server certificate must also contain a reference to a WPKIF website with a standardized indicator that reveals the *reliability* of the least reliable link in the chain starting at the applicable CA and ending with the CSP (including both ends plus intermediate certificates and their owners). In short: how reliable is the information in the certificate, as determined by the WPKIF.7️⃣ The WPKIF must immediately and objectively take action against any CA, intermediate or CSP that violates the rules and requirements as defined by the WPKIF. Such by decreasing their reliability rating upto canceling their right to issue certificates.🟡 {2} Web browsers (and perhaps other clients) must make it a lot easier for users to determine who is responsible for a server or website. IMO, at the very least when an internet user visits a website with a specific domain name *for the first time* (using that browser), *OR* when the server sends a new certificate, the browser should first show full details of the owner of the domain name *before* fetching any content - and let the user decide whether they want to continue and open the website. (Note: I've not given it enough thought how to handle third party websites - where CSS, JavaScript, images and/or analytics stuff is downloaded from).🟡 {3} Internet users need to be educated about the importance of knowing who owns a domain name (and thus server and/or website). Browsers must play a role by offering tutorials. Current "awareness trainings" are simply insufficient (as notably Google found out, see <a href="https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html</a> - more info, in Dutch: <a href="https://infosec.exchange/@ErikvanStraten/113045136092456532" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113045136092456532</a>).🟡 {4} RPKI vs WebPKI Increasingly cybercriminals succeed into hijacking cryptocurrency websites, and they may do so by hijacking BGP and subsequently acquiring a DV certificate for their fake server (examples can be found here: <a href="https://infosec.exchange/@ErikvanStraten/112914050216821746" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/112914050216821746</a>). However, BGP hijack attacks are not easy to accomplish and often detected soon. In particular it will be hard for the attackers to obtain *trustworthy* server certificates. 🟡 {5} AitM = Attacker in the Middle. A server in a hosting center may be AitM'ed in the same center without touching the actual server itself and without requiring DNS- or BGP hijacks (because the AitM and the real server are both comnected to an internal network), as for example happened to "jabber.ru" in a German hosting center (see <a href="https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-certificate" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-certificate</a>, full details in <a href="https://notes.valdikss.org.ru/jabber.ru-mitm/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://notes.valdikss.org.ru/jabber.ru-mitm/</a>).🟡 {6} A critical server is one whose *authenticity* and/or *indistinguishability from fake sites* are important upto (thtough) essential for internet users. I don't care if a home NAS uses a DV-cert, but banks, goverments (in particular those that do *not* use a specific domain name ending, such as .gov), insurances, websites showing and/or receiving medical/patient data etc. - any server related to PII or needs to otherwise prove their identity.🟡 MORE INFORMATION 🔸 Let's Encrypt certificates mis-issuances & ocsp ending: <a href="https://infosec.exchange/@ErikvanStraten/112914047006977222" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/112914047006977222</a>🔸 Untrustworthy HSTS and lack of "https only" in many browsers: <a href="https://infosec.exchange/@ErikvanStraten/113045241408077702" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113045241408077702</a>🔸 Why awareness trainings fail (in Dutch): <a href="https://infosec.exchange/@ErikvanStraten/113045136092456532" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113045136092456532</a>🔸 Why the physical location of an offline service provider (like a bank office or a town hall) is a hugely underestimated authentication factor (in Dutch): <a href="https://security.nl/posting/855557" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://security.nl/posting/855557</a>🔸 Why Google lied when they killed EV certs, and why it's insane to introduce digital identity wallets (eID's) for strong online authentication of people on the current, highly crminalized, internet, with more anonymous servers every day (in Dutch): <a href="https://infosec.exchange/@ErikvanStraten/113031344934186250" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113031344934186250</a>🔸 How Google became evil by facilitating cybercrime, renting them hosting services for domain names such as NNoutlook.com, NNNNoutlook.com and ecbeuropa[.]eu, even providing them with server certificates for free: <a href="https://www.virustotal.com/gui/ip-address/35.241.18.84/relations" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.virustotal.com/gui/ip-address/35.241.18.84/relations</a>Internet reliability needs to be restored, and further improved upon, ASAP.<a href="https://infosec.exchange/tags/RPKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RPKI</a> <a href="https://infosec.exchange/tags/PKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PKI</a> <a href="https://infosec.exchange/tags/WebPKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WebPKI</a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a> <a href="https://infosec.exchange/tags/BGP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BGP</a> <a href="https://infosec.exchange/tags/BGPHijack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BGPHijack</a> <a href="https://infosec.exchange/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DNS</a> <a href="https://infosec.exchange/tags/DNSHijack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DNSHijack</a> <a href="https://infosec.exchange/tags/Websites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Websites</a> <a href="https://infosec.exchange/tags/Real" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Real</a> <a href="https://infosec.exchange/tags/Fake" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fake</a> <a href="https://infosec.exchange/tags/Authentic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authentic</a> <a href="https://infosec.exchange/tags/Authenticity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authenticity</a> <a href="https://infosec.exchange/tags/Impostors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Impostors</a> <a href="https://infosec.exchange/tags/CABForum" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CABForum</a> <a href="https://infosec.exchange/tags/Commercialization" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Commercialization</a> <a href="https://infosec.exchange/tags/Independant" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Independant</a> <a href="https://infosec.exchange/tags/UserRepresentatives" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#UserRepresentatives</a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Certificates</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OV</a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EV</a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#QWAC</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eID</a> <a href="https://infosec.exchange/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#eIDAS</a> <a href="https://infosec.exchange/tags/WebAuthn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WebAuthn</a> <a href="https://infosec.exchange/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FIDO2</a> <a href="https://infosec.exchange/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Yubikey</a> <a href="https://infosec.exchange/tags/Yubico" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Yubico</a> <a href="https://infosec.exchange/tags/Titan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Titan</a> <a href="https://infosec.exchange/tags/GoogleTitan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GoogleTitan</a> <a href="https://infosec.exchange/tags/Feitian" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Feitian</a>

John KristoffWeekend Reads* Where DNSSEC went wrong <a href="https://blog.apnic.net/2024/07/05/where-did-dnssec-go-wrong/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blog.apnic.net/2024/07/05/where-did-dnssec-go-wrong/</a> * Rogers 2022 outage report <a href="https://crtc.gc.ca/eng/publications/reports/xona2024.htm" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://crtc.gc.ca/eng/publications/reports/xona2024.htm</a> * Rise of packet rate attacks <a href="https://blog.ovhcloud.com/the-rise-of-packet-rate-attacks-when-core-routers-turn-evil/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blog.ovhcloud.com/the-rise-of-packet-rate-attacks-when-core-routers-turn-evil/</a> * CAA/CT/DANE measurement study <a href="https://arxiv.org/abs/2407.02287" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://arxiv.org/abs/2407.02287</a> * Domain name market 2023 report <a href="https://www.afnic.fr/wp-media/uploads/2024/07/study-afnic-the-global-domain-name-market-in-2023.pdf" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.afnic.fr/wp-media/uploads/2024/07/study-afnic-the-global-domain-name-market-in-2023.pdf</a><a href="https://infosec.exchange/tags/DNSSEC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DNSSEC</a> <a href="https://infosec.exchange/tags/Rogers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Rogers</a> <a href="https://infosec.exchange/tags/DDoS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DDoS</a> <a href="https://infosec.exchange/tags/PKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PKI</a> <a href="https://infosec.exchange/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DNS</a>

Daniel Carkner🥀For <a href="https://historians.social/tags/Indonesians" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Indonesians</a>, by the way my former thesis supervisor John Roosa's 2022 book Buried Histories: The Anticommunist Massacres of 1965-1966 in Indonesia has just been released in Indonesian translation by Marjin Kiri, translated by Hendarto Setiadi: <a href="https://marjinkiri.com/product/riwayat/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://marjinkiri.com/product/riwayat/</a>(originally published in English by University of Wisconsin Press: <a href="https://uwpress.wisc.edu/books/5717.htm" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://uwpress.wisc.edu/books/5717.htm</a> ) <a href="https://historians.social/tags/HistoryBooks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HistoryBooks</a> <a href="https://historians.social/tags/Sejarah" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Sejarah</a> <a href="https://historians.social/tags/IndonesianHistory" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IndonesianHistory</a> <a href="https://historians.social/tags/NewOrder" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NewOrder</a> <a href="https://historians.social/tags/OrdeBaru" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OrdeBaru</a> <a href="https://historians.social/tags/PKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PKI</a> <a href="https://historians.social/tags/CommunistHistory" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CommunistHistory</a> <a href="https://historians.social/tags/HumanRights" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HumanRights</a>

Recent searches

Search options

Administered by:

Server stats:

#PKI