> ... For a Yubikey to act as a poor man's HSM you have to store the PIN in plaintext on the disk. ...
I haven't read the article fully yet, but it's not a bad idea to store the Root CA on the yubikey, and then generate a separate intermediate CA that is not stored on the yubikey. This way, all your day-to-day certs are issued using the intermediate and you only need to touch the root ca if you need to re-issue/revoke/etc the intermediate.
This is what I do as well. I use acme.sh on one linux server to generate a cert with a few SANs on it, then copy that cert to things like opnsense/truenas/etc either using ssh or their api if there is one.
Very cool, any chance of either open-sourcing it or allowing the browser part to be self-hosted? i.e. to act on websites hosted in a local lan/vpn?
Also, did you evaluate https://github.com/browser-use/browser-use by any chance and have any comments about it? I'm assuming it was too AI-heavy based on what you said about claude/etc?
Thanks John! We should make that more clear in the docs. You can set browser=None on initialization and Simplex will create a local browser instance that can run on your local websites. We're not planning to be open source right now since a large portion of our product is custom vision models + inference speedups through hosting.
Browser Use is another YC company. Probably the biggest difference is that they're more agent focused while we're more lower level -- in the Claude Computer Use camp like you mentioned.
Plaid/Yodlee/SimpleFIN etc are slowly getting better about not having to store credentials or do scraping. It depends more on the bank. A lot of banks don't support things like oauth, but a few do support giving 3rd party apps read-only access or at least have an oauth2 flow to approve access instead of giving them your user/password.
Agreed in general though, I don't like having to give a budgeting app potential access to transfer all of my money away (even if they promise they won't).
I think I have the opposite mindset. I prefer putting everything on credit cards because then I don't have to keep a receipt or remember exactly what I spent where if I go to multiple places in one day. Plus bills/online subscriptions/etc that aren't cash-friendly.
I'd like something like Privacy that creates temporary credit card numbers, but is also anonymous from the provider side. Sort of like buying a new visa gift card to use every month.
But I also like getting points to use while traveling.
I've settled on Capital One. They call them Virtual Cards. I have lots of temporary cards, mostly I use them for specific vendors (utilities, different SaaS subscriptions) so if some low security site gets hacked it won't work anywhere except with that vendor.
I'm not sure if that feature is only for specific cards they offer.
I know you haven't been using it for long, but are you (or your wife) liking this setup? I don't like having to pay for SimpleFIN, but I'm thinking about doing it too.
You can specify the interface address to listen on, like "127.0.0.1:8080:8080" or "192.168.1.100:8080:8080". I have a lot of containers exposed like this but bind specifically to a vpn ip on the host so that they don't get exposed externally by default.
The trouble is that docker seems to default to using 0.0.0.0, so if you do `docker run -it -p 8080 node:latest` for example, now that container accepts incoming connections on port :32768 or whatever docker happens to assign it, which is bananas default behavior.
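An added example, not part of the comment above and not Docker's own code: a small audit that parses `-p` publish values and flags the ones that listen on every host interface. The function names are hypothetical, and it assumes the daemon's default bind address is unchanged and that IPv6 host addresses are written in brackets.

```python
import ipaddress

def parse_publish(spec):
    """Split a `docker run -p` value into (host_ip, host_port, container_port, proto)."""
    body, _, proto = spec.partition("/")
    if body.startswith("["):                  # bracketed IPv6 host address
        host_ip, sep, rest = body[1:].partition("]:")
        if not sep:
            raise ValueError(f"bad publish spec: {spec!r}")
        parts = rest.split(":")
    else:
        parts = body.split(":")
        host_ip = parts.pop(0) if len(parts) == 3 else ""
    if len(parts) == 1:                       # container port only: host port is assigned
        parts.insert(0, "")
    if len(parts) != 2 or not parts[1]:
        raise ValueError(f"bad publish spec: {spec!r}")
    return host_ip, parts[0], parts[1], proto or "tcp"

def classify(spec):
    """Return 'all-interfaces', 'loopback' or 'specific' for one publish spec."""
    host_ip = parse_publish(spec)[0]
    if not host_ip:
        return "all-interfaces"               # assumed daemon default of 0.0.0.0
    addr = ipaddress.ip_address(host_ip)
    if addr.is_unspecified:                   # explicit 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "specific"

def exposed(specs):
    """Specs that accept connections on every host interface."""
    return [s for s in specs if classify(s) == "all-interfaces"]

# Constructed sample: the three forms from the comment plus a few variants.
SAMPLE = ["8080", "8080:8080", "127.0.0.1:8080:8080",
          "192.168.1.100:8080:8080", "0.0.0.0:9000:9000/udp", "[::1]:5353:53/udp"]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s:28} {classify(s)}")
```

Feeding it the publish values from a compose file or a shell history gives a quick list of containers to rebind to a loopback or VPN address.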