Recent searches

No recent searches

Search options

Only available when logged in.
toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.

Administered by:

Server stats:

211
active users

toad.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.4.1

#authentication

4 posts4 participants0 posts today
🧿🪬🍄🌈🎮💻🚲🥓🎃💀🏴🛻🇺🇸

> #Google informed me that I already had a #passkey on my device. If that's the case, why didn't it work when I attempted to log into my Google account on the tablet? When I was logging into the tablet, Google should have been aware I had #passkeys on my Pixel 9 Pro and request #authentication with either a fingerprint or face scan. It didn't. No passkey was recognized… even though it's there.

> It's a recursive nightmare from which I can't seem to escape.

zdnet.com/article/passkeys-won

ZDNET · Passkeys won't be ready for primetime until Google and other companies fix thisBy Jack Wallen
#security
Replied in thread
*
Erik van Straten

@tbortels : even if we disagree, thank you for a fair discussion.

You wrote:
❝Asking any third party to ensure "trust" is doomed from the start. In the history of humanity no govermnment or organization whatsoever has managed to eliminate fraud, and none ever will.❞

You are right, not for 100%. That will never be achieved; what I think is seriously needed is risk *reduction*.

By typing the toot you sent to me, you had to trust the manufacturers of hardware and software you used. You'll have to trust your bank for prudently guarding your savings. Trust is a very basic requirement in our lives, even if we are to be very disappointed now and then.

We have chambers of commerce for a reason (in my country: kvk.nl/en/).

Among other things, I wrote a section
{1} WHAT IS A DECENT WEBPKI
in my (long) proposal infosec.exchange/@ErikvanStrat (the current CA/B forum is pointless: it's big tech for big tech, zero consumer orgs are involved).

To decrease the (enormous) impact of cybercrime, IMO we can and should provide users with as much information about a website as possible, in particular when it is the first time they visit it (or if ownership may have changed).

❝The reality is this: people need to learn basic defensive cynicism.❞

That is simpy impossible. Even I sometimes find it hard to determine whether a website is authentic (and like you, I have a lot of infosec experience - that dates back to around the time that "internet" became accessible to universities).

The web is being FLOODED with criminal websites (example: see the image below) while no big tech org cares - on the contrary, they're making money by condoning it. Guess why Google introduced zillions of stupid TLD's. There are way too many people who will not and cannot become forensic researchers.

❝The internet is just another place where doing dumb things gets you hurt, and it can't be made safe without destroying it.❞

I disagree. Like I wrote in infosec.exchange/@ErikvanStrat:
"I am not against (free) Domain Validated certificates. They're fine if visitors do exactly know the domain name in advance, such as of your home NAS (and are not easily fooled by IDN's)."

❝Security and Trust are two different unrelated things. And people need to understand it.❞

Agreed, but we can still help them *a lot* making better decisions whom to trust. Again, I mean trust based on reputation and the ability to "see them in court" if you know who you're dealing with - in cases where that matters.

@UndisScot

#FakeWebsites#Phishing#BigTechIsEvil
Continued thread
Serge from Babka

Another approach would be if Alice could generate multiple Passkeys and hand them out to individuals she trusts, and then retaining the ability to revoke them. Sadly many sites don't yet support Passkeys, and this model still lets someone like Mal revoke Alice's access, so that's not great.

Bitwarden has a feature whereby Alice can share a password with Eve but not let her see it or export it. This could work pretty well, except that if the site requires 2FA from a SMS text message (vs TOTP or a token) or if Eve has the knowhow to intercept the password.

I still think that what we ultimately want is attenuated scopes because then we can track all actions by the delegated party.

I do wonder if this need is niche or if the current solution of "good faith password sharing" works well enough often enough that it's not risen to the level of concern for developers.

2/2

#Authentication#Authorization#InfoSec
*
Serge from Babka

I've been thinking about delegated authority on websites lately.

It would be convenient if I could delegate certain functions to people, for example allowing someone like my accountant to have access to some of my financial records.

Some organizations make this easy, allowing me to have multiple accounts.

Other services don't offer this, nor do they offer any kind of OAuth type of delegated authorization or capabilities model.

I've been thinking about ways around this.

One very wacky way would be if Alice could have a a "special browser" that would tie into some service she runs. Bob would log in with his credentials and then behind the scenes the application logs in as Alice.

This would be very complicated to implement though.

1/

#Authentication#Authorization#InfoSec
*
Strypey

The UX of 2FA could be improved considerably, and security along with it, by using a circles of trust model.

Take the example of a code forge, hosting the canonical version of some crucial piece of kit like the Linux kernel, OpenSSL, or GnuPG. You would want a maintainer to be 100% authenticated before they can commit changes to these repositories. Basic security culture.

But ...

(1/2)

#2FA#authentication
PrivacyDigest

Critical #CitrixBleed 2 #vulnerability has been under active #exploit for weeks

A critical vulnerability allowing #hackers to bypass #multifactor #authentication in network management devices made by #Citrix has been actively #exploited for more than a month, researchers said. The finding is at odds with advisories from the vendor saying there is no evidence of in-the-wild #exploitation.
#security #privacy

arstechnica.com/security/2025/

Ars Technica · Critical CitrixBleed 2 vulnerability has been under active exploit for weeksBy Dan Goodin
Replied in thread
*
Erik van Straten

@relishthecracker : that's make belief.

"Wow, asymmetric encryption, even quantum-computer-proof", "military-grade", etcetera.

Right after logging in using a passkey with an unbreakably protected private key, the website sends a session cookie (or similar) to the browser - which is NOT protected like private keys. If a website (like most of them) does not log you out if your IP-address changes, such a cookie is nearly as bad as a password. And fully if the cookie never expires.

Therefore:

1️⃣ Even if attackers cannot copy private keys: if the user device is sufficiently compromised (i.e. on Android, running an accessibility service), they can take over all of the user's accounts;

2️⃣ If the user's browser is compromised, attackers can copy session cookies and use them to obtain access to accounts the user logs in to;

3️⃣ An AitM (Attacker in the Middle) using a malicious website can copy/steal authentication cookies. Such AitM-attacks are possible in at least the following cases if either:

• A malicious third party website manages to obtain a fraudulently issued certificate (examples: infosec.exchange/@ErikvanStrat);

• An attacker obtains unauthorised write access to the website's DNS record;

• An attacker manages to obtain access to a server where a "dangling" (forgotten) subdomain name points to, *AND* the real authenticating server (RP) does not carefully check for allowed subdomains (see github.com/w3ctag/design-revie);

4️⃣ The server is compromised or has a rogue admin: the attacker can add their passkey's public key to your account, or replace your public key with theirs (note that passkey pubkeys are not encapsulated by certificates issued by trusted issuers, stating who owns the public key).

Phishing using fake websites is probably the number one problem on the internet. *THE* major advantage of passkeys is that they make phishing attacks VERY HARD.

Indeed, if your device is sufficiently compromised, the risk of all of your passwords being stolen if you use a password manager is BIG.

However, as I wrote, if your device is sufficiently compromised, an attacker does not need access to your private keys in order to obtain access to your accounts.

@oliversampson @kaye

Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)🌘DV-CERT MIS-ISSUANCE INCIDENTS🌒 🧵#3/3 Note: this list (in reverse chronological order) is probably incomplete; please respond if you know of additional incidents! 2024-07-31 "Sitting Ducks" attacks/DNS hijacks: mis-issued certificates for possibly more than 35.000 domains by Let’s Encrypt and DigiCert: https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/ (src: https://www.bleepingcomputer.com/news/security/sitting-ducks-dns-attacks-let-hackers-hijack-over-35-000-domains/) 2024-07-23 Let's Encrypt mis-issued 34 certificates,revokes 27 for dydx.exchange: see 🧵#2/3 in this series of toots 2023-11-03 jabber.ru MitMed/AitMed in German hosting center https://notes.valdikss.org.ru/jabber.ru-mitm/ 2023-11-01 KlaySwap en Celer Bridge BGP-hijacks described https://www.certik.com/resources/blog/1NHvPnvZ8EUjVVs4KZ4L8h-bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the 2023-09-01 Biggest BGP Incidents/BGP-hijacks/BGP hijacks https://blog.lacnic.net/en/routing/a-brief-history-of-the-internets-biggest-bgp-incidents 2022-09-22 BGP-hijack mis-issued GoGetSSL DV certificate https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/ 2022-09-09 Celer Bridge incident analysis https://www.coinbase.com/en-nl/blog/celer-bridge-incident-analysis 2022-02-16 Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack https://www.bankinfosecurity.com/crypto-exchange-klayswap-loses-19m-after-bgp-hijack-a-18518 🌘BACKGROUND INFO🌒 2024-08-01 "Cloudflare once again comes under pressure for enabling abusive sites (Dan Goodin - Aug 1, 2024) https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/ 2018-08-15 Usenix-18: "Bamboozling Certificate Authorities with BGP" https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee Edited 2024-09-05 14:19 UTC: corrected the link for the "jabber.ru" incident. #DV #LE #LetsEncrypt #Certificates #Certs #Misissuance #Mis_issuance #Revocation #Revoked #Weaknessess #WeakCertificates #WeakAuthentication #Authentication #Impersonation #Identification #Infosec #DNS #DNSHijacks #SquareSpace #Authorization #UnauthorizedChanges #UnauthorizedModifications #DeFi #dydx_exchange #CryptoCoins
#Passkeys#PasswordManagers#DomainNames
Joseph Lim :mastodon:

#LetterOfTheWeek
Make #online process for #CPF #nominations more user-friendly
"After multiple failed attempts.. As a #senior w #mobilityissues, I hv yet to complete an online nomination successfully. #Facial #authentication shld be more adaptable to #realworld conditions. Basic form data shld be saved as draft to avoid te need to re-enter everything in case of errors. #Singapore’s push twds #digitalisation is commendable but experiences like tis risk leaving some behind"
straitstimes.com/opinion/forum

The Straits Times · Forum: Make online process for CPF nominations more user-friendly Read more at straitstimes.com. Read more at straitstimes.com.
Replied in thread
Erik van Straten

@aral wrote: "If your friends and family are trying to phish you, you have bigger problems."

Phishing means that an adversary *claiming to be* someone you know (including friends and family) convinces you to click on a link.

The purpose of a certificate, telling a receiver *WHO* (human readable) owns the associated private key (the last resort to distinguish between fake and authentic), now has completely vanished.

As if phishing is not already the nr. 1 problem on the internet.

Note: I'm fine with the idea provided that browsers clearly inform users about the reliability of authenticity (I've read your article, did you read infosec.exchange/@ErikvanStrat ?)

@letsencrypt

Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)Content warning: (long) Wrong order: RPKI first - WebPKI never?
#Phishing#LetsEncrypt#DNS
Felix Palmen :freebsd: :c64:

Just released: #swad 0.12 🥂

swad is the "Simple Web Authentication Daemon". It basically offers adding form + #cookie #authentication to your reverse proxy (designed for and tested with #nginx "auth_request"). I created it mainly to defend against #malicious_bots, so among other credential checker modules for "real" logins, it offers a proof-of-work mechanism for guest logins doing the same #crypto #challenge known from #Anubis.

swad is written in pure #C with minimal dependencies (#zlib, #OpenSSL or compatible, and optionally #PAM), and designed to work on any #POSIX system. It compiles to a small binary (200 - 300 kiB depending on compiler and target platform).

This release brings (among a few bugfixes) improvements to make swad fit for "heavy load" scenarios: There's a new option to balance the load across multiple service worker threads, so all cores can be fully utilized if necessary, and it now keeps lots of transient objects in pools for reuse, which helps to avoid memory fragmentation and ultimately results in lower overall memory consumption.

Read more about it, download the .tar.xz, build and install it .... here:

github.com/Zirias/swad

GitHubGitHub - Zirias/swad: Simple Web Authentication DaemonSimple Web Authentication Daemon. Contribute to Zirias/swad development by creating an account on GitHub.
TrendingLive feeds
About