Felix Palmen :freebsd: :c64:<p>Released: <a href="https://mastodon.bsd.cafe/tags/swad" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>swad</span></a> v0.1 🥳 </p><p>Looking for a simple way to add <a href="https://mastodon.bsd.cafe/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a> to your <a href="https://mastodon.bsd.cafe/tags/nginx" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>nginx</span></a> reverse proxy? Then swad *could* be for you!</p><p>swad is the "Simple Web Authentication Daemon", written in pure <a href="https://mastodon.bsd.cafe/tags/C" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>C</span></a> (+ <a href="https://mastodon.bsd.cafe/tags/POSIX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>POSIX</span></a>) with almost no external dependencies. <a href="https://mastodon.bsd.cafe/tags/TLS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TLS</span></a> support requires <a href="https://mastodon.bsd.cafe/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSSL</span></a> (or <a href="https://mastodon.bsd.cafe/tags/LibreSSL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LibreSSL</span></a>). It's designed to work with nginx' "auth_request" module and offers authentication using a <a href="https://mastodon.bsd.cafe/tags/cookie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cookie</span></a> and a login form.</p><p>Well, this is a first release and you can tell by the version number it isn't "complete" yet. Most notably, only one single credentials checker is implemented: <a href="https://mastodon.bsd.cafe/tags/PAM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PAM</span></a>. But as pam already allows pretty flexible configuration, I already consider this pretty useful 🙈</p><p>If you want to know more, read here:<br><a href="https://github.com/Zirias/swad" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/Zirias/swad</span><span class="invisible"></span></a></p>
Recent searches
No recent searches
Search options
Not available on radikal.social.
radikal.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
radikal.social was created by a group of activists to offer federated social media for the radical left in and around Denmark.
Administered by:
Server stats:
165active users
radikal.social: About · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.3.7
#authentication
2 posts · 2 participants · 0 posts today
Boiling Steam<p>Matrix.org Will Migrate to MAS: <a href="https://matrix.org/blog/2025/04/matrix-auth-service/" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">matrix.org/blog/2025/04/matrix</span><span class="invisible">-auth-service/</span></a> <br><a href="https://mastodon.cloud/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>linux</span></a> <a href="https://mastodon.cloud/tags/update" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>update</span></a> <a href="https://mastodon.cloud/tags/foss" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>foss</span></a> <a href="https://mastodon.cloud/tags/matrix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>matrix</span></a> <a href="https://mastodon.cloud/tags/mas" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>mas</span></a> <a href="https://mastodon.cloud/tags/migration" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>migration</span></a> <a href="https://mastodon.cloud/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://freeradical.zone/@mensrea" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>mensrea</span></a></span> : it is not the UI/UX that is the problem. It is missing reliable info in the certs.</p><p>Image from <a href="https://infosec.exchange/@ErikvanStraten/114224682101772569" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114224682101772569</span></a></p><p><span class="h-card" translate="no"><a href="https://mastodon.ar.al/@aral" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>aral</span></a></span> <span class="h-card" translate="no"><a href="https://ec.social-network.europa.eu/@EUCommission" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>EUCommission</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>letsencrypt</span></a></span> <span class="h-card" translate="no"><a href="https://social.nlnet.nl/@nlnet" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>nlnet</span></a></span> </p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/bond" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bond</span></a> <a href="https://infosec.exchange/tags/dotBond" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dotBond</span></a> <a href="https://infosec.exchange/tags/Spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spam</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/Ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ransomware</span></a> <a href="https://infosec.exchange/tags/Banks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Banks</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.ar.al/@aral" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>aral</span></a></span> :</p><p>I don't want to pay a cent. Neither donate, nor via taxes.</p><p><a href="https://infosec.exchange/@ErikvanStraten/114227977082449887" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114227977082449887</span></a></p><p><span class="h-card" translate="no"><a href="https://mstdn.social/@TheDutchChief" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>TheDutchChief</span></a></span> <span class="h-card" translate="no"><a href="https://ec.social-network.europa.eu/@EUCommission" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>EUCommission</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>letsencrypt</span></a></span> <span class="h-card" translate="no"><a href="https://social.nlnet.nl/@nlnet" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>nlnet</span></a></span> </p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/bond" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bond</span></a> <a href="https://infosec.exchange/tags/dotBond" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dotBond</span></a> <a href="https://infosec.exchange/tags/Spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spam</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/Ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ransomware</span></a> <a href="https://infosec.exchange/tags/Banks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Banks</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.ar.al/@aral" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>aral</span></a></span> : most Let's Encrypt (and other Domain Validated) certificates are issued to junk- or plain criminal websites.</p><p>They're the ultimate manifestation of evil big tech.</p><p>They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks.</p><p>DV has destroyed the internet. People loose their ebank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing atracks).</p><p>Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website).</p><p>However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a peace of cake.</p><p>Decent online authentication is HARD. Get used to it instead of denying it.</p><p>REASONS/EXAMPLES</p><p>🔹 Troy Hunt fell in the DV trap: <a href="https://infosec.exchange/@ErikvanStraten/114222237036021070" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114222237036021070</span></a></p><p>🔹 Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. Now Chrome does not give you any more info than what Google argumented: <a href="https://infosec.exchange/@ErikvanStraten/114224682101772569" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114224682101772569</span></a></p><p>🔹 https:⧸⧸cancel-google.com/captcha was live yesterday: <a href="https://infosec.exchange/@ErikvanStraten/114224264440704546" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114224264440704546</span></a></p><p>🔹 Stop phishing proposal: <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a></p><p>🔹 Lots of reasons why LE sucks:<br><a href="https://infosec.exchange/@ErikvanStraten/112914047006977222" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914047006977222</span></a> (corrected link 09:20 UTC)</p><p>🔹 This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): <a href="https://newly-registered-domains.abtdomain.com/2024-08-15-bond-newly-registered-domains-part-1/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">newly-registered-domains.abtdo</span><span class="invisible">main.com/2024-08-15-bond-newly-registered-domains-part-1/</span></a>. However, this gang is still active, open the RELATIONS tab in <a href="https://www.virustotal.com/gui/ip-address/13.248.197.209/relations" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/ip-address/</span><span class="invisible">13.248.197.209/relations</span></a>. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: <a href="https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/</span></a></p><p><span class="h-card" translate="no"><a href="https://ec.social-network.europa.eu/@EUCommission" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>EUCommission</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>letsencrypt</span></a></span> <span class="h-card" translate="no"><a href="https://social.nlnet.nl/@nlnet" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>nlnet</span></a></span> </p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/bond" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bond</span></a> <a href="https://infosec.exchange/tags/dotBond" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dotBond</span></a> <a href="https://infosec.exchange/tags/Spam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spam</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/Ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ransomware</span></a> <a href="https://infosec.exchange/tags/Banks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Banks</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@troyhunt" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>troyhunt</span></a></span> : if we open a website that we've never visited before, we need browsers to show us all available details about that website, and warn us if such details are not available.</p><p>We also need better (readable) certificates identifying the responsible / accountable party for a website.</p><p>We have been lied to that anonymous DV certificates are a good idea *also* for websites we need to trust. It's a hoax.</p><p>Important: certificates never directly warrant the trustworthyness of a website. They're about authenticity, which includes knowing who the owner is and in which country they are located. This helps ensuring that you can sue them (or not, if in e.g. Russia) which *indirectly* makes better identifiable websites more reliable.</p><p>More info in <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a> (see also <a href="https://crt.sh/?Identity=mailchimp-sso.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">crt.sh/?Identity=mailchimp-sso</span><span class="invisible">.com</span></a>).</p><p>Note: most people do not understand certificates, like <span class="h-card" translate="no"><a href="https://mastodon.social/@BjornW" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>BjornW</span></a></span> in <a href="https://mastodon.social/@BjornW/114064065891034415" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.social/@BjornW/114064</span><span class="invisible">065891034415</span></a>:<br>❝<br><span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>letsencrypt</span></a></span> offers certificates to encrypt the traffic between a website & your browser.<br>❞<br>2x wrong.</p><p>A TLS v1.3 connection is encrypted before the website sends their certificate, which is used only for *authentication* of the website (using a digital signature over unguessable secret TLS connection parameters). A cert binds the domain name to a public key, and the website proves possession of the associated private key.</p><p>However, for people a domain name simply does not suffice for reliable identification. People need more info in the certificate and it should be shown to them when it changes.</p><p>Will you please help me get this topic seriously on the public agenda?</p><p>Edited 09:15 UTC to add: tap "Alt" in the images for details.</p><p><a href="https://infosec.exchange/tags/DVcerts" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DVcerts</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudflareIsEvil</span></a></p>
Grumpy Website<p>We noticed you were working. How about you do a meaningless chore for us instead?</p><p><a href="https://mastodon.online/tags/Slack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Slack</span></a> <a href="https://mastodon.online/tags/Login" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Login</span></a> <a href="https://mastodon.online/tags/Logout" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Logout</span></a> <a href="https://mastodon.online/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://mastodon.online/tags/Popup" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Popup</span></a> <a href="https://mastodon.online/tags/Timeout" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Timeout</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://blahaj.zone/@Fiona" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>Fiona</span></a></span> : if you send anyone a bitmap (*) that "proves" you are you, they'll have a bitmap to prove they are you.</p><p>(*) Digital image</p><p>In Dutch: <a href="https://www.security.nl/posting/827137/Kopie-ID%3A+kap+ermee%21" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/827137/Kop</span><span class="invisible">ie-ID%3A+kap+ermee%21</span></a></p><p><a href="https://infosec.exchange/tags/GLWT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GLWT</span></a> <a href="https://infosec.exchange/tags/TechSolutionism" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TechSolutionism</span></a> <a href="https://infosec.exchange/tags/TechSolutionisme" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TechSolutionisme</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticatie</span></a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonatie</span></a></p>
julian<p>2FA codes sent over ActivityPub when?</p>
Aral Balkan<p>New Kitten release</p><p>• Fixes redirection from sign-in page when person is already authenticated.</p><p><a href="https://kitten.small-web.org" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">kitten.small-web.org</span><span class="invisible"></span></a></p><p>To learn more about how Kitten automatically implements authentication for your Small Web sites and apps using public-key cryptography (so even your own server doesn’t know your secret)¹, please see the Authentication tutorial:</p><p><a href="https://kitten.small-web.org/tutorials/authentication/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">kitten.small-web.org/tutorials</span><span class="invisible">/authentication/</span></a></p><p>Enjoy!</p><p>:kitten:💕</p><p>¹ The security (and privacy) of Domain/Kitten are based on a 32-byte cryptographically random secret string that only the person who owns/controls a domain knows.</p><p>This is basically a Base256-encoded ed25519 secret key where the Base256 alphabet is a set of curated emoji surrogate pairs without any special modifiers chosen mainly from the animals, plants, and food groups with some exceptions (to avoid common phobias or triggers, etc.) that we call KittenMoji.</p><p>…</p><p>When setting up a Small Web app via Domain, this key is generated in the person’s browser, on their own computer, and is never communicated to either the Domain instance or the Kitten app being installed. Instead the ed25519 public key is sent to both and signed token authentication is used when the server needs to verify the owner’s identity (e.g., before allowing access to the administration area).</p><p>The expected/encouraged behaviour is for the person to store this secret in their password manager of choice.</p><p>More: <a href="https://kitten.small-web.org/reference/#cryptographic-properties" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">kitten.small-web.org/reference</span><span class="invisible">/#cryptographic-properties</span></a></p><p><a href="https://mastodon.ar.al/tags/Kitten" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kitten</span></a> <a href="https://mastodon.ar.al/tags/SmallWeb" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SmallWeb</span></a> <a href="https://mastodon.ar.al/tags/SmallTech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SmallTech</span></a> <a href="https://mastodon.ar.al/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a> <a href="https://mastodon.ar.al/tags/publicKeyCryptography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>publicKeyCryptography</span></a> <a href="https://mastodon.ar.al/tags/web" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>web</span></a> <a href="https://mastodon.ar.al/tags/dev" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dev</span></a> <a href="https://mastodon.ar.al/tags/NodeJS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NodeJS</span></a> <a href="https://mastodon.ar.al/tags/JavaScript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>JavaScript</span></a> <a href="https://mastodon.ar.al/tags/HTML" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HTML</span></a> <a href="https://mastodon.ar.al/tags/CSS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CSS</span></a></p>
Erik van Straten<p>Fsck de overheid: "Het automatiseren van certificaatbeheer door de overheid op basis van ACME zorgt voor het efficiënter en betrouwbaarder verkrijgen, vernieuwen en intrekken van TLS-certificaten. Dit maakt de digitale overheid betrouwbaarder, wendbaarder en minder leveranciersafhankelijk", aldus de experts. "Daarnaast vermindert het gebruik van ACME de beheerlast voor het beheer van TLS-certificaten."<br><a href="https://www.security.nl/posting/876900/ACME+voor+uitgifte+tls-certificaten+wordt+mogelijk+verplicht+voor+overheid" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/876900/ACM</span><span class="invisible">E+voor+uitgifte+tls-certificaten+wordt+mogelijk+verplicht+voor+overheid</span></a>.</p><p>In een tijd waarin burgers, online, met steeds hogere betrouwbaarheid moeten authenticeren (o.a. voor online leeftijdsverificatie en binnenkort met eID's zoals EDIW/EUDIW), en de anonieme nepwebsites als paddenstoelen uit de grond schieten (*), is dit een *KRANKZINNIG* plan.</p><p>(*) Daarbij geen strobreed in de weggelegd door BigTech - integendeel: medeplichtigheid aan cybercrime is hun verdienmodel geworden.</p><p>Het grote risico hier zijn AitM- (Attacker in the Middle) aanvallen: nietsvermoedende mensen worden via een bericht of een Google zoekresultaat naar een nepwebsite gestuurd, die hen vraagt om bijv. een scan van hun paspoort te uploaden en een selfie-filmpje te maken.</p><p>Beide stuurt de nepwebsite echter dóór naar een echte website, zoals van een bank, bijv. om een lening af te sluiten. De AitM neemt dat geld op, waarna het slachtoffer opdraait voor de schuld.</p><p>Een ESSENTIËLE voorwaarde voor betrouwbare authenticatie is dat je de VERIFIEERDER kunt vertrouwen.</p><p>Of dat zo is, weet je nooit zeker (ook offline niet). Het beste alternatief is dat je weet *WIE* de verifieerder is, en hoe betrouwbaar diens identiteit is vaatgesteld. Dat is, zonder meer, vervelend en prijzig voor eigenaren van websites waar klanten, burgers of patiënten risicovolle transacties doen en/of er vertrouwelijke gegevens mee uitwisselen - maar enorm in het belang van bezoekers van dergelijke websites.</p><p>Betrouwbare authenticatie van (de juridisch aansprakelijke) eigenaar van een website m.b.v. een website-certificaat vormt *technisch* geen enkel probleem (dit *hadden* we al, maar is met een smoes gesloopt door Google).</p><p>In gratis certificaten, bijvoorbeeld van Let's Encrypt (zoals gebruikt door de nepwebsites in onderstaand plaatje) staat uitsluitend een volstrekt anonieme domeinnaam; je hebt dus geen idee wie verantwoordelijk is voor de website.</p><p>Juist bij overheidswebsites is het essentieel dat je weet dat het écht om een overheidswebsite gaat - iets dat bij de in het plaatje getoonde domeinnamen (ik heb de punt door + vervangen), zoals:</p><p>• afhandelen-belasting+com<br>• aflossen-belastingdienst+com</p><p>beslist *niet* het geval is.</p><p>En in de echte <a href="https://www.ggn.nl/contact/phishing/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">ggn.nl/contact/phishing/</span><span class="invisible"></span></a> kunt u voorbeelden zien van domeinnamen van nepwebsites, zoals ook te zien in onderstaand plaatje.</p><p>Kennelijk lukt het niemand om dergelijke criminele websites uit de lucht te halen, terwijl de misdadigers er probleemloos Let's Encrypt certificaten voor *blijven* verkrijgen - naast dat de naar phishing stinkende domeinnamen zonder blikken of blozen worden verhuurd en nooit worden ingetrokken. Dit is simpelweg de SNELSTE en GOEDKOOPSTE oplossing voor eigenaren van websites; de *BEZOEKERS* van die websites draaien op voor alle risico's.</p><p>Het onderstaande plaatje is van een Russische server, maar dit soort phishing websites vind je ook bij de vleet op door criminelen gehuurde servers van Google, Amazon, Microsoft, Digital Ocean, Cloudflare en kleinere westerse hostingbedrijven.</p><p>Ben ik nou ÉCHT DE ÉNIGE die vindt dat deze gecriminaliseerde puinhoop keihard moet worden aangepakt?</p><p>Zie mijn uitgebreide reactie in <a href="https://security.nl/posting/876914" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/876914</span><span class="invisible"></span></a> (beginnend met eenvoudige uitleg wat een website-certificaat is).</p><p>Nb. naast certificaatuitgevers moeten ook browsers en het CA/B-forum op de schop. Doen we dit allemaal niet, dan wordt verder digitaliseren een gigantische puinhoop met steeds meer slachtoffers van identiteitsfraude.</p><p><a href="https://infosec.exchange/tags/DVcerts" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DVcerts</span></a> <a href="https://infosec.exchange/tags/ACME" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ACME</span></a> <a href="https://infosec.exchange/tags/LetsEncrypt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LetsEncrypt</span></a> <a href="https://infosec.exchange/tags/NepSites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NepSites</span></a> <a href="https://infosec.exchange/tags/NepWebSites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NepWebSites</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/Scams" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Scams</span></a> <a href="https://infosec.exchange/tags/IdentiteitsFraude" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IdentiteitsFraude</span></a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticatie</span></a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonatie</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/FakeWebSites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeWebSites</span></a> <a href="https://infosec.exchange/tags/AnoniemeWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AnoniemeWebsites</span></a> <a href="https://infosec.exchange/tags/AnonymousWebsites" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AnonymousWebsites</span></a> <a href="https://infosec.exchange/tags/OnlineAuthenticatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OnlineAuthenticatie</span></a> <a href="https://infosec.exchange/tags/LeeftijdVerificatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LeeftijdVerificatie</span></a> <a href="https://infosec.exchange/tags/OnlineLeeftijdVerificatie" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OnlineLeeftijdVerificatie</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/OnlineAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OnlineAuthentication</span></a> <a href="https://infosec.exchange/tags/AgeVerification" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AgeVerification</span></a> <a href="https://infosec.exchange/tags/OnlineAgeVerification" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OnlineAgeVerification</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Evilginx2</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@_r_netsec" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>_r_netsec</span></a></span> : Alex Weinert (Identity Security VP at Microsoft) already knew about this in 2019.</p><p>His recommendation: just keep using Microsoft Authenticator...</p><p><a href="https://infosec.exchange/tags/MicrosoftAuthenticator" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MicrosoftAuthenticator</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Evilginx2</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/NumberMatching" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NumberMatching</span></a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TOTP</span></a> <a href="https://infosec.exchange/tags/AuthenticatorApps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AuthenticatorApps</span></a> <a href="https://infosec.exchange/tags/MissingDomainNameCheck" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MissingDomainNameCheck</span></a> <a href="https://infosec.exchange/tags/WeakAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WeakAuthentication</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a></p>
Bill<p>A smart person looked at GitHub's auth and ouch.</p><p><a href="https://flatt.tech/research/posts/clone2leak-your-git-credentials-belong-to-us/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">flatt.tech/research/posts/clon</span><span class="invisible">e2leak-your-git-credentials-belong-to-us/</span></a></p><p><a href="https://infosec.exchange/tags/github" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>github</span></a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a></p>
LavX News<p>WebAuthn Without JavaScript: A Call for Simplicity in Authentication</p><p>As the digital landscape evolves, the need for secure yet user-friendly authentication methods is paramount. A recent proposal seeks to implement WebAuthn without the reliance on JavaScript, aiming to...</p><p><a href="https://news.lavx.hu/article/webauthn-without-javascript-a-call-for-simplicity-in-authentication" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.lavx.hu/article/webauthn-</span><span class="invisible">without-javascript-a-call-for-simplicity-in-authentication</span></a></p><p><a href="https://mastodon.cloud/tags/news" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>news</span></a> <a href="https://mastodon.cloud/tags/tech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>tech</span></a> <a href="https://mastodon.cloud/tags/WebAuthn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WebAuthn</span></a> <a href="https://mastodon.cloud/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://mastodon.cloud/tags/Privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Privacy</span></a></p>
Bill<p>Remember to update your passwords to "Winter2025!" for the year change! If you want to be really sneaky and fool the hackers, misspell winter. That always fools them. <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a></p>
James Bradbury<p>"‘Yes, I am a human’: bot detection is no longer working – and just wait until AI agents come along"</p><p><a href="https://theconversation.com/yes-i-am-a-human-bot-detection-is-no-longer-working-and-just-wait-until-ai-agents-come-along-246427" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">theconversation.com/yes-i-am-a</span><span class="invisible">-human-bot-detection-is-no-longer-working-and-just-wait-until-ai-agents-come-along-246427</span></a></p><p><a href="https://mastodon.social/tags/ai" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ai</span></a> <a href="https://mastodon.social/tags/bots" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bots</span></a> <a href="https://mastodon.social/tags/captcha" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>captcha</span></a> <a href="https://mastodon.social/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a></p>
xoron :verified:<p><a href="https://positive-intentions.com/blog/introducing-decentralized-chat" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">positive-intentions.com/blog/i</span><span class="invisible">ntroducing-decentralized-chat</span></a></p><p>id like to share some details about how my app works so you can discover/give me feedback on my app. id like to have wording in my app to say something like "most secure chat app in the world"... i probably cant do that because it doesnt qualify.</p><p>im not an expert on <a href="https://infosec.exchange/tags/cyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cyberSecurity</span></a>. im sure there are many gaps in my knowlege in this domain.</p><p>using <a href="https://infosec.exchange/tags/javascript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>javascript</span></a>, i initially created a fairly basic <a href="https://infosec.exchange/tags/chatApp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>chatApp</span></a> using using <a href="https://infosec.exchange/tags/peerjs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>peerjs</span></a> to create <a href="https://infosec.exchange/tags/encrypted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>encrypted</span></a> <a href="https://infosec.exchange/tags/webrtc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webrtc</span></a> <a href="https://infosec.exchange/tags/connections" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>connections</span></a>. this was then easily enhanced by exchanging additional <a href="https://infosec.exchange/tags/encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>encryption</span></a> <a href="https://infosec.exchange/tags/keys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>keys</span></a> from <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptography</span></a> functions built into browsers (<a href="https://infosec.exchange/tags/webcrypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webcrypto</span></a> api) to add a redundent layer of encryption. a <a href="https://infosec.exchange/tags/diffieHelman" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>diffieHelman</span></a> key <a href="https://infosec.exchange/tags/exchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>exchange</span></a> is done over <a href="https://infosec.exchange/tags/webrtc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webrtc</span></a> (which can be considered <a href="https://infosec.exchange/tags/secure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>secure</span></a> when exchanged over public channels) to create <a href="https://infosec.exchange/tags/serverless" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>serverless</span></a> <a href="https://infosec.exchange/tags/p2p" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>p2p</span></a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>authentication</span></a>.</p><p>- i sometimes recieve feedback like "javascript is inherently insecure". i disagree with this and have <a href="https://infosec.exchange/tags/openedSource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>openedSource</span></a> my <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptography</span></a> module. its basically a thin wrapper around vanilla cryptography functions of a <a href="https://infosec.exchange/tags/browser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>browser</span></a> (webcrypto api).</p><p>- another concern for my kind of app (<a href="https://infosec.exchange/tags/PWA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PWA</span></a>) is that the developer may introduce malicious code. this is an important point for which i open sourced the project and give instructions for <a href="https://infosec.exchange/tags/selfhosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>selfhosting</span></a>. selhosting this app has some unique features. unlike many other <a href="https://infosec.exchange/tags/selfhosted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>selfhosted</span></a> <a href="https://infosec.exchange/tags/projects" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>projects</span></a>, this app can be hosted on <a href="https://infosec.exchange/tags/githubPages" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>githubPages</span></a> (instructions are provided in the readme). im also working towards having better support for running the index.html directly without a static server.</p><p>- to prevent things like browser extensions, the app uses strict <a href="https://infosec.exchange/tags/CSP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CSP</span></a> headers to prevent <a href="https://infosec.exchange/tags/unauthorised" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>unauthorised</span></a> code from running. <a href="https://infosec.exchange/tags/selfhosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>selfhosting</span></a> users should take note of this when setting up their own instance.</p><p>- i received feedback the <a href="https://infosec.exchange/tags/Signal" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Signal</span></a>/#Simplex protocol is great. completely undertsandable and agree, but wonder if im reducing the <a href="https://infosec.exchange/tags/complexity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>complexity</span></a> by working with <a href="https://infosec.exchange/tags/webrtc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webrtc</span></a>. while it has its many flaws, i think risks can be reasonable mitigated if the <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptography</span></a> functions are implemented correctly. (all data out is <a href="https://infosec.exchange/tags/encrypted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>encrypted</span></a> and all data in is <a href="https://infosec.exchange/tags/decrypted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>decrypted</span></a> on-the-fly)</p><p>- the key detail that makes this approach unique, is because as a <a href="https://infosec.exchange/tags/webapp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>webapp</span></a>, unlike other solutions, users have a choice of using any <a href="https://infosec.exchange/tags/device" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>device</span></a>/#os/#browser. while a webapp can have nuanced <a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>vulnerabilities</span></a>, i think by <a href="https://infosec.exchange/tags/openSourcing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>openSourcing</span></a> and providing instructions for <a href="https://infosec.exchange/tags/selfhosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>selfhosting</span></a> and instructions to <a href="https://infosec.exchange/tags/build" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>build</span></a> for various <a href="https://infosec.exchange/tags/platforms" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>platforms</span></a>, it can provide a reasonable level of <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a>.</p><p>i think if i stick to the principle of avoiding using any kind of "required" service provider (myself included) and allowing the <a href="https://infosec.exchange/tags/frontend" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>frontend</span></a> and the peerjs-server to be <a href="https://infosec.exchange/tags/hosted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hosted</span></a> <a href="https://infosec.exchange/tags/independently" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>independently</span></a>, im on track for creating a <a href="https://infosec.exchange/tags/chatSystem" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>chatSystem</span></a> with the "fewest moving parts". i hope you will agree this is true <a href="https://infosec.exchange/tags/p2p" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>p2p</span></a> and i hope i can use this as a step towards true <a href="https://infosec.exchange/tags/privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>privacy</span></a> and <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a>. <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> might be further improved by using a trusted <a href="https://infosec.exchange/tags/VPN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VPN</span></a>.</p><p>while there are several similar apps out there like mine. i think mine is distinctly a different approach. so its hard to find <a href="https://infosec.exchange/tags/bestPractices" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bestPractices</span></a> for the functionalities i want to achieve. in particular <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> practices to use when using <a href="https://infosec.exchange/tags/p2p" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>p2p</span></a> technology.</p><p>(note: this app is an <a href="https://infosec.exchange/tags/unstable" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>unstable</span></a>, <a href="https://infosec.exchange/tags/experiment" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>experiment</span></a>, <a href="https://infosec.exchange/tags/proofOfConcept" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>proofOfConcept</span></a> and not ready to replace any other app or service. It's far from finished and provided for <a href="https://infosec.exchange/tags/testing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>testing</span></a> and <a href="https://infosec.exchange/tags/demo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>demo</span></a> purposes only. This post is to get <a href="https://infosec.exchange/tags/feedback" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>feedback</span></a> on the progress to determine if i'm going in the right direction for a secure chat app)</p>
Erik van Straten<p>Kirat Assi (<a href="https://www.bbc.com/news/articles/c20m3g1kdpvo?utm_source=press.coop" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bbc.com/news/articles/c20m3g1k</span><span class="invisible">dpvo?utm_source=press.coop</span></a>) is a perfectly normal human being; trust, honesty and authenticity are essential building blocks of our societies.</p><p>Unfortunately, online communication and the increasing use of AI make impersonation easier every day.</p><p>We can and should do more to create awareness about this (e.g. you're not impolite by demanding reliable proof of authenticity, online in particular), and more importantly, find ways to better conquer impersonation.</p><p><span class="h-card" translate="no"><a href="https://press.coop/@BBCNews" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>BBCNews</span></a></span> </p><p><a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Authenticity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticity</span></a> <a href="https://infosec.exchange/tags/Trust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Trust</span></a> <a href="https://infosec.exchange/tags/AbuseOfTrust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AbuseOfTrust</span></a></p>
Flipboard Tech Desk<p>Are passwords on the way out? Researchers are announcing two projects that will make passkeys easier for organizations to offer — and easier for everyone to use. Read more at <span class="h-card" translate="no"><a href="https://flipboard.com/@WIRED" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>WIRED</span></a></span>. <a href="https://flipboard.social/tags/Passwords" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passwords</span></a> <a href="https://flipboard.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://flipboard.social/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://flipboard.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a> <a href="https://flipboard.social/tags/Tech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Tech</span></a> <a href="https://flipboard.social/tags/Technology" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Technology</span></a> <a href="https://flip.it/l-yryY" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">flip.it/l-yryY</span><span class="invisible"></span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://eupolicy.social/@edri" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>edri</span></a></span> : apart from the privacy risks you describe, the internet is way to insecure for citizens to strongly authenticate online.</p><p>The reason is that internet users have no reliable means to distinguish between fake and authentic websites [1].</p><p>This makes AitM (Attacker in the Middle) attacks easy: the citizen is made to believe that they have to prove their minimum age (and probably more PII) on fake website F.</p><p>When they do that, software on F will forward their identity proofs to real website R and obtain a grant to access R.</p><p>If that grant is a webbased cookie or anything else that can be copied, it will be sold to children and people who want to remain anonymous - while using someone else's identity.</p><p>BTW, the same will happen to users of EDIW/EUDIW [2]. Credit cards and loans will carry their name while they won't receive even a Eurocent themselves, but likely they will have to pay "back".</p><p>From [0]: «Authentication mandates a trustworthy verifier. The first step to find out whether a verifier is trustworthy, is to know *who exactly* they are. A domain name simply does not suffice.»</p><p>[2] <a href="https://ec.europa.eu/digital-building-blocks/sites/display/EUDIGITALIDENTITYWALLET/Security+and+privacy" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">ec.europa.eu/digital-building-</span><span class="invisible">blocks/sites/display/EUDIGITALIDENTITYWALLET/Security+and+privacy</span></a><br>[1] <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a><br>[0] <a href="https://infosec.exchange/@ErikvanStraten/113138678307912960" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113138678307912960</span></a></p><p><span class="h-card" translate="no"><a href="https://respublicae.eu/@EU_Commission" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>EU_Commission</span></a></span> </p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/OnlineAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OnlineAuthentication</span></a> <a href="https://infosec.exchange/tags/WeakAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WeakAuthentication</span></a> <a href="https://infosec.exchange/tags/Verifier" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Verifier</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/Trust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Trust</span></a></p>
ExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload