Veganism Social

Erik van Straten<a href="https://infosec.exchange/@relishthecracker" class="u-url mention" rel="nofollow noopener" target="_blank">@relishthecracker</a> : that's make belief."Wow, asymmetric encryption, even quantum-computer-proof", "military-grade", etcetera.Right after logging in using a passkey with an unbreakably protected private key, the website sends a session cookie (or similar) to the browser - which is NOT protected like private keys. If a website (like most of them) does not log you out if your IP-address changes, such a cookie is nearly as bad as a password. And fully if the cookie never expires.Therefore:1️⃣ Even if attackers cannot copy private keys: if the user device is sufficiently compromised (i.e. on Android, running an accessibility service), they can take over all of the user's accounts;2️⃣ If the user's browser is compromised, attackers can copy session cookies and use them to obtain access to accounts the user logs in to;3️⃣ An AitM (Attacker in the Middle) using a malicious website can copy/steal authentication cookies. Such AitM-attacks are possible in at least the following cases if either:• A malicious third party website manages to obtain a fraudulently issued certificate (examples: <a href="https://infosec.exchange/@ErikvanStraten/112914050216821746" rel="nofollow noopener" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/112914050216821746</a>);• An attacker obtains unauthorised write access to the website's DNS record;• An attacker manages to obtain access to a server where a "dangling" (forgotten) subdomain name points to, *AND* the real authenticating server (RP) does not carefully check for allowed subdomains (see <a href="https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580" rel="nofollow noopener" translate="no" target="_blank">https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580</a>);4️⃣ The server is compromised or has a rogue admin: the attacker can add their passkey's public key to your account, or replace your public key with theirs (note that passkey pubkeys are not encapsulated by certificates issued by trusted issuers, stating who owns the public key).Phishing using fake websites is probably the number one problem on the internet. *THE* major advantage of passkeys is that they make phishing attacks VERY HARD.Indeed, if your device is sufficiently compromised, the risk of all of your passwords being stolen if you use a password manager is BIG.However, as I wrote, if your device is sufficiently compromised, an attacker does not need access to your private keys in order to obtain access to your accounts.<a href="https://sigmoid.social/@oliversampson" class="u-url mention" rel="nofollow noopener" target="_blank">@oliversampson</a> <a href="https://cathode.church/@kaye" class="u-url mention" rel="nofollow noopener" target="_blank">@kaye</a> <a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a> <a href="https://infosec.exchange/tags/PasswordManagers" class="mention hashtag" rel="nofollow noopener" target="_blank">#PasswordManagers</a> <a href="https://infosec.exchange/tags/DomainNames" class="mention hashtag" rel="nofollow noopener" target="_blank">#DomainNames</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/Cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cryptography</a> <a href="https://infosec.exchange/tags/MilitaryGrade" class="mention hashtag" rel="nofollow noopener" target="_blank">#MilitaryGrade</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Impersonation</a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#FakeWebsites</a> <a href="https://infosec.exchange/tags/ATO" class="mention hashtag" rel="nofollow noopener" target="_blank">#ATO</a> <a href="https://infosec.exchange/tags/AccountTakeOver" class="mention hashtag" rel="nofollow noopener" target="_blank">#AccountTakeOver</a> <a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passwords</a> <a href="https://infosec.exchange/tags/SharedSecrets" class="mention hashtag" rel="nofollow noopener" target="_blank">#SharedSecrets</a> <a href="https://infosec.exchange/tags/AsymmetricCryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsymmetricCryptography</a> <a href="https://infosec.exchange/tags/SubDomains" class="mention hashtag" rel="nofollow noopener" target="_blank">#SubDomains</a> <a href="https://infosec.exchange/tags/DanglingSubDomains" class="mention hashtag" rel="nofollow noopener" target="_blank">#DanglingSubDomains</a>

Erik van Straten<a href="https://sigmoid.social/@oliversampson" class="u-url mention" rel="nofollow noopener" target="_blank">@oliversampson</a> <a href="https://cathode.church/@kaye" class="u-url mention" rel="nofollow noopener" target="_blank">@kaye</a> Primary passkeys advantage: • With some uncommon exceptions, you cannot (be persuaded to) log in to a phishing website with a (slightly) different domain name *USING A PASSKEY* (see below) - because software (not you) checks the domain name.Some passkeys disadvantages: • Typically you yourself do not have access to each passkey's private key (*)(usually you can't back them up/export them). Risks: vendor lock-in and losing access to accounts.• Because there's a risk of losing access to passkeys and thus to accounts, usually accounts can also be accessed using a rescue code - which renders them phishable again.• Implementation errors (both Apple and Android suffered from them, and probably still do - I did not check today).(*) For each new passkey, your device generates a unique complementary keypair. The public key is stored in your account on the server and is used to verify that your device has access to the complementary private key, which is kept secret. However, even if attackers do not have access to your private key(s), there are other ways for them to obtain access your account(s).A reasonable alternative to passkeys is using a password manager that "integrates" with the browser to verify the domain name of the site you're logging in to. Android and iOS "Autofill" provide such a bridge between password managers and browsers (without requiring browser plug-ins).<a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a> <a href="https://infosec.exchange/tags/PasswordManagers" class="mention hashtag" rel="nofollow noopener" target="_blank">#PasswordManagers</a> <a href="https://infosec.exchange/tags/DomainNames" class="mention hashtag" rel="nofollow noopener" target="_blank">#DomainNames</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a>

Ugh! What a Day!We're looking at options for password managers, can anyone recommend one that is good for security and privacy please?We've been using KeePass for years and are a little allergic to cloud solutions but would be really interested to hear if there's one that we can confidently recommend to clients.Anything from Google and Apple have already been ruled out!For cloud based solutions, the servers must be either in the UK or EU.<a href="https://mastodon.social/tags/passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#passwords</a> <a href="https://mastodon.social/tags/passwordmanagers" class="mention hashtag" rel="nofollow noopener" target="_blank">#passwordmanagers</a> <a href="https://mastodon.social/tags/passwordmanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#passwordmanagement</a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a>

Kevin Karhan :verified:<a href="https://mk.absturztau.be/@Linux" class="u-url mention" rel="nofollow noopener" target="_blank">@Linux</a> there are 3 big options you forgot that I know of which too ain't under <a href="https://infosec.space/tags/Cloudact" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cloudact</a> aka. have no subsidiary/office/parent company in the <a href="https://infosec.space/tags/USA" class="mention hashtag" rel="nofollow noopener" target="_blank">#USA</a>: <ul><li><a href="https://monocles.social/@monocles" class="u-url mention" rel="nofollow noopener" target="_blank">@monocles</a> (email, messaging, managed <a href="https://infosec.space/tags/nextcloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#nextcloud</a> hosting)</li><li><a href="https://mstdn.social/@Stuxhost" class="u-url mention" rel="nofollow noopener" target="_blank">@Stuxhost</a> (eMail & <a href="https://mastodon.xyz/@nextcloud" class="u-url mention" rel="nofollow noopener" target="_blank">@nextcloud</a> )</li><li><a href="https://social.nitrokey.com/@nitrokey" class="u-url mention" rel="nofollow noopener" target="_blank">@nitrokey</a> (a better alternative to <a href="https://infosec.exchange/@yubico" class="u-url mention" rel="nofollow noopener" target="_blank">@yubico</a> / <a href="https://infosec.space/tags/Yubikey" class="mention hashtag" rel="nofollow noopener" target="_blank">#Yubikey</a>) </li></ul>And for <a href="https://infosec.space/tags/PasswordManagers" class="mention hashtag" rel="nofollow noopener" target="_blank">#PasswordManagers</a>, there's also <a href="https://infosec.space/tags/Enpass" class="mention hashtag" rel="nofollow noopener" target="_blank">#Enpass</a> for those that don't like <a href="https://infosec.space/tags/KeePassXC" class="mention hashtag" rel="nofollow noopener" target="_blank">#KeePassXC</a> / <a href="https://infosec.space/tags/KeepPassDX" class="mention hashtag" rel="nofollow noopener" target="_blank">#KeepPassDX</a> / <a href="https://infosec.space/tags/KeePass" class="mention hashtag" rel="nofollow noopener" target="_blank">#KeePass</a> and for organizations there's even <a href="https://infosec.space/tags/Passbolt" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passbolt</a> as a centrally manageable solution. All of these allow <a href="https://infosec.space/tags/SelfCustody" class="mention hashtag" rel="nofollow noopener" target="_blank">#SelfCustody</a> & <a href="https://infosec.space/tags/SelfHosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#SelfHosting</a> on-premise.

Micah Ilbery :sloth_coffee:The bitwarden android app is great, the browser extension is fine for the most part, but the desktop client is such an awful experience. It honestly makes me want to move to something like keepass where I can get a native client no matter the platform. But keeping keepass synced across devices I've heard is not a great experience as it wasn't designed with synchronization in mind. I wish there were more 3rd-party bitwarden clients for every platform because with mobile I'm pretty happy but on my laptop it's super frustrating. <a href="https://slothsneed.coffee/tags/selfhosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#SelfHosting</a> <a href="https://slothsneed.coffee/tags/bitwarden" class="mention hashtag" rel="nofollow noopener" target="_blank">#Bitwarden</a> <a href="https://slothsneed.coffee/tags/vaultwarden" class="mention hashtag" rel="nofollow noopener" target="_blank">#Vaultwarden</a> <a href="https://slothsneed.coffee/tags/android" class="mention hashtag" rel="nofollow noopener" target="_blank">#Android</a> <a href="https://slothsneed.coffee/tags/gnome" class="mention hashtag" rel="nofollow noopener" target="_blank">#GNOME</a> <a href="https://slothsneed.coffee/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#Linux</a> <a href="https://slothsneed.coffee/tags/keepass" class="mention hashtag" rel="nofollow noopener" target="_blank">#KeePass</a> <a href="https://slothsneed.coffee/tags/passwordmanagers" class="mention hashtag" rel="nofollow noopener" target="_blank">#PasswordManagers</a>

TutaThe <a href="https://mastodon.social/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#Security</a> <a href="https://mastodon.social/tags/Trinity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Trinity</a> - spotted at <a href="https://fosstodon.org/@bitwarden" class="u-url mention" rel="nofollow noopener" target="_blank">@bitwarden</a> explains how to secure your accounts with 2FA:👉 <a href="https://bitwarden.com/resources/presentations/the-triangle-of-security-success/" rel="nofollow noopener" translate="no" target="_blank">https://bitwarden.com/resources/presentations/the-triangle-of-security-success/</a>And rightly so: Because <a href="https://mastodon.social/tags/encrypted" class="mention hashtag" rel="nofollow noopener" target="_blank">#encrypted</a> email get even more secure with <a href="https://mastodon.social/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> and <a href="https://mastodon.social/tags/passwordmanagers" class="mention hashtag" rel="nofollow noopener" target="_blank">#passwordmanagers</a> 💪Check out our top 3: <a href="https://tuta.com/blog/best-password-manager" rel="nofollow noopener" translate="no" target="_blank">https://tuta.com/blog/best-password-manager</a>

Recent searches

Search options

Administered by:

Server stats:

#passwordmanagers