Today I learned: While Firefox supports WebAuthn, it doesn't support the full spec.

When you require user verification, firefox will act like no FIDO2 key is attached and ask you to attach one.

This is a rather annoying bug. Chromium asks you to provide setup a PIN and if possible asks you for it.

Definitely needs some work before we can roll it out to the masses.

In order to secure your from the attack, you should keep all writable data on a volume that is mounted with `noexec`. Of course you should also make sure you have your setup up-to-date and check the current security best-practices for nextcloud.

Finally you should also make sure you have very regular backups of your data, don't consider synchronized data as backup.

You might don't want to stay around I'm sorry for the guys working there, but not only do they have to comply with this court rule which forces them to provide some information in plaintext to the police, it also shows the biggest problem with their system:

Nonstandardized proper end-to-end encryption.

Just use OpenPGP with a generated key *on your device* and a regular IMAP inbox.

sueddeutsche.de/digital/tutano

[Repost due to dead URL]

There was recently a lot of news about DNS over HTTPS. Some people say it's bad for privacy because it centralizes the DNS requests on Google, Cloudflare and Quad9.

Time to change that and run your own DNS over HTTPS server. I spend some time today in writing, documenting and arranging a small container setup to allow you to do this:

git.shivering-isles.com/contai

If you still use 7, you might want to keep in mind that it's end-of-life at 14th January 2020.

This means you are at latest with the begin of February in significant risk to become part of Botnet that might just attacks other people, but could also steal your data, fool your online banking and delete everything from your computer.

Please talk to your kids, parents, friends, whoever your local tech support is, for help in order to switch away from Windows 7.

Interesting Twitter Threads about "first start" browser communication:

: twitter.com/jonathansampson/st

: twitter.com/jonathansampson/st

: twitter.com/jonathansampson/st

Others: twitter.com/jonathansampson/st

It's amazing and concerning at the same time to see the amount of data that is transmitted by browsers nowadays. Keep in mind: None of those browser have been used. Just 20 minutes of idling.

This is a very great OIDC overview. If are about to implement an application, you should consider using this for your user backend.

If you are a user and want to know how "Sign-in with Google" or "Sign-in with Facebook" works, this is your chance.

youtube.com/watch?v=t18YB3xDfX

Quick blog post I worked on a few days ago and finally got released:

shivering-isles.com/Why-for-Ma

TL;DR: Due to 's current architecture for using TOFU would be to dangerous. But with Cross-signing up coming, things will get better.

I spend some time of my evening tinkering with my notebook's settings and a UEFI update. In order to make it easier for you, I wrote a little summary on how I did it and how maybe your next firmware update looks like:

shivering-isles.com/Updating-U

Make the makeup industry wonder about what happened to their customer base:

mullvad.net/en/blog/2016/12/14

Why not go and buy some nice nail polish tomorrow in order to make sure hardware temper proven?

TL;DR:

1. Put stickers on the screw of your notebook
2. Mark them out with nail polish
3. Take high-respolution pictures of the setup
4. Verify changes over time
5. Refresh before entering potential temper situations

Realy great article about Hardware security tokens:

paulstamatiou.com/getting-star

It contains a ton of information for people who want to learn a bit about modern security tools :)

Some "lessons learned" from the whole disaster:

1. Revoke keys when you notice the private key was compromised
2. Use HSMs to prevent private keys from getting compromised
3. Inform your customers about breaches
4. Do proper audit logging of your systems' user accounts
5. Use your own OS images, when installing machines
6. Run an IDS to get informed when your production systems act unusual
7. Spend more money on infrastructure security, less on marketing it

If you look for a hardening guide for your linux system, I can recommend "The practical linux hardening Guide" by trimstray.

trimstray.github.io/the-practi

Why?

1. It's based on SCAP policies.
2. It uses standards
3. It provides you with references and rationals, not just actions

This will allow you to consider whenever or not you should apply this configuration to your setup.

Ouch There are good reasons why you want to keep data within your infrastructure.

Every thirdparty can leak your data and then you have to clean the mess with your customers:

twitter.com/troyhunt/status/11

Example: Hosted was breached Hello fancy companies who have to tell me my data were exposed?

I wonder how many companies now bother to inform their customers.

So the Comodo forum was breached due to the vBulletin vulnerability that goes around recently.

They started their statement with:
At Comodo we take security very seriously and it is our highest priority.

I imagine the conversation like this: "We screwed up, " *lawyer checks the text* "We can't write this, we would make us liable in some way for this problem"

Why does our legal system (create the illusion to) punish those who tell the truth?

Mhm, I just decided to disable in my setup, but I neither consider it usable, nor safe to use.

Background:
1. I have no idea where the keys reside (and therefore how to make proper backups)
2. It turns of all indicators for signed and/or encrypted emails that enigmail provides, off and states that there is a recipient rule (which isn't shown in the UI)
3. I don't think people care enough about their autocrypt keys.

Reference:
autocrypt.org

To be honest, the way of using `use-application-dns.net` being blocked by **unauthenticated**, regular DNS servers is the worst idea one could come up with.

It makes it trivial to perform a downgrade attack on any network and makes a lot of the promises DoH by default provides useless.

There are good reasons why we don't allow downgrades on other protocols, so why suddenly on HTTP?

The answer is as always "we don't want to break [wrongly setup] things".

And also a follow up on my traefik story, where an upgrade of the go version dropped the defaults for TLS connections down to SSLv3, instead of TLS1.0.

The wonderful team around traefik solved the problem and released a new version within 2 days:

github.com/containous/traefik/

That's how things should work!

Little follow up on my earlier statement about Desktop and the `--no-sandbox` argument they force on linux now.

I didn't just made noise on my social media but of course also (tried to) work with the upstream project. Sadly it seems like they don't care:

github.com/signalapp/Signal-De

5 work days and no one even had a look at it. Great Maybe I should write a PR this weekend in hope it gets more attention.

Seriously, verify your systems after an update. Only continuous monitoring of security features will make sure you don't expose people to insecure systems over time.

github.com/containous/traefik/

This morning I had to notice that my traefik setup decided to downgrade its defaults to SSLv3 due to a bug in the go TLS library.

So yeah, if you run anything server-side that provides TLS and is build with go 1.12.x you might want to verify it.

Show more

Sheogorath 's choices:

Sheogorath's Microblog

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!