So, I admit it's a step above what I can quite clearly see the details of, but it seems to me that you need to store the salt client-side to log in?
If that's the case doesn't one effectively need a fob to use at more than one computer?
So we're already at the global peak of non fossil fuels?
https://data.worldbank.org/ind...
It wasn't new and shiny. It was cheap.
It was known to be inferior, but thought to be good enough (it wasn't).
Yeah, because when you think you're logging in, and then your phone asks if you're logging in, you'll never click that you're logging in, good call.
Or maybe actually it offers no extra protection for this type of attack.
Why won't this concept work with the authenticator?
A big flaw with authenticators, even separate ones is that they are vulnerable to dummy sites.
How does dnssec prevent this? The person is already at a false domain.
Sure,
But if someone can get a fake cert, anything goes.
I agree that it'd be nice if there were key storage like ssh too; it would close the fake cert option for sites one visits, but the key itself is as safe as accurately typing the domain name as far as preventing MITM goes.
No.
They intercept the login, and then MITM it.
They pass on the username and password to Google, and then Google sends them a text.
They then enter the text on the fake screen (or do a one tap, or I assume they can even work with the authenticators).
This is why U2F is important, without getting a compromised registrar it can't be MITMed.
Aside from security or DoS prevention, do sites really add firewall rules and drop packets?
Seems odd.
Yeah, voting for people that don't want to represent me, a winning strategy.
Do those services throttle their packets to some places and not others?
People definitely believe this.
They don't believe a natural monopoly can exist, and they believe that the market is perfect, and if companies abuse their monopoly position some other company will magically run wires everywhere.
They believe that 2 companies running wires everywhere and competing down to zero margin is going to lead to lower costs than one company running them everywhere and having a large margin, because magic of competition.
I hope that 5G means there can be some actual competition, at least in some denser areas, but I'm skeptical it will live up to all that hype.
It'd be great if individuals gave a flying fuck about me.
But they don't.
I live in a city that votes 80% Democrat, and it leads to corruption (I'm a Democrat, but I can see the corruption that a single party breeds).
You'd think that in a place like this, where the Greens have both a chance of winning and zero chance of spoiling the election for liberals, they would field a candidate.
But no, they choose not to, instead to focus on elections where they have zero chance of winning and a small chance of spoiling.
This goes for independents that represent my interests too, though in the Northeast independents seem to have figured out they can run.
So I'm left with voting for individuals from two specific parties.
So this would be blocked if PayPal allowed non-SMS 2FA to send money? (Similar to any bitcoin or brokerage account I've used.)
A nuisance I would likely leave off, since PayPal is about being convenient and I'm pretty sure they'd roll it back (and if not them, my credit card company would), but they really should have the option to secure it if one wants to.
If they allowed 2FA (not SMS) for all unreliable vendors and person to person transfer that'd probably be a nice compromise.
Having SMS only for 2FA is a big issue though, since it allows an app to do the 2FA without the user intervening at all.
I thought FIDO was un-MITMable (not quite sure how, but that's their premise).
You need the system itself to have a direct channel to the key (and that to actually be secure), and then the key sends a response.
So basically PayPal sends challenge that goes directly to the key, key sends response directly to PayPal. Malicious app (or website) cannot get in the center of this, because, I don't know, reasons I guess.
I suspect that there is a public key for the destination that is published somehow and therefore the response can't be intercepted. Similarly the challenge can be signed so that it is verified from coming from the correct source.
I guess if it's mimicking clicks using an authenticator app doesn't help.
It looks like to spoof U2F, at the very least they'd need to compromise a cert authority. That seems like it would prevent SMS hijacking and the vast majority of MITM.
https://security.stackexchange...
I'd think that SMS as the only 2FA option is a problem with PayPal.
There have been multiple reports of SMS hijacking (usually with social engineering at a phone company) leading to theft.
Sure, "Retrieve Window Content" likely invalidates most other 2FA on the same phone, but I suspect that FIDO U2F would be immune from this type of attack. Or a Google Authenticator keyboard similar to what Password Safe does.
SMS is almost certainly not secure, and as we see here, it really doesn't even protect from an automated attack.
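The thread above argues that a phishing page can relay a username, password and SMS code to the real site in real time, but cannot relay a U2F assertion because the browser binds the assertion to the origin it is actually talking to. The following is an added simulation of both flows, not code from any commenter or from PayPal. The origins `https://www.paypal.com` and `https://www.paypa1.com` are assumed and constructed for the example, and the HMAC "signature" is a stand-in for the ECDSA P-256 signature a real U2F key produces; the origin/appId binding, the signed client data and the counter check follow the protocol's shape, the cryptography does not.

```python
"""Phishing relay against SMS codes versus U2F: added example, stdlib only."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://www.paypal.com"    # assumed relying-party origin
PHISH_ORIGIN = "https://www.paypa1.com"   # constructed look-alike domain


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Stand-in for a U2F key: one master secret, a distinct key per appId."""

    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)
        self.counter = 0

    def app_key(self, app_id: str) -> bytes:
        # A real key wraps a per-app ECDSA private key in the key handle; a
        # per-app HMAC key gives the same "different app, different key" effect.
        return hmac.new(self.master, b"u2f-app|" + app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        # Handed to the RP at enrollment; plays the role of the public key here.
        return self.app_key(app_id)

    def sign(self, app_id: str, client_data: bytes) -> tuple[int, bytes]:
        self.counter += 1
        msg = sha256(app_id.encode()) + self.counter.to_bytes(4, "big") + sha256(client_data)
        return self.counter, hmac.new(self.app_key(app_id), msg, hashlib.sha256).digest()


def browser_get_assertion(auth: Authenticator, page_origin: str, challenge: str) -> tuple[bytes, int, bytes]:
    """The browser, not the page, writes the origin it is talking to into the
    client data and only accepts an appId that matches that origin."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    counter, sig = auth.sign(page_origin, client_data)
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys: dict[str, bytes] = {}
        self.last_counter: dict[str, int] = {}
        self.pending: dict[str, str] = {}

    def enroll(self, user: str, auth: Authenticator) -> None:
        self.keys[user] = auth.register(self.origin)
        self.last_counter[user] = 0

    def challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def verify(self, user: str, client_data: bytes, counter: int, sig: bytes) -> bool:
        expected = self.pending.pop(user, None)
        cd = json.loads(client_data)
        # A relayed assertion carries the phishing page's origin, so this fails
        # before the signature is even checked.
        if expected is None or cd.get("challenge") != expected or cd.get("origin") != self.origin:
            return False
        if counter <= self.last_counter[user]:      # replay / cloned-key check
            return False
        msg = sha256(self.origin.encode()) + counter.to_bytes(4, "big") + sha256(client_data)
        ok = hmac.compare_digest(hmac.new(self.keys[user], msg, hashlib.sha256).digest(), sig)
        if ok:
            self.last_counter[user] = counter
        return ok


def legit_login() -> bool:
    auth, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.enroll("alice", auth)
    return rp.verify("alice", *browser_get_assertion(auth, REAL_ORIGIN, rp.challenge("alice")))


def phishing_relay_u2f() -> bool:
    """Attacker proxies the real login from a look-alike domain and relays the
    challenge to the victim and the victim's assertion back, in real time."""
    auth, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.enroll("alice", auth)
    chal = rp.challenge("alice")                                # fetched from the real site
    relayed = browser_get_assertion(auth, PHISH_ORIGIN, chal)   # victim's browser is on the fake site
    return rp.verify("alice", *relayed)                         # forwarded verbatim; rejected


def phishing_relay_sms() -> bool:
    """Same relay against an SMS code: the code is plain text with nothing
    binding it to the site the victim typed it into, so forwarding works."""
    code_sent_by_real_site = "".join(secrets.choice("0123456789") for _ in range(6))
    code_typed_into_fake_site = code_sent_by_real_site     # victim reads the real SMS
    return hmac.compare_digest(code_typed_into_fake_site, code_sent_by_real_site)
```

`legit_login()` succeeds, `phishing_relay_sms()` succeeds for the attacker, and `phishing_relay_u2f()` fails: the origin in the signed client data is the phishing domain and the key used is the one derived for that domain, so neither the origin check nor the signature check passes at the real relying party. What a real browser adds on top of this toy is the check that the appId the page asks for belongs to the page's origin, which is why the attacker cannot simply ask the key to sign for `https://www.paypal.com` from `https://www.paypa1.com`.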
Exactly,
The IOC shouldn't have sports that are controlled the way they do, but by a different company.
I agree, if eSports are to be an Olympic event, there needs to be some F/OSS software game that the Olympic committee maintains and tweaks the rules to.
It seems wrong to have a specific company's trademarks involved in the actual event, and it also likely puts them at the mercy of a third party on whether they're even allowed to broadcast events and whatnot.
That's not true.
Outside a court of law hearsay and even double hearsay is pretty acceptable.
Can people control their eye dilation like that?
Are you pulling non-Unix specifically to describe all *nix?
BSD...
Wasn't most commercial unix binary only for most of its history?
Linux backwards compatibility with closed source apps has bitten me twice.
The 64-bit transition and a glibc update back when Bungie was making Linux software.
I suspect that if it works they'll try to develop a once-monthly patch.
Isn't that effectively what they did?
Gave hints on where to go, and then let trial and error create a better player?