Post AzV8zX2wYFinUhn3cO by filippo@abyssdomain.expert
 (DIR) Post #AzV8zX2wYFinUhn3cO by filippo@abyssdomain.expert
       2025-10-23T12:34:24Z
       
       0 likes, 0 repeats
       
       Serious take: the solution to Safe Browsing false positives like the Immich one is passkeys. Phishing regularly upends people's lives. The Safe Browsing cat-and-mouse with all its opaque false positives will be necessary until we roll out phishing-resistant auth.
       
 (DIR) Post #AzV8zYJdpeflQmbuHg by whitequark@mastodon.social
       2025-10-23T12:39:53Z
       
       1 likes, 0 repeats
       
       @filippo I'm sure you know this already, but I really wish the messaging around passkeys was less... bullshit. I've been a happy user for many months and have zero qualms (other than "the outdated version of Android I self-sign doesn't do them cross-app", but this one is a rather self-inflicted problem), whereas basically everyone I engage in a dialogue with thinks passkeys are something they're not, and something they're certain they can't use even if they wanted to.
       
 (DIR) Post #AzV8zZri4TWCEjYd1c by wolf480pl@mstdn.io
       2025-10-23T12:57:41Z
       
       0 likes, 0 repeats
       
       @whitequark @filippo IMO the messaging around passkeys gives off very strong vendor lock-in vibes.
       
 (DIR) Post #AzV9Bu2QtW3EHERyoC by whitequark@mastodon.social
       2025-10-23T12:59:55Z
       
       0 likes, 0 repeats
       
       @wolf480pl @filippo it would seem so; my conclusion is that's probably less "intentional" and more because "the vendors in question haven't been taxed properly in forever, sit on giant piles of rent cash, and forgot how to do anything but rent-seeking institutionally"
       
 (DIR) Post #AzVEQlwrkncdIkkwXg by filippo@abyssdomain.expert
       2025-10-23T13:58:37Z
       
       0 likes, 0 repeats
       
       @wolf480pl @whitequark to this day I do not understand the lock-in argument: just register two passkeys if you're worried! Or do a password/passkey reset if you lose access. These are both not super user friendly options, but neither is exporting passwords from a password manager?
       
 (DIR) Post #AzVFRGN2kEQNbmnYBs by wolf480pl@mstdn.io
       2025-10-23T14:09:56Z
       
       0 likes, 0 repeats
       
       @untitaker @filippo @whitequark Doesn't the import/export work only between instances of the same app, with some cryptographic handshake between them?
       
 (DIR) Post #AzVFyyCKohhT5nrVfE by whitequark@mastodon.social
       2025-10-23T14:02:58Z
       
       0 likes, 0 repeats
       
       @filippo @wolf480pl IMO the lock-in argument is wrong because you can "simply use KeePassXC", which is what I've been doing for 15 years now. I didn't want Google to have my passwords and it doesn't; I don't want it to have my passkeys (certainly not after a Google Authenticator update fucking _erased all of the TOTP codes_; how this passed any QA is beyond me) and it doesn't.
       
 (DIR) Post #AzVFyzXznecZHH0K48 by wolf480pl@mstdn.io
       2025-10-23T14:16:00Z
       
       0 likes, 0 repeats
       
       @whitequark @filippo what if passage but for passkeys?
       
 (DIR) Post #AzVNQ6Q13mK05Q98HA by wolf480pl@mstdn.io
       2025-10-23T15:39:23Z
       
       0 likes, 0 repeats
       
       @untitaker @filippo I think in the long run it'd be nice if all those websites could provide a standardized API so that you could rotate your passwords / passkeys / etc. on all websites from within your password manager. That could then also be used to migrate to a different password manager. But until then, I agree export is the only viable option. @whitequark mentioned KeePass has that, so there's one option at least.
       
 (DIR) Post #AzVfuDaEmfVoAcRAAa by filippo@abyssdomain.expert
       2025-10-23T16:56:36Z
       
       0 likes, 0 repeats
       
       @untitaker @wolf480pl @whitequark serious question: how many users do you think ever bulk exported passwords from a password manager, as a proportion of all users that ever used a password? IMHO, bulk export is a niche use case, and per-site migration is solved by "add another passkey" or "reset flow".
       
 (DIR) Post #AzVfuEyNcOPyTmjxRI by whitequark@mastodon.social
       2025-10-23T16:58:05Z
       
       1 likes, 0 repeats
       
       @filippo @untitaker @wolf480pl I disagree that this is a valid way to judge the feature. "Bulk export" is primarily an _emergency_ feature: used only when the vendor of the password manager is, or is close to becoming, untrustworthy. Saying "well, only 0.0x% of users ever used Google Takeout, so it is a niche feature, and anyway you should go and download every one of your documents one by one in that case" is missing the point.
       
 (DIR) Post #AzViTEe11zZzVL1tKb by wolf480pl@mstdn.io
       2025-10-23T19:35:15Z
       
       0 likes, 0 repeats
       
       @growse @whitequark @filippo @untitaker You can only choose an implementation if it's impossible for the relying party to figure out which implementation you chose. As soon as the RP can see what implementation you're choosing, they can force you to choose a particular one that aligns with their threat model or their economic interest.
       
 (DIR) Post #AzWj2U280AU0Wf4jzM by wolf480pl@mstdn.io
       2025-10-24T07:16:21Z
       
       0 likes, 0 repeats
       
       @filippo how do you do per-site migration on 200+ websites at once? @untitaker @whitequark