Posts by tga@mastodon.xyz
Post #3279709 by tga@mastodon.xyz
2019-01-23T07:40:57Z
0 likes, 0 repeats
@kaniini You do of course realize that leaked certs don't provide worse security than no cert... Right now, RCE on the most popular Linux distributions at public networks around the world is a simple mitmproxy away. This has happened repeatedly, and every time infosec says the same thing: TLS would have made this attack too expensive for 99% of attackers. All we ever hear back is inane comments like "it's just this once" or "we verify the signatures, it doesn't really matter".
Post #3279840 by tga@mastodon.xyz
2019-01-23T07:48:34Z
0 likes, 0 repeats
@kaniini Once again, TLS would have stopped 99% of attackers, and stops them in the future. Who knows who else found this before it was disclosed? There will never be no security bugs. Nobody is going to stop looking for bugs. Just like nobody stopped looking for bugs in any other program that switched to TLS.
Post #3279943 by tga@mastodon.xyz
2019-01-23T07:53:49Z
0 likes, 0 repeats
@kaniini And in the process, stop countless abusive spouses, stalkers, and bosses from installing spyware on computers all over the world. But no, if it doesn't stop a state adversary, of course it serves no purpose in your self-absorbed thought experiment.
Post #3279989 by tga@mastodon.xyz
2019-01-23T07:55:46Z
0 likes, 0 repeats
@kaniini It literally does in this case. I don't think you understand how hard it is to exploit a CA, versus how trivial this attack is.
Post #3280114 by tga@mastodon.xyz
2019-01-23T08:00:50Z
0 likes, 0 repeats
@kaniini One of my coworkers has a stalker. You think this is outside of their threat model?
Post #3280129 by tga@mastodon.xyz
2019-01-23T08:02:22Z
0 likes, 0 repeats
@kaniini My boss does not have physical access to my machine, and abusive spouses often do not live together. It's almost like you've never thought about these threat models.
Post #3280350 by tga@mastodon.xyz
2019-01-23T08:11:17Z
0 likes, 0 repeats
@kaniini I work in a security research lab, phishing isn't going to work, since this coworker, as you put it, won't "click on shit they don't know". The stalker does not have physical access, as is, once again, extremely common in these situations. In any case, you clearly know you're wrong about this, and are just arguing to save face at this point, so enjoy your haxord by teh pentag0n fantasies.
Post #9loFm1AXh7WWYKpqeO by tga@mastodon.xyz
2019-08-12T05:25:49Z
3 likes, 0 repeats
@szbalint By that reasoning, Tor Browser, and even Firefox with anti-fingerprinting mode enabled, are also "acting in bad faith".
Post #9loFm1dxvj3k1abLVo by tga@mastodon.xyz
2019-08-12T05:43:59Z
2 likes, 0 repeats
@szbalint Tor Browser and Firefox with anti-fingerprinting enabled spoof their user agent to reduce the ability of the server to run fingerprinting code on said user agent (e.g., they identify the OS as Windows, and decrease the version to the last ESR). The user doesn't opt in, and many servers try to identify the user agent anyway using other avenues (e.g., TCP stack config). Some sites, like the NYT, will disable the site if they detect this behavior, because ads.
Post #9loFm2Gbc3y3xQgCjw by tga@mastodon.xyz
2019-08-12T05:57:59Z
0 likes, 0 repeats
@szbalint Your point was that mastalab was somehow acting in bad faith by using a user agent that let their users access the content they wanted, because it circumvented server-side blocks. I agree that the creators have made some disappointing decisions lately, but acting like spoofing a user agent is some nefarious ploy is a disingenuous description of a fairly standard practice.