Miscellaneous Tech News
-
-
@scottalanmiller said in Miscellaneous Tech News:
So you have HTTP, you DNS hijack, then you present a fake OAUTH or similar. I guess that makes sense.
Or even something "benign" like cryptomining. While not actively stealing credentials it can be an issue. Also using JS for keylogging, etc. The upstream JS stuff is more CSP but they all tie together.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?
Exactly, that's my feeling. If I don't have an account somewhere, and the site is not one that would have a purpose for logging into it, it seems far fetched that people will log in anyway. Even "legit" sites would use that for data harvesting if that was really how people behaved.
But I see his point of present a central OAUTH and people might actually do that stupid thing.
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?
Exactly, that's my feeling. If I don't have an account somewhere, and the site is not one that would have a purpose for logging into it, it seems far fetched that people will log in anyway. Even "legit" sites would use that for data harvesting if that was really how people behaved.
But I see his point of present a central OAUTH and people might actually do that stupid thing.
I had a user who actually made a Firefox account on first day after she logged in and opened got that 'you need a firefox account' page that mozilla sends people to.
-
@obsolesce said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.
Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.
No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.
It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?
You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.
You're saying they will sign in, just automatically, without having any reason or clue what the site is about?
No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.
blurred for obvious reasons.
Yeah that i can agree with 100%.
But even using https doesn't protect against that. Http or https... it doesn't matter, if someone's DNS is hijacked, they get the non-https warning in Chrome, and then they are presented with that fake oauth thing, they'll still log in.
-
@obsolesce said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.
Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.
No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.
It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?
You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.
You're saying they will sign in, just automatically, without having any reason or clue what the site is about?
No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.
blurred for obvious reasons.
Yeah that i can agree with 100%.
But even using https doesn't protect against that. Http or https... it doesn't matter, if someone's DNS is hijacked, they get the non-https warning in Chrome, and then they are presented with that fake oauth thing, they'll still log in.
Correct. You need HSTS as well. And even then, it's only partial protection.
-
One could argue that having HTTPS in this authoritative way from Google is meant to produce fake "warm and fuzzies" that make people stop paying attention and assume all is well and ignore risks that might still be there.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.
Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.
No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.
It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?
You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.
You're saying they will sign in, just automatically, without having any reason or clue what the site is about?
No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.
blurred for obvious reasons.
Yeah that i can agree with 100%.
But even using https doesn't protect against that. Http or https... it doesn't matter, if someone's DNS is hijacked, they get the non-https warning in Chrome, and then they are presented with that fake oauth thing, they'll still log in.
Correct. You need HSTS as well. And even then, it's only partial protection.
Yeah, the benefit of using HTTPS is when legit websites use it to encrypt the transmission sensitive information, not for security purposes IMO.
-
I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.
-
@kelly said in Miscellaneous Tech News:
I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.
That what a VPN is for, like FrootVPN.
-
@obsolesce said in Miscellaneous Tech News:
@kelly said in Miscellaneous Tech News:
I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.
That what a VPN is for.
VPN has a handoff at some point where it will be crossing into unencrypted land before it hits the end point. I can prevent my ISP from analyzing my immediate traffic, but I have no control over who can after it leaves the VPN provider.
-
@kelly said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@kelly said in Miscellaneous Tech News:
I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.
That what a VPN is for.
VPN has a handoff at some point where it will be crossing into unencrypted land before it hits the end point. I can prevent my ISP from analyzing my immediate traffic, but I have no control over who can after it leaves the VPN provider.
At that point it doesn't matter because it's not YOU it's coming from. So they analytics will be against the VPN server, not you.
-
@obsolesce said in Miscellaneous Tech News:
@kelly said in Miscellaneous Tech News:
I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.
That what a VPN is for, like FrootVPN.
Which is also exactly what HTTPS is.
-
@Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing. That may not be your point, but all the negative feedback relating to this topic is giving that impression. HTTPS is not a panacea and it will not create whirled peas, but it is better than not having it for a variety of reasons. There are edge cases where it is unnecessary, but is it necessary to automatically go there whenever something is brought up?
This is a trend that has bothered me about the tone here on ML. There are quite a few (what I think) are unnecessary arguments about things that are not important to the topic at hand. I've kept quiet about it thus far, but this discussion has prompted me to say something.
-
@kelly said in Miscellaneous Tech News:
@Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing.
Nobody said it's a bad thing...
-
@obsolesce said in Miscellaneous Tech News:
@kelly said in Miscellaneous Tech News:
@Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing.
Nobody said it's a bad thing...
Agreed. Just arguing that using HTTP in some cases wasn't irresponsible.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@kelly said in Miscellaneous Tech News:
@Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing.
Nobody said it's a bad thing...
Agreed. Just arguing that using HTTP in some cases wasn't irresponsible.
To what end? There are a lot nits that get picked on this site that cause the discussion to go off the rails for no real purpose that I can perceive. You're not wrong, but did that improve the discussion in any way? I'm not pointing fingers at you in particular, this thread is just one of many where this has happened. I don't know that anything will change, but it bothers me how quality discussions devolve into a back and forth about one point that is tangential to the main focus, and not in a healthy discussion way.
-
@kelly said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@kelly said in Miscellaneous Tech News:
@Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing.
Nobody said it's a bad thing...
Agreed. Just arguing that using HTTP in some cases wasn't irresponsible.
To what end? There are a lot nits that get picked on this site that cause the discussion to go off the rails for no real purpose that I can perceive. You're not wrong, but did that improve the discussion in any way? I'm not pointing fingers at you in particular, this thread is just one of many where this has happened. I don't know that anything will change, but it bothers me how quality discussions devolve into a back and forth about one point that is tangential to the main focus, and not in a healthy discussion way.
Not to make this one of those, but I feel like, for me at least, this was productive. Because while it took a bit of back and forth, @stacksofplates exposed the OAUTH "style" risk that is very real and had not been considered. And then the HSTS necessity was brought up. WHich I think was good additional stuff.
Maybe it's too much back and forth, but isn't that how you test concepts to see what is useful and find nuances that were missed? We could skip all that, but wouldn't the discussion have less if we did?
-
@scottalanmiller said in Miscellaneous Tech News:
@kelly said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@kelly said in Miscellaneous Tech News:
@Obsolesce and @scottalanmiller I'm not sure why the two of you seem to be arguing that this is a bad thing.
Nobody said it's a bad thing...
Agreed. Just arguing that using HTTP in some cases wasn't irresponsible.
To what end? There are a lot nits that get picked on this site that cause the discussion to go off the rails for no real purpose that I can perceive. You're not wrong, but did that improve the discussion in any way? I'm not pointing fingers at you in particular, this thread is just one of many where this has happened. I don't know that anything will change, but it bothers me how quality discussions devolve into a back and forth about one point that is tangential to the main focus, and not in a healthy discussion way.
Not to make this one of those, but I feel like, for me at least, this was productive. Because while it took a bit of back and forth, @stacksofplates exposed the OAUTH "style" risk that is very real and had not been considered. And then the HSTS necessity was brought up. WHich I think was good additional stuff.
Maybe it's too much back and forth, but isn't that how you test concepts to see what is useful and find nuances that were missed? We could skip all that, but wouldn't the discussion have less if we did?
If value is derived from the discussion, then I'm all for it. I did not have the impression from the responses that the respondents to @stacksofplates posts were getting anything from them aside from more things to "discuss". This current discussion is not alone in my opinion. But, perhaps I'm being overly sensitive and am reading too much into things.
-
@kelly said in Miscellaneous Tech News:
But, perhaps I'm being overly sensitive and am reading too much into things.
Probably this IMO.
Valid points were made, additional considerations were brought to light, more understanding and concepts came from it... that's how things progress.
If only a single aspect of something is talked about, and all else is not considered, well I think that's dangerous and how misconceptions and misinformation can form.
-
<opinion>Twitter: We don't shadow ban, but we make it so people's tweets don't show up in feeds if we don't like them</opinion>