mastodon.ie is one of the many independent Mastodon servers you can use to participate in the fediverse.
Irish Mastodon - run from Ireland, we welcome all who respect the community rules and members.

#authentication


The UX of 2FA could be improved considerably, and security along with it, by using a circles of trust model.

Take the example of a code forge, hosting the canonical version of some crucial piece of kit like the Linux kernel, OpenSSL, or GnuPG. You would want a maintainer to be 100% authenticated before they can commit changes to these repositories. Basic security culture.

But ...

(1/2)

Critical #CitrixBleed 2 #vulnerability has been under active #exploit for weeks

A critical vulnerability allowing #hackers to bypass #multifactor #authentication in network management devices made by #Citrix has been actively #exploited for more than a month, researchers said. The finding is at odds with advisories from the vendor saying there is no evidence of in-the-wild #exploitation.
#security #privacy

arstechnica.com/security/2025/

Ars Technica · Critical CitrixBleed 2 vulnerability has been under active exploit for weeks. By Dan Goodin

@link2xt

I'M TROUBLED BY THE FOLLOWING:

The email was sent using oraclecloud servers, and when I checked the SPF records using the MXTOOLBOX.COM

I see what I think would be other authorized domains

v=spf1 exists:%{i}._i.%{d}._d.espf.agari-dns.net include:%{d}.ff.spf-protect.agari-dns.net include:_spf.salesforce.com include:spf.somedomain.com include:spf-d.somedomain.com include:spf-c.somedomain.com include:spf.protection.outlook.com -all
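As an added illustration (not code from the post above), a small Python parser that lists which third parties the quoted SPF record delegates to, reports the qualifier on the `all` term, and counts the mechanisms that cost a DNS lookup (RFC 7208 limits these to 10 per check). The record is copied from the post; the domain names in it are the post's own.

```python
# Constructed input: the SPF TXT record quoted in the post above.
SPF_RECORD = ("v=spf1 exists:%{i}._i.%{d}._d.espf.agari-dns.net "
              "include:%{d}.ff.spf-protect.agari-dns.net include:_spf.salesforce.com "
              "include:spf.somedomain.com include:spf-d.somedomain.com "
              "include:spf-c.somedomain.com include:spf.protection.outlook.com -all")

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples.
    The qualifier defaults to '+' (pass) when none is written."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:          # modifier such as redirect=... or exp=...
            name, _, value = term.partition("=")
        else:                    # mechanism such as include:... or a
            name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed

def summarize_spf(record):
    """Delegated domains, macro-bearing terms, the 'all' qualifier and the
    top-level DNS-lookup count (included records add their own lookups)."""
    parsed = parse_spf(record)
    delegated = [v for q, m, v in parsed if m in ("include", "redirect")]
    macro_terms = [v for q, m, v in parsed if "%{" in v]
    all_qualifier = next((q for q, m, v in parsed if m == "all"), None)
    lookups = sum(1 for q, m, v in parsed if m in LOOKUP_MECHANISMS)
    return {
        "delegated": delegated,
        "macro_terms": macro_terms,
        "all": all_qualifier,          # '-' hard fail, '~' soft fail, None missing
        "dns_lookups": lookups,
        "over_lookup_limit": lookups > 10,
    }

if __name__ == "__main__":
    for key, value in summarize_spf(SPF_RECORD).items():
        print(key, value)
```

Every `include:` domain in the output is a sender whose own SPF record is trusted to speak for this domain, which is what makes the list worth auditing; the macro terms (`%{i}`, `%{d}`) are expanded per message by the receiving server, so they cannot be resolved statically.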

Pivot-Lite by Fors is a #free two-operator #virtual #FM #synth that uses a similar approach to the Elektron Digitone groovebox. It requires #registration for the #download but no #online #authentication, which is great.

I'm getting tired of audio #software developers requiring additional authentication software to run the software I buy with my own money. Companies like Steinberg require 5 different apps to run one of their instruments. Here is a developer for once that says no authorisation needed.

The @w3c Linked Web Storage specification aims to create #WebApps with loosely coupled components like data #storage and #authentication, unlike today's tightly integrated systems.
The "Linked Web Storage Use Cases" document is published as a Draft Note. It presents user stories, use cases, and necessary requirements.
▶️ w3.org/TR/lws-ucs/

You’re welcome to contribute! github.com/w3c/lws-ucs/

www.w3.org · Linked Web Storage Use Cases: User stories and use cases for the Linked Web Storage (LWS) spec.

@relishthecracker : that's make-believe.

"Wow, asymmetric encryption, even quantum-computer-proof", "military-grade", etcetera.

Right after logging in using a passkey with an unbreakably protected private key, the website sends a session cookie (or similar) to the browser - which is NOT protected like private keys. If a website (like most of them) does not log you out if your IP address changes, such a cookie is nearly as bad as a password. And fully if the cookie never expires.

Therefore:

1️⃣ Even if attackers cannot copy private keys: if the user device is sufficiently compromised (i.e. on Android, running an accessibility service), they can take over all of the user's accounts;

2️⃣ If the user's browser is compromised, attackers can copy session cookies and use them to obtain access to accounts the user logs in to;

3️⃣ An AitM (Attacker in the Middle) using a malicious website can copy/steal authentication cookies. Such AitM-attacks are possible in at least the following cases if either:

• A malicious third party website manages to obtain a fraudulently issued certificate (examples: infosec.exchange/@ErikvanStrat);

• An attacker obtains unauthorised write access to the website's DNS record;

• An attacker manages to obtain access to a server where a "dangling" (forgotten) subdomain name points to, *AND* the real authenticating server (RP) does not carefully check for allowed subdomains (see github.com/w3ctag/design-revie);

4️⃣ The server is compromised or has a rogue admin: the attacker can add their passkey's public key to your account, or replace your public key with theirs (note that passkey pubkeys are not encapsulated by certificates issued by trusted issuers, stating who owns the public key).

Phishing using fake websites is probably the number one problem on the internet. *THE* major advantage of passkeys is that they make phishing attacks VERY HARD.

Indeed, if your device is sufficiently compromised, the risk of all of your passwords being stolen if you use a password manager is BIG.

However, as I wrote, if your device is sufficiently compromised, an attacker does not need access to your private keys in order to obtain access to your accounts.

@oliversampson @kaye

Infosec Exchange · Erik van Straten (@ErikvanStraten@infosec.exchange)

🌘DV-CERT MIS-ISSUANCE INCIDENTS🌒 🧵#3/3

Note: this list (in reverse chronological order) is probably incomplete; please respond if you know of additional incidents!

• 2024-07-31 "Sitting Ducks" attacks/DNS hijacks: mis-issued certificates for possibly more than 35.000 domains by Let's Encrypt and DigiCert: https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/ (src: https://www.bleepingcomputer.com/news/security/sitting-ducks-dns-attacks-let-hackers-hijack-over-35-000-domains/)

• 2024-07-23 Let's Encrypt mis-issued 34 certificates, revokes 27 for dydx.exchange: see 🧵#2/3 in this series of toots

• 2023-11-03 jabber.ru MitMed/AitMed in German hosting center https://notes.valdikss.org.ru/jabber.ru-mitm/

• 2023-11-01 KlaySwap and Celer Bridge BGP-hijacks described https://www.certik.com/resources/blog/1NHvPnvZ8EUjVVs4KZ4L8h-bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the

• 2023-09-01 Biggest BGP Incidents/BGP-hijacks/BGP hijacks https://blog.lacnic.net/en/routing/a-brief-history-of-the-internets-biggest-bgp-incidents

• 2022-09-22 BGP-hijack mis-issued GoGetSSL DV certificate https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/

• 2022-09-09 Celer Bridge incident analysis https://www.coinbase.com/en-nl/blog/celer-bridge-incident-analysis

• 2022-02-16 Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack https://www.bankinfosecurity.com/crypto-exchange-klayswap-loses-19m-after-bgp-hijack-a-18518

🌘BACKGROUND INFO🌒

• 2024-08-01 "Cloudflare once again comes under pressure for enabling abusive sites" (Dan Goodin - Aug 1, 2024) https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/

• 2018-08-15 Usenix-18: "Bamboozling Certificate Authorities with BGP" https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee

Edited 2024-09-05 14:19 UTC: corrected the link for the "jabber.ru" incident.

#DV #LE #LetsEncrypt #Certificates #Certs #Misissuance #Mis_issuance #Revocation #Revoked #Weaknessess #WeakCertificates #WeakAuthentication #Authentication #Impersonation #Identification #Infosec #DNS #DNSHijacks #SquareSpace #Authorization #UnauthorizedChanges #UnauthorizedModifications #DeFi #dydx_exchange #CryptoCoins

Successful #evaluation for ESS: From May 26 to 18, 2025, a group of international scientists visited Karlsruhe to evaluate, among other things, the Topic Engineering Secure Systems (ESS). The guests came from ETH Zurich, the University of Wisconsin-Madison, and the University of Leuven, among others. ESS is one of three (sub)topics in the Program Engineering #Digital Futures (EDF) in the @helmholtz Research Field “Information.” We at SECUSO are involved in ESS as part of the Human and Societal Factors (HSF) research group. HSF presented the work of the research group in four demonstrators from the areas of #security #awareness, user #authentication, legal design patterns, and securing democracies. Further information can be found in the special issue on Topic Engineering Secure Systems: kastel-labs.de/wp-content/uplo

Rename `oauth-xx` org to `ruby-oauth`?

Intent of current name was to be a home for oauth tools across many languages, but it never materialized that way. The vestigial -xx is awkward for many reasons, and I think discoverability would improve with a ruby-* org name, and perhaps it could even bring in other oauth-related tools. I have a few thoughts about this, so 🧵

I'm very interested in others' thoughts #Ruby #RubyFriends #OAuth #Authentication