pawb.fun is one of the many independent Mastodon servers you can use to participate in the fediverse.
This instance aimed at any and all within the furry fandom, though anyone is welcome! We're friendly towards members of the LGBTQ+ community and aiming to offer a safe space for our users.

#yubikey

2 posts · 2 participants · 0 posts today
Samuel Lison :lagr_elephant:<p><span class="h-card" translate="no"><a href="https://social.lol/@techlore" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>techlore</span></a></span> Proton Pass is good in that your data on Proton Pass is fully <a href="https://social.familylison.com/tags/encrypted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>encrypted</span></a>. So if you use a hardware-based <a href="https://social.familylison.com/tags/passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passkey</span></a> such as a <a href="https://social.familylison.com/tags/yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>yubikey</span></a> to secure the main account, and have all your other accounts within it use software-based passkeys and 2FA, it wouldn't be as much of a risk even if Proton Pass got breached as a service.</p>
Privacy Guides<p>If you are looking for a good password manager you can use from anywhere, there are plenty of excellent options to choose from. However, if you prefer to only store your passwords locally, KeePassXC is what you need. In our latest tutorial, we'll walk through setting up KeePassXC to work with your YubiKey as an additional factor to secure your local-only password database.</p><p><a href="https://www.privacyguides.org/articles/2025/03/18/installing-keepassxc-and-yubikey/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">privacyguides.org/articles/202</span><span class="invisible">5/03/18/installing-keepassxc-and-yubikey/</span></a></p><p><a href="https://mastodon.neat.computer/tags/KeePassXC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>KeePassXC</span></a> <a href="https://mastodon.neat.computer/tags/YubiKey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YubiKey</span></a> <a href="https://mastodon.neat.computer/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Security</span></a> <a href="https://mastodon.neat.computer/tags/Privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Privacy</span></a> <a href="https://mastodon.neat.computer/tags/KeePass" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>KeePass</span></a> <a href="https://mastodon.neat.computer/tags/KeePassX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>KeePassX</span></a> <a href="https://mastodon.neat.computer/tags/PrivacyGuides" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PrivacyGuides</span></a> <a href="https://mastodon.neat.computer/tags/Article" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>Article</span></a></p>
Em :official_verified:<p>New Privacy Guides article 🔑✨<br>by me: </p><p>If you are using a YubiKey, </p><p>you might get in some situations where you need to reset your key to factory default, and/or set up a backup of it on a spare key.</p><p>This tutorial will guide you <br>through each step to reset and back up your YubiKey successfully, with clear instructions and plenty of visual support.</p><p>I hope you find it helpful!</p><p><a href="https://www.privacyguides.org/articles/2025/03/06/yubikey-reset-and-backup/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">privacyguides.org/articles/202</span><span class="invisible">5/03/06/yubikey-reset-and-backup/</span></a></p><p><a href="https://infosec.exchange/tags/PrivacyGuides" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PrivacyGuides</span></a> <a href="https://infosec.exchange/tags/Privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Privacy</span></a> <a href="https://infosec.exchange/tags/Yubico" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubico</span></a> <a href="https://infosec.exchange/tags/YubiKey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YubiKey</span></a> <a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Security</span></a> <a href="https://infosec.exchange/tags/OTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTP</span></a> <a href="https://infosec.exchange/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenPGP</span></a> <a href="https://infosec.exchange/tags/Encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Encryption</span></a> <a 
href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MFA</span></a></p>
Privacy Guides<p>Always remember, when it comes to hardware security keys: Two is one, one is none.</p><p>Our latest article covers the setup process for two YubiKeys (from Yubico's YubiKey 4 or 5 series) to keep your online accounts safe and secure 🔒 + it goes through resetting your existing keys to a blank slate, and the reasons you might want to do so!</p><p><a href="https://www.privacyguides.org/articles/2025/03/06/yubikey-reset-and-backup/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">privacyguides.org/articles/202</span><span class="invisible">5/03/06/yubikey-reset-and-backup/</span></a></p><p><a href="https://mastodon.neat.computer/tags/YubiKey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YubiKey</span></a> <a href="https://mastodon.neat.computer/tags/HardwareSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HardwareSecurity</span></a> <a href="https://mastodon.neat.computer/tags/Privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Privacy</span></a> <a href="https://mastodon.neat.computer/tags/Yubico" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubico</span></a> <a href="https://mastodon.neat.computer/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Security</span></a> <a href="https://mastodon.neat.computer/tags/PrivacyGuides" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PrivacyGuides</span></a> <a href="https://mastodon.neat.computer/tags/Article" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Article</span></a></p>
benzogaga33 :verified:<p>Hey Mastodon folks, do you know whether it's possible, for multi-factor authentication, to add several <a href="https://mamot.fr/tags/yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>yubikey</span></a> to an account on online services such as Google, PayPal, etc.?<br>Thanks in advance.<br>A boost gives you wings :blobcatheart: <br><a href="https://mamot.fr/tags/help" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>help</span></a><br><a href="https://mamot.fr/tags/aide" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>aide</span></a></p>
Forst<p>One thing not directly mentioned in release notes for <a href="https://mastodon.social/tags/Firefox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Firefox</span></a> 135, you can now use passkeys (e.g. on a <a href="https://mastodon.social/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubikey</span></a>) to encrypt your vault in <a href="https://mastodon.social/tags/Bitwarden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Bitwarden</span></a>. This means you will only need your passkey to unlock it, no need to enter the master password.</p>
D4rk$ign$<p><span class="h-card" translate="no"><a href="https://mastodon.social/@Tutanota" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>Tutanota</span></a></span> <br><a href="https://mastodon.social/tags/passbolt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passbolt</span></a> for password management<br><a href="https://mastodon.social/tags/sentinelone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sentinelone</span></a> for client security<br><a href="https://mastodon.social/tags/yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>yubikey</span></a> for keys<br><a href="https://mastodon.social/tags/trezor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>trezor</span></a> for crypto and keys<br><a href="https://mastodon.social/tags/GPG" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GPG</span></a> in general as security<br><a href="https://mastodon.social/tags/proton" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>proton</span></a> for mails<br><a href="https://mastodon.social/tags/Torbrowser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Torbrowser</span></a>/brave browsing<br><a href="https://mastodon.social/tags/Reverseproxy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Reverseproxy</span></a><br><a href="https://mastodon.social/tags/Tailscale" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Tailscale</span></a> for secure private network mesh</p>
Maruno Ulfdrengr<p>I am a bit surprised by the <a href="https://bark.lgbt/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubikey</span></a> that the NFC basically can't really be used when it comes to passkeys, or am I missing something? It never seems to work on my Pixel 7, or the option is not given.</p>
Flippin' 'eck, Tucker!<p>Wow, finally! If you use the Bitwarden desktop app on Linux, the latest release now allows you to use a Yubikey to authenticate if you have one configured</p><p><a href="https://social.chatty.monster/tags/Bitwarden" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Bitwarden</span></a> <a href="https://social.chatty.monster/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linux</span></a> <a href="https://social.chatty.monster/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubikey</span></a></p>
Forst<p>I should probably note that I'm doing all of this on <a href="https://mastodon.social/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubikey</span></a> as much as possible, rather than using <a href="https://mastodon.social/tags/1Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>1Password</span></a> or the system keychain. <a href="https://mastodon.social/tags/passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passkeys</span></a> <a href="https://mastodon.social/tags/passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passkey</span></a></p>
Stealthy<p>Well, hello there people!<br>I'm posting this, because I need your help.<br>There are lots and lots of different security keys out there such as:<br><a href="https://dragonscave.space/tags/yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>yubikey</span></a> <a href="https://dragonscave.space/tags/tillitis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>tillitis</span></a> and others.<br>Has anyone out here in the world of Mastodon tried multiple keys?<br>I'm gravitating towards the YubiKey to be honest; however, there's one huge downside: it's not FOSS, and I'm not one to believe in security through obscurity.<br>I would like it to work on <a href="https://dragonscave.space/tags/android" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>android</span></a> <a href="https://dragonscave.space/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>linux</span></a> and Windows.<br>I'm hoping to get an unbiased outlook on the differences through this post and make an informed choice.<br>I'd like to be able to use the security key login on websites, and FIDO2 would be nice, same with TOTP. I also want to use SSH and GitHub through this key.<br>Thanks in advance for your contributions! :). Also, feel free to mention a key that is going to add the features mentioned; I'll still be happy to buy it and wait a while.</p>
AmyFou 🕊️<p>So the USian 'research.gov' system just did a big security update and last week I set up my hardware key and everything worked great.</p><p>This morning, I super need to log in, and the f********g system won't recognize the hardware key. FFS. WTAF.</p><p><a href="https://lingo.lol/tags/tantrum" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>tantrum</span></a> <a href="https://lingo.lol/tags/yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>yubikey</span></a> <a href="https://lingo.lol/tags/usb" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>usb</span></a> <a href="https://lingo.lol/tags/nsf" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>nsf</span></a></p>
Forst<p>imo <a href="https://mastodon.social/tags/Apple" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Apple</span></a>'s release cycle is hurting <a href="https://mastodon.social/tags/Passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkey</span></a> adoption. This bug [1] has been reported over a month ago, still not fixed in a production release, only in a developer beta. I suppose it doesn't affect particularly many people, but imagine getting a new <a href="https://mastodon.social/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubikey</span></a>, excited, and it just doesn't work. Not a good introduction to passkeys, eh?</p><p>[1]: <a href="https://support.yubico.com/hc/en-us/articles/16726447752732-Safari-18-1-upgrade-MacOS-iOS-iPadOS-FIDO-PIN-issue-with-FIDO-CTAP-2-1-security-keys" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">support.yubico.com/hc/en-us/ar</span><span class="invisible">ticles/16726447752732-Safari-18-1-upgrade-MacOS-iOS-iPadOS-FIDO-PIN-issue-with-FIDO-CTAP-2-1-security-keys</span></a></p>
yawnbox :rebel:<p>I've written a new blog post taking a moderately deep dive into "Threat Modeling YubiKeys and Passkeys"</p><p><a href="https://yawnbox.is/blog/threat-modeling-yubikeys-and-passkeys/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">yawnbox.is/blog/threat-modelin</span><span class="invisible">g-yubikeys-and-passkeys/</span></a></p><p>I greatly welcome feedback as I want to make sure I'm not misrepresenting anything. I want to make it better if it can be improved. I'm happy to be wrong, just please provide details and links!</p><p>also, i need a job! if you like my work, maybe you know of something where i'd be a good fit.</p><p><a href="https://disobey.net/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://disobey.net/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://disobey.net/tags/IAM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IAM</span></a> <a href="https://disobey.net/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> <a href="https://disobey.net/tags/WebAuthn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WebAuthn</span></a> <a href="https://disobey.net/tags/YubiKey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YubiKey</span></a> <a href="https://disobey.net/tags/YubiKeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YubiKeys</span></a> <a href="https://disobey.net/tags/passkey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>passkey</span></a> <a href="https://disobey.net/tags/passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>passkeys</span></a> <a href="https://disobey.net/tags/GetFediHired" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GetFediHired</span></a></p>
Jonathan859Backup<p>Hmm, actually thinking about getting a <a href="https://dragonscave.space/tags/YubiKey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YubiKey</span></a>. The YubiKey Bio seems interesting to me, since it has this fingerprint thing so if it gets stolen, still only I can use it. Any of you guys using such a thing? How useful is it actually, and which one would you recommend?</p>
ChiefGyk3D<p>It still irks me that <a href="https://social.chiefgyk3d.com/tags/Bluesky" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Bluesky</span></a> still doesn't have proper MFA and their version is just Email. I would really love to use my <a href="https://social.chiefgyk3d.com/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubikey</span></a>! Threads is using OATH TOTP at least, as are my crossposting tools, but my <a href="https://social.chiefgyk3d.com/tags/Mastodon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mastodon</span></a> is using FIDO/WebAuthn. <a href="https://social.chiefgyk3d.com/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a href="https://social.chiefgyk3d.com/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://social.chiefgyk3d.com/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Security</span></a></p>
stux⚡<p>Internet Archive Lost The Fight &amp; YubiKey Vulnerability</p><p><a href="https://mstdn.social/tags/ThreatWire" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatWire</span></a> <a href="https://mstdn.social/tags/InternetArchive" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InternetArchive</span></a> <a href="https://mstdn.social/tags/YubiKey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YubiKey</span></a> </p><p><a href="https://www.youtube.com/watch?v=wA3HZ738PrQ" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">youtube.com/watch?v=wA3HZ738Pr</span><span class="invisible">Q</span></a></p>
Flippin' 'eck, Tucker!<p>I have proved experimentally (although unexpectedly) that spilling half a litre of water all over a Yubikey 5C does not in fact stop it working. At least not if you give it a few hours in a warm, dry place.</p><p><a href="https://social.chatty.monster/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubikey</span></a></p>
Forst<p>Given the recent ECDSA side channel attack, and <span class="h-card" translate="no"><a href="https://social.kernel.org/users/monsieuricon" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>monsieuricon</span></a></span> reminding us to use FIDO2 for SSH auth, I got this fresh harvest of <a href="https://mastodon.social/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubikey</span></a> devices :&gt;</p>
Erik van Straten<p>🟡 INTRODUCTION/BACKGROUND<br>It has become *way too easy* and cheap, to anonymously (or lying about identity) register a domain name, hire or hack a server and obtain a valid DV (Domain Validated) server certificate.</p><p>Furthermore, possibly *stimulated* by the fact that most servers now use DV-certificates, (web) browsers have made it increasingly hard for internet users to view certificate details, without providing any alternatives for those users to distinguish between misleading fake and real (authentic) servers.</p><p>A steadily increasing number of internet servers is now *anonymous* (it has been *deliberately* made impossible to reliably find out who is responsible), which has led, and still leads, to huge numbers of unnecessary victims of phishing.</p><p>This causes enormous financial losses to individuals, companies, governmental and healthcare organizations - while most of that money flows into the pockets of criminals who often operate from regimes that are our enemies. Thereby, indirectly or directly, enriching those regimes (the rest of the stolen money flows into the pockets of hosting-, cloud- and CDN providers, as well as DNS registrars and domain name parking services).</p><p>Note: a server certificate never directly warrants reliability of the owner of a domain name. However, in order to distinguish between fake and real servers or websites, it is essential that users know who is *responsible* and in which country they are established or live. 
Eventually, if necessary, to be able to sue them.</p><p>🟡 From <a href="https://www.theregister.com/2024/09/03/white_house_bgp_security/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">theregister.com/2024/09/03/whi</span><span class="invisible">te_house_bgp_security/</span></a>:<br>«<br>White House thinks it's time to fix the insecure glue of the internet: Yup, BGP<br>3 Sep 2024, 22:34 utc - Thomas Claburn<br>[...]<br>"As initially designed and commonly operating today, BGP does not provide adequate security and resilience features for the risks we currently face," the report (<a href="https://whitehouse.gov/wp-content/uploads/2024/09/Roadmap-to-Enhancing-Internet-Routing-Security.pdf" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">whitehouse.gov/wp-content/uplo</span><span class="invisible">ads/2024/09/Roadmap-to-Enhancing-Internet-Routing-Security.pdf</span></a>) [PDF] says. 
"Concerns about fundamental vulnerabilities have been expressed for more than 25 years."<br>»</p><p>🟡 IMO, to not *first* fix WebPKI is plain *stupid* because:</p><p>➡️ If the *combination* of:<br>🔸 A *decent* WebPKI {1}, *and*<br>🔸 Improved browsers {2}, *and*<br>🔸 User education {3},<br>*enables* internet users to reliably distinguish between fake and real (authentic) servers, then the necessity for RPKI decreases enormously {4};</p><p>➡️ Apart from the fact that RPKI is fully hidden for internet users (they *neither* know whether it's used for their current IP-connections, and if that happens to be the case, *nor* how reliable the authentication of the parties involved took place), RPKI does *not* solve a much bigger problem: DNS-hijacks.</p><p>➡️ A decent WebPKI effectively mitigates the following vulnerabilities (in the order of most to least occurring):<br>🔸 People not knowing who is responsible for a given (often misleading) domain name;<br>🔸 DNS hijacks/attacks;<br>🔸 BGP hijacks;<br>🔸 AitM's {5} "near" the real server who unrightfully obtain DV-certificates.</p><p>Edited to add 2024-09-05 21:59 {<br>WebAuthn (as used by FIDO2 hardware keys and by passkeys) *ONLY* protects against the first vulnerability (in people who don't know that a given domain name does not belong to the apparent owner, but instead to an impostor). WebAuthn's phishing-resistance ceases to exist if a fake website obtains any type of certificate. 
However, while it's extremely easy for an attacker to obtain a DV-certificate, more trustworthy certificates should make that *a lot* harder.<br>}</p><p>🟡 {1} WHAT IS A DECENT WEBPKI<br>A *decent* WebPKI means that:</p><p>1️⃣ We must get rid of the current (effectively Google owned) CA/B forum, simply because server certificates exist primarily in the interest of *internet users* (not even represented in the CA/B forum) instead of its current members: *commercial* cloud providers, browser makers, CA's (Certificate Authorities) and/or CSP's (Certificate Service Providers).</p><p>2️⃣ The world needs a new, independent, organization that supervises requirements of certificates, CA's and CSP's, as well as all requirements for (web) browsers related to certificates. For easy referencing I'll call it the WPKIF (Web Public Key Infrastructure Forum) in this toot. It is essential that internet users are strongly represented in the WPKIF. The WPKIF must be repeatedly audited by independent auditors (based on clear predefined requirements and/or controls).</p><p>3️⃣ Each *critical* server {6} *must* use a server certificate that, more or less reliably, uniquely defines the person, people or organization responsible for the server(s) (and content, security etc.) referenced by the server's domain name(s) included in the certificate.</p><p>4️⃣ The layout of server certificates needs an update to better serve internet users. Most of those users are *not* interested in technical details such as long serial numbers or hexadecimal public key values (such data must remain accessible for experienced users). 
So some sort of split between technical and *human readable* (not "CN=") information must be made.</p><p>5️⃣ Each server certificate must also contain a standardized indicator that reveals the *minimum* reliability of the authentication of the person, people or organization responsible for all domain names, and all servers referenced by all domain names (included in the certificate). In short: how certain is it that the owner of a website is who they claim to be.</p><p>6️⃣ Each server certificate must also contain a reference to a WPKIF website with a standardized indicator that reveals the *reliability* of the least reliable link in the chain starting at the applicable CA and ending with the CSP (including both ends plus intermediate certificates and their owners). In short: how reliable is the information in the certificate, as determined by the WPKIF.</p><p>7️⃣ The WPKIF must immediately and objectively take action against any CA, intermediate or CSP that violates the rules and requirements as defined by the WPKIF. Such by decreasing their reliability rating up to canceling their right to issue certificates.</p><p>🟡 {2} Web browsers (and perhaps other clients) must make it a lot easier for users to determine who is responsible for a server or website. IMO, at the very least when an internet user visits a website with a specific domain name *for the first time* (using that browser), *OR* when the server sends a new certificate, the browser should first show full details of the owner of the domain name *before* fetching any content - and let the user decide whether they want to continue and open the website. (Note: I've not given it enough thought how to handle third party websites - where CSS, JavaScript, images and/or analytics stuff is downloaded from).</p><p>🟡 {3} Internet users need to be educated about the importance of knowing who owns a domain name (and thus server and/or website). Browsers must play a role by offering tutorials. 
Current "awareness trainings" are simply insufficient (as notably Google found out, see <a href="https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">security.googleblog.com/2024/0</span><span class="invisible">5/on-fire-drills-and-phishing-tests.html</span></a> - more info, in Dutch: <a href="https://infosec.exchange/@ErikvanStraten/113045136092456532" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113045136092456532</span></a>).</p><p>🟡 {4} RPKI vs WebPKI<br>Increasingly cybercriminals succeed in hijacking cryptocurrency websites, and they may do so by hijacking BGP and subsequently acquiring a DV certificate for their fake server (examples can be found here: <a href="https://infosec.exchange/@ErikvanStraten/112914050216821746" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914050216821746</span></a>). However, BGP hijack attacks are not easy to accomplish and often detected soon. In particular it will be hard for the attackers to obtain *trustworthy* server certificates. </p><p>🟡 {5} AitM = Attacker in the Middle. 
A server in a hosting center may be AitM'ed in the same center without touching the actual server itself and without requiring DNS- or BGP hijacks (because the AitM and the real server are both connected to an internal network), as for example happened to "jabber.ru" in a German hosting center (see <a href="https://therecord.media/jabber-ru-alleged-government-wiretap-expired-tls-certificate" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">therecord.media/jabber-ru-alle</span><span class="invisible">ged-government-wiretap-expired-tls-certificate</span></a>, full details in <a href="https://notes.valdikss.org.ru/jabber.ru-mitm/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">notes.valdikss.org.ru/jabber.r</span><span class="invisible">u-mitm/</span></a>).</p><p>🟡 {6} A critical server is one whose *authenticity* and/or *indistinguishability from fake sites* are important up to (through) essential for internet users. I don't care if a home NAS uses a DV-cert, but banks, governments (in particular those that do *not* use a specific domain name ending, such as .gov), insurances, websites showing and/or receiving medical/patient data etc. 
- any server related to PII or needs to otherwise prove their identity.</p><p>🟡 MORE INFORMATION<br>🔸 Let's Encrypt certificates mis-issuances &amp; ocsp ending: <a href="https://infosec.exchange/@ErikvanStraten/112914047006977222" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914047006977222</span></a></p><p>🔸 Untrustworthy HSTS and lack of "https only" in many browsers: <a href="https://infosec.exchange/@ErikvanStraten/113045241408077702" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113045241408077702</span></a></p><p>🔸 Why awareness trainings fail (in Dutch): <a href="https://infosec.exchange/@ErikvanStraten/113045136092456532" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113045136092456532</span></a></p><p>🔸 Why the physical location of an offline service provider (like a bank office or a town hall) is a hugely underestimated authentication factor (in Dutch): <a href="https://security.nl/posting/855557" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/855557</span><span class="invisible"></span></a></p><p>🔸 Why Google lied when they killed EV certs, and why it's insane to introduce digital identity wallets (eID's) for strong online authentication of people on the current, highly criminalized, internet, with more anonymous servers every day (in Dutch): <a href="https://infosec.exchange/@ErikvanStraten/113031344934186250" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span 
class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113031344934186250</span></a></p><p>🔸 How Google became evil by facilitating cybercrime, renting them hosting services for domain names such as NNoutlook.com, NNNNoutlook.com and ecbeuropa[.]eu, even providing them with server certificates for free: <a href="https://www.virustotal.com/gui/ip-address/35.241.18.84/relations" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/ip-address/</span><span class="invisible">35.241.18.84/relations</span></a></p><p>Internet reliability needs to be restored, and further improved upon, ASAP.</p><p><a href="https://infosec.exchange/tags/RPKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RPKI</span></a> <a href="https://infosec.exchange/tags/PKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PKI</span></a> <a href="https://infosec.exchange/tags/WebPKI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WebPKI</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/BGP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BGP</span></a> <a href="https://infosec.exchange/tags/BGPHijack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BGPHijack</span></a> <a href="https://infosec.exchange/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNS</span></a> <a href="https://infosec.exchange/tags/DNSHijack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNSHijack</span></a> <a href="https://infosec.exchange/tags/Websites" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>Websites</span></a> <a href="https://infosec.exchange/tags/Real" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Real</span></a> <a href="https://infosec.exchange/tags/Fake" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fake</span></a> <a href="https://infosec.exchange/tags/Authentic" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentic</span></a> <a href="https://infosec.exchange/tags/Authenticity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authenticity</span></a> <a href="https://infosec.exchange/tags/Impostors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impostors</span></a> <a href="https://infosec.exchange/tags/CABForum" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CABForum</span></a> <a href="https://infosec.exchange/tags/Commercialization" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Commercialization</span></a> <a href="https://infosec.exchange/tags/Independant" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Independant</span></a> <a href="https://infosec.exchange/tags/UserRepresentatives" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UserRepresentatives</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/OV" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OV</span></a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>EV</span></a> <a href="https://infosec.exchange/tags/QWAC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>QWAC</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eID</span></a> <a href="https://infosec.exchange/tags/eIDAS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eIDAS</span></a> <a href="https://infosec.exchange/tags/WebAuthn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WebAuthn</span></a> <a href="https://infosec.exchange/tags/FIDO2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FIDO2</span></a> <a href="https://infosec.exchange/tags/Yubikey" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubikey</span></a> <a href="https://infosec.exchange/tags/Yubico" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Yubico</span></a> <a href="https://infosec.exchange/tags/Titan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Titan</span></a> <a href="https://infosec.exchange/tags/GoogleTitan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GoogleTitan</span></a> <a href="https://infosec.exchange/tags/Feitian" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Feitian</span></a></p>
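The post's distinction between a DV certificate (proof of domain control only, fine for a home NAS) and an OV/EV certificate (a CA vetted the operating organisation, which is what a critical server needs) can be checked from the Subject fields a browser or client sees. This is an added example, not code from the post or from any project it mentions; it works on the dictionary shape Python's `ssl.getpeercert()` returns, the sample certificates are constructed, and the EV detection is a heuristic based on EV-only subject attributes because `getpeercert()` does not expose the certificatePolicies extension.

```python
import socket
import ssl

# EV-only subject attributes (OpenSSL long names as ssl.getpeercert() renders them). Heuristic:
# getpeercert() does not expose certificatePolicies, the authoritative EV marker (assumed here).
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten the getpeercert() subject (a tuple of RDNs, each a tuple of (name, value) pairs)."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def san_dns_names(cert):
    """DNS names the certificate is valid for; CN-less, SAN-only certificates are common."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def validation_level(cert):
    """'DV' proves control of the domain only; 'OV'/'EV' mean a CA vetted an organisation."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    return "EV" if EV_SUBJECT_FIELDS.intersection(fields) else "OV"

def operator_identity(cert):
    """What a visitor can learn about the operator from the certificate alone (None for DV)."""
    fields = subject_fields(cert)
    if validation_level(cert) == "DV":
        return None
    return fields["organizationName"], fields.get("jurisdictionCountryName", fields.get("countryName"))

def acceptable_for(cert, critical):
    """The post's policy: a DV certificate is fine for a home NAS, not for a critical server."""
    return not critical or validation_level(cert) != "DV"

def fetch_peer_cert(host, port=443):
    """Live lookup with the standard library (needs network; the samples below do not)."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host) as s:
        return s.getpeercert()

def _cert(san, **subject):
    return {"subject": tuple(((k, v),) for k, v in subject.items()),
            "subjectAltName": (("DNS", san),)}

# Constructed samples in the shape ssl.getpeercert() returns; these are not real certificates.
SAMPLE_DV = _cert("nas.home.example", commonName="nas.home.example")
SAMPLE_DV_NO_CN = _cert("www.example.org")  # SAN-only certificate with an empty subject
SAMPLE_OV = _cert("www.example-bank.nl", countryName="NL", organizationName="Example Bank N.V.",
                  commonName="www.example-bank.nl")
SAMPLE_EV = _cert("www.example-bank.nl", businessCategory="Private Organization",
                  jurisdictionCountryName="NL", serialNumber="12345678", countryName="NL",
                  organizationName="Example Bank N.V.", commonName="www.example-bank.nl")
```

`validation_level(fetch_peer_cert("your.bank.example"))` applies the same check to a live site; a hostname placeholder is used here because no real host is asserted.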