Comment by R.. GitHub STOP HELPING ICE on Can my ISP censor my internet?
@Gruber: If the user's PC is completely compromised (by having installed backdoor software provided by a malicious party like an ISP wanting to do nefarious things), Tor and/or Tor Browser are running...
Comment by R.. GitHub STOP HELPING ICE on Erased encrypted HDD, then secure...
What does "encrypted" mean in the context of your question?
Comment by R.. GitHub STOP HELPING ICE on How many qubits are needed to...
@SamGinrich: Measurement errors growing exponentially has always been an obvious property to me from a naive standpoint, short of any magical way around that. And I say magical because the QC folks who...
Comment by R.. GitHub STOP HELPING ICE on Is a responsible disclosure for...
@ruakh: It takes confidence/arrogance? No, just experience/knowledge of history.
Comment by R.. GitHub STOP HELPING ICE on Do subdomains of a TLD with...
Wildcard certs are not expensive. You can get them for free, just like any certificate, from Let's Encrypt. You just have to use DNS-01 rather than HTTP-01 because the latter inherently cannot prove...
Comment by R.. GitHub STOP HELPING ICE on How is Xiaomi changing my browser...
The only reasonable way to use a Xiaomi phone is with third-party OS ("ROM") like LineageOS (not great itself, poorly managed, but at least not malware) that doesn't have the vendor backdoors on it....
Comment by R.. GitHub STOP HELPING ICE on How to best obfuscate a built-in...
+1 for "quit now before the lawyers find you". An employer asking you to do this is probably breaking the law (and asking you to do so too).
Comment by R.. GitHub STOP HELPING ICE on What's wrong with the use of a WAF...
Even if you're not relying on it as security, a WAF is a huge additional risk. It's a MITM that has access to all traffic, all access tokens, credentials, etc. and that's implemented by folks with very...
Comment by R.. GitHub STOP HELPING ICE on Did a Huawei modem just try to do a...
While the intent is not malicious, this is bad design and irresponsible of Huawei, and you should not attempt to click through the bad cert to accept it. If you do, your connection to the site is...
Comment by R.. GitHub STOP HELPING ICE on Can a powerful adversary trick ACME...
The CAA record can also mandate use of DNS-01 (disallowing HTTP-01) ACME method, at least if LE has enabled that in production yet. Combined with DNSSEC, this makes it cryptographically impossible for...
Answer by R.. GitHub STOP HELPING ICE for Does code obfuscation give any...
It increases the likelihood that, when the exploitable bugs in your software are found and exploited, it will be by highly motivated and likely well-funded attackers who specifically want to target you...
Answer by R.. GitHub STOP HELPING ICE for Is 2FA via mobile phone still a...
SMS 2FA is not only a bad idea; it's worse than not having 2FA at all (password only). This is because virtually all services offering "SMS 2FA" are actually delivering SMS 1FA! That is, they allow...
Answer by R.. GitHub STOP HELPING ICE for Log user out after change of IP...
Hard no. Security considerations aside (which this practice does not really help), restricting a session to an IP address utterly breaks access for users of some ISPs, especially mobile, who cycle IP...
Answer by R.. GitHub STOP HELPING ICE for Should a bank/financial service use...
No. Nobody should. They are not under your control, and can be redirected at another party's discretion. They can also be used to compromise the recipient's/your customer's privacy. There is no...
Answer by R.. GitHub STOP HELPING ICE for How can we exchange public keys...
One alternative for key distribution is DNS: keys, or rather key fingerprints, published in DNS records, protected by DNSSEC. Two standard examples of this are SSHFP (for SSH host keys) and DANE (for...
Answer by R.. GitHub STOP HELPING ICE for What is the use case for using TLS...
"The only use case I can think of is if you have untrusted users on the network..." This, but the problem is that you have untrusted users who you don't even know are users on the devices on network. This...
What portion of recursive (ISP, public, etc.) nameservers validate DNSSEC...
I'm adopting/setting up DNSSEC on my domains for the first time, and curious about the practical benefits I can expect. In theory, regardless of whether client/stub resolvers want checking, recursive...
Answer by R.. GitHub STOP HELPING ICE for Is starting an AWS instance with...
Assuming you configure it correctly, not only is it not "significantly insecure"; it's not vulnerable at all short of worldwide-catastrophe-level vulns that are not expected to exist. Seriously, AWS...
Answer by R.. GitHub STOP HELPING ICE for How can we eliminate passwords...
Passwords do need to be eliminated, but all the ideas you've cited as replacements are wrong. Passwords are not expensive to change. But they are prone to weak choices, compromise via reuse, and (most...
Answer by R.. GitHub STOP HELPING ICE for Emergency method to erase all data...
The framing of this question is just completely wrong, and I'd go so far as to suggest the question doesn't belong on Security SE but Worldbuilding SE if you're trying to make up a world where it does...