Comment by R.. GitHub STOP HELPING ICE on Can trusted timestamping be faked...
@chepner: Thermodynamics also doesn't preclude all of the oxygen molecules in the room deciding to hang out in a corner causing you to die, but it's not going to happen.
View ArticleComment by R.. GitHub STOP HELPING ICE on What's wrong with my app...
Tokens should have unlimited lifetime, but should not be sufficient for performing sensitive/destructive actions like deleting account or changing credentials. Forcing a user to enter their password...
View ArticleComment by R.. GitHub STOP HELPING ICE on Is my encryption format secure?
Cryptographic agility is largely seen as a weakness nowadays, in that a party can be tricked into using a cipher or higher level construct with known weaknesses by an attacker. So lack of agility is...
View ArticleComment by R.. GitHub STOP HELPING ICE on What prevents applications from...
This is not the only way. Just using separate privilege domains on the same computer & operating system is also completely valid.
View ArticleComment by R.. GitHub STOP HELPING ICE on What prevents applications from...
This is true - and IMO is the best solution because it does not give up on general purpose computing and user autonomy and possession of their own keys - but in order for it to really have this...
View ArticleComment by R.. GitHub STOP HELPING ICE on My school wants me to download an...
There absolutely does not need to be any further intent to do something nefarious with the information intercepted for it to be malicious. Just the act of undermining privacy of the communication is in...
View ArticleComment by R.. GitHub STOP HELPING ICE on What is the best way to protect...
Like all viruses: by not executing them in privilege domains where they can do harm.
View ArticleAnswer by R.. GitHub STOP HELPING ICE for What prevents a browser from saving...
Nothing does, and this is why you need an extremely high degree of trust in your browser as well as any other system components (operating system, input methods, etc.) that have access to your inputs...
View ArticleComment by R.. GitHub STOP HELPING ICE on Is using `crypt` in PostgreSQL for...
The = operator is not constant-time, but I don't see any reason that's relevant in this context. Assuming the attacker does not have access to the salt, knowing how many bytes of the computed hash...
View ArticleAnswer by R.. GitHub STOP HELPING ICE for Keyboard isolation in Android
Android's permission system supposedly gives you the power to sandbox a keyboard application so that it cannot exfiltrate data, but the Android UI does not give you access to the full permissions...
View Article