GNU social JP

Conversation
    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 05:17:44 JST

    “There’s no surefire way to detect either malicious Google ads or punycode-encoded URLs. Posting https://ķeepass.info into all five major browsers leads to the imposter site.”

    Ah, yes. But, using Privacy Browser Android, the true punycode URL of https://xn--eepass-vbb.info/ is revealed.

    https://arstechnica.com/security/2023/10/google-hosted-malvertising-leads-to-fake-keepass-site-that-looks-genuine/

    In conversation Friday, 20-Oct-2023 05:17:44 JST from fosstodon.org permalink

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 20-Oct-2023 05:17:43 JST
      @privacybrowser Same for anything using WebkitGTK correctly.
    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 05:27:09 JST

      That's a feature that should be coming to Privacy Browser PC soon.

      https://redmine.stoutner.com/issues/1108

    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 05:27:09 JST

      A reminder that browsers should never try to simplify or hide the URL from the user.

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 20-Oct-2023 05:31:42 JST
      @privacybrowser It isn't about the rendering part of WebKitGTK, it's about the API: https://webkitgtk.org/reference/webkit2gtk/stable/func.uri_for_display.html
    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 05:31:43 JST, in reply to Haelwenn /элвэн/ :triskell:

      @lanodan I think it has a lot more to do with the GUI code than the rendering engine code. In my testing, Chrome and Firefox for Android do not display the correct URL. Lightning behaves correctly the same as Privacy Browser Android. FOSS Browser and Fulguris (a fork of Lightning) change the URL, but they cover it up with the website title, so you can't see it unless you tap to edit it.

    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 05:42:51 JST, in reply to Haelwenn /элвэн/ :triskell:

      @lanodan “This function provides protection against IDN homograph attacks, so **in some cases** the host part of the returned URI may be in Punycode if the safety check fails.”

      Do you know which are the cases where it displays the punycode and which are the cases where it doesn’t?

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 20-Oct-2023 05:42:51 JST
      @privacybrowser Been a while since I checked the source code of it, but if I remember correctly: it displays human-readable punycode/percent-encoded characters, unless there are known homographic characters (which are probably identified via ICU).

      It's not great (a hostname entirely in Greek/Cyrillic ought to be human-readable), but I would say it's safe enough.

      The only real way to be safe anyway is by using bookmarks and an integration of password managers which matches on the hostname (because you don't always remember the exact spellings of websites).

      While I'm at it: Consider using a font like monospace for URLs.
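The display rule described above (show the decoded hostname unless it contains known homographic characters), as an added Python example. This is a simplified heuristic written for this thread, not WebKitGTK's uri_for_display() code; the confusables table is a constructed fragment, and the script lookup via Unicode character names is an approximation.

```python
import unicodedata

# Constructed fragment of Unicode "confusables": Cyrillic letters that render
# like ASCII letters. The real table is far larger; this is only a sample.
CONFUSABLE_TO_ASCII = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}

def script_of(ch):
    """Crude script lookup (Python exposes no Script property): ASCII letters
    are LATIN, digits/hyphens/combining marks COMMON, else first word of name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    if unicodedata.combining(ch):
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def ascii_skeleton(label):
    """Strip diacritics and map known confusables to the ASCII letters they
    imitate: 'ķeepass' -> 'keepass', 'pаypal' (Cyrillic a) -> 'paypal'."""
    chars = unicodedata.normalize("NFD", label)
    return "".join(CONFUSABLE_TO_ASCII.get(c, c) for c in chars
                   if not unicodedata.combining(c))

def label_is_safe(label):
    """Unicode is shown only for a single-script label that does not collapse
    to a different, purely ASCII name ('пример' ok; 'ķeepass' mimics 'keepass')."""
    scripts = {script_of(c) for c in label} - {"COMMON"}
    if len(scripts) > 1:
        return False
    skeleton = ascii_skeleton(label)
    return skeleton == label or not skeleton.isascii()

def host_for_display(host):
    """Decode xn-- labels and return the Unicode host only when every decoded
    label passes label_is_safe; otherwise return the Punycode host unchanged."""
    shown = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                return host           # malformed IDNA: never "prettify" it
            if not label_is_safe(label):
                return host           # one suspicious label keeps all Punycode
        shown.append(label)
    return ".".join(shown)
```

With this rule the imposter host from the thread, xn--eepass-vbb.info, stays in Punycode because its skeleton is the ASCII name "keepass", while an all-Cyrillic hostname is still shown decoded.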
    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 05:54:29 JST, in reply to Haelwenn /элвэн/ :triskell:

      @lanodan I have to disagree with you on the password manager. Everyone should use an offline password manager that does not sync to some cloud service, but for security and privacy reasons, nobody should use a password manager that integrates with their web browser.

      You never want something that is processing untrusted data inputs (a web browser) having any connection path to the data store that holds your passwords.

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 20-Oct-2023 05:54:29 JST
      @privacybrowser integrated ≠ embedded/bundled

      Putting it roughly, integration is when you have different software capable of depending on each others.
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 20-Oct-2023 06:02:29 JST
      @privacybrowser How?
      Because the only real way of being sure the hostname matches is to be able to check for a match.

      I don't mean a requirement on auto-filling information by the way, those ought to not exist due to things like JavaScript and hidden forms.
    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 06:02:30 JST, in reply to Haelwenn /элвэн/ :triskell:

      @lanodan That is a good distinction, but even integrated is too much of a security compromise for me to be able to recommend it to anyone.

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 20-Oct-2023 06:03:14 JST
      @privacybrowser You're 100% missing the point here, I don't use cloud shit nor would advertise for it.
    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 06:03:15 JST, in reply to Haelwenn /элвэн/ :triskell:

      @lanodan Secure passwords look like this:

      1. Length is far more important for entropy than characters that are hard to remember or type. Think https://xkcd.com/936/

      2. Choose passwords that are unique and that you can easily remember. For example, if you think Microsoft or Google or Apple is the great evil, then your password for that site might be the following, including the spaces and punctuation.

      Google is the great evil.

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 20-Oct-2023 06:07:46 JST
      @privacybrowser
      > If you use the site frequently, you will not need to reference the password manager frequently.

      You're joking here, right? That's based on keeping things like cookies/object-storage/… all the time, aka tracking.
      While depending on a password manager instead means you actively control what is stored on your machine.
    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 06:07:47 JST, in reply to Haelwenn /элвэн/ :triskell:

      @lanodan
      3. Put that password in your password manager. If you use the site frequently, you will not need to reference the password manager frequently. But, if for some reason you forget, you can open the password manager and remind yourself.

      4. Because you can type this password easily, you don't need to use copy/paste (which can be compromised) or an integration with the browser (which can be compromised) to input it. You can just type it.

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 20-Oct-2023 06:16:51 JST
      @privacybrowser You should always avoid typing a password or other sensitive data into a URL you typed yourself: https://en.wikipedia.org/wiki/Typosquatting
    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 06:16:52 JST, in reply to Haelwenn /элвэн/ :triskell:

      @lanodan If you are typing a password into a website, it better be because you typed the URL or loaded it from your own bookmark.

      If you go back to the original article, it was about someone downloading a compromised version of KeePass from an invalid website (ironic in the context of a discussion of password managers). KeePass is what I use myself, but I don't tend to find their website through a Google ad before initiating the download.

    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 06:26:27 JST, in reply to Haelwenn /элвэн/ :triskell:

      @lanodan 😂 We are just going to have to agree to disagree. Personally, any programmatic integration of a password manager into the web browser is a much more likely vector of attack and one that I am unable to recommend to anyone.

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 20-Oct-2023 06:26:27 JST
      @privacybrowser Fine.

      Would just say there's one that's a widespread vector of attack (typosquatting) which has been effective and used for decades, and not really fixable unless you're using other methods.
      Meanwhile, password manager integration is rarely if ever something that gets compromised (especially given good password managers, where you need user interaction and/or explicit consent for querying data).
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 20-Oct-2023 06:30:57 JST
      @privacybrowser For this particular case you're giving a *new* password (right?), not an existing one, so you're not leaking anything.
    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 06:30:58 JST, in reply to Haelwenn /элвэн/ :triskell:

      @lanodan How exactly would you recommend going to a new website, creating an account, and typing in the password without some version of typing the URL for the website where you want to create an account? I fail to see how any password manager is going to do this for you.

    • Soren Stoutner (privacybrowser@fosstodon.org)'s status on Friday, 20-Oct-2023 06:33:58 JST, in reply to Haelwenn /элвэн/ :triskell:

      @lanodan So, use bookmarks to access sites where you already have accounts and type the URL yourself for new sites where you want to create accounts. None of that needs password manager integration and all the potential security and privacy pitfalls that entails.

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 20-Oct-2023 06:33:58 JST
      @privacybrowser Sadly you can't always use bookmarks, for example email verification links.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.