GNU social JP is a Japanese GNU social server.
Conversation

Notices

    Jan Wildeboer 😷 (jwildeboer@social.wildeboer.net)'s status on Sunday, 19-Jan-2025 23:09:50 JST, in reply to Ricky Mondello

    @rmondello First: collect some facts.

    - Does DNS work? Simply ping your hostname from a machine that is tethered to your mobile device and see if it gets the correct IP address back.
    - Try a trace to see if it is a connectivity problem and where the problem starts (not perfectly reliable, but helps a lot): tracert IP-ADDRESS
    - Make sure there are no other firewalls or "security" software packages involved on either your machine or the mobile device.

    With that you should know more.

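The fact-collecting steps above (does the name resolve to the right address, does the host answer) as a small script. This is an added example, not code from the thread. It goes one step beyond the post: it tests TCP 443 and 80 separately, because a path that blocks 443 while 80 still answers is the situation in which a browser without HTTPS-only mode quietly lands on plain http. The trace step is left to the OS tool (tracert/traceroute). The host name, the 203.0.113.x/198.51.100.x addresses and the fake resolver/connector in the offline checks are constructed for illustration.

```python
"""Reachability triage for a host that "seems unreachable": resolve the
name, compare it with the address the operator expects, then probe
TCP 443 and 80 separately. Added example; not code from the thread."""
import socket
import sys
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]
Connector = Callable[[str, int], bool]


def resolve_addresses(host: str) -> List[str]:
    """Addresses the local resolver returns for host (empty if lookup fails)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(host: str, expected_ips: Iterable[str],
           resolve: Resolver = resolve_addresses,
           connect: Connector = tcp_connect) -> Dict[str, object]:
    """Classify why the host seems unreachable.

    expected_ips: what the authoritative zone should answer, so a stale or
    tampered resolver answer is reported as a DNS problem rather than a
    connectivity one. resolve/connect are injectable so the decision logic
    can be exercised offline with fakes.
    """
    expected = set(expected_ips)
    answers = resolve(host)
    findings: List[str] = []
    if not answers:
        verdict = "dns-failure"
        findings.append("name does not resolve at all")
    else:
        matches = [a for a in answers if a in expected]
        if not matches:
            verdict = "dns-mismatch"
            findings.append(f"resolver answered {answers}, expected one of {sorted(expected)}")
        else:
            ip = matches[0]
            https_ok = connect(ip, 443)
            http_ok = connect(ip, 80)
            if https_ok and http_ok:
                verdict = "reachable"
            elif https_ok:
                verdict = "reachable-https-only"
                findings.append("TCP 80 closed; fine as long as nobody hands out http:// links")
            elif http_ok:
                # The case that matters for HTTPS-first browsers: 443 is cut,
                # 80 still answers, and a browser without HTTPS-only mode
                # falls back to plaintext without asking.
                verdict = "downgrade-risk"
                findings.append("TCP 443 blocked but 80 open: an HTTPS-first browser "
                                "would silently fall back to http://")
            else:
                verdict = "unreachable"
                findings.append("DNS is fine but neither 443 nor 80 answers: "
                                "routing, firewall or host-side problem")
    return {"host": host, "resolved": answers, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # usage: python triage.py HOSTNAME EXPECTED_IP [EXPECTED_IP ...]
    print(triage(sys.argv[1], sys.argv[2:]))
```

Run it once from the tethered machine and once from a known-good network; a verdict that differs between the two points at the mobile path rather than at the host.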
      Erik van Straten (erikvanstraten@infosec.exchange)'s status on Monday, 20-Jan-2025 01:38:10 JST, in reply to Ricky Mondello

      In a post that disappeared, @jwildeboer wrote:

      "@rmondello I do note that when I open mondello.com in my browser, I get a placeholder page that is http only, no https. This would be a reason that it *seems* that it is unreachable, because many browsers nowadays refuse to open sites without https."

      Unfortunately, that is *not* true. Browsers unnecessarily make the internet LESS SAFE. IT'S CRAZY!

      *Some* browsers will try https first when you type http:⧸⧸mondello.com (use // instead of the ⧸⧸ I used to prevent Mastodon from showing http://). So far, so good.

      However, if an AitM (Attacker in the Middle, such as on public WiFi) blocks traffic from your browser to TCP port 443 (https) on the server, the browser will *silently* try port 80 (http). Pwned.

      This may happen in practice, for example on airports (https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/).

      Except for iOS and iPadOS, most browsers have an "https only" setting that is *OFF* by default, while its name is misleading.

      *On* means that you can still use http, but you'll have to manually agree (you can still access the http devices on your local network, or on the internet, but you will be WARNED).

      However, Chrome appears to remember exceptions FOREVER (I had to delete all browser data to make the last screenshot below. However, that also clears the browser's HSTS database).

      On iOS/iPadOS, of Safari, Edge, Firefox and Chrome, only Chrome has this option. So only Chrome provides *some* protection. People do not type "https://" in front of domain names, and most QR codes I check are insecure.

      To test: open http://http.badssl.com. Instead of immediately seeing a (red) webpage, your browser should protect you by asking whether you want to use an http connection.

      Alternative test site (non-compliant with Dutch law):
      http://gemeente.amsterdam
      (Gemeente translates to municipality).

      (Exactly that is why I wrote this, in Dutch: https://infosec.exchange/@ErikvanStraten/113855174617111536 earlier this afternoon).

      Note: Firefox on Android seems to forget "http allowed" exceptions when the browser is fully closed (good).

      @rmondello

      #httpsOnly #HSTS #httpsvshttp #iOS #iPadOS #Safari #Firefox #Edge #Chrome #Insecure #Infosec

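The post puts the blame on the browser, but a site owner can also stop the fallback from mattering: the plain-http endpoint should only ever redirect to https://, and the https response should carry a long-lived Strict-Transport-Security header so a returning browser never tries port 80 again (the HSTS database mentioned above is exactly what stores that). The assessment below is an added example, not code from the thread or from any browser; the two sample responses (an http-only placeholder page like the one Jan saw, and a correctly configured host) are constructed and describe no real site.

```python
"""Does a site leave an HTTPS-first browser a safe landing? Assess the
http response (must redirect to https://) and the https response (must
carry a valid, long-lived Strict-Transport-Security header).
Added example; not the thread's own code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # minimum max-age accepted by the HSTS preload list


@dataclass
class Response:
    status: int
    headers: Dict[str, str]


@dataclass
class Hsts:
    max_age: int
    include_subdomains: bool
    preload: bool


def header(resp: Response, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def parse_hsts(value: str) -> Optional[Hsts]:
    """Parse Strict-Transport-Security (RFC 6797 section 6.1).

    Returns None for a malformed header (missing max-age, non-numeric
    max-age, duplicated directive); browsers treat such a header as absent.
    Directive names are case-insensitive; unknown directives are ignored.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return Hsts(max_age, include_subdomains, preload)


def assess(http_resp: Response, https_resp: Optional[Response]) -> List[str]:
    """Return the problems found; an empty list means an http:// link or a
    forced fallback to port 80 still ends up on https."""
    problems: List[str] = []
    loc = header(http_resp, "Location") or ""
    if not (http_resp.status in (301, 302, 307, 308) and loc.lower().startswith("https://")):
        problems.append(f"http response is {http_resp.status} with no https:// redirect: "
                        "a browser that falls back to port 80 gets content in the clear")
    if header(http_resp, "Strict-Transport-Security") is not None:
        # RFC 6797 section 8.1: STS received over insecure transport is ignored.
        problems.append("HSTS on the plain-http response is ignored by browsers; "
                        "it has to be sent over https")
    if https_resp is None:
        problems.append("no https endpoint at all")
        return problems
    raw = header(https_resp, "Strict-Transport-Security")
    if raw is None:
        problems.append("https response lacks Strict-Transport-Security")
        return problems
    hsts = parse_hsts(raw)
    if hsts is None:
        problems.append(f"malformed Strict-Transport-Security header: {raw!r}")
    elif hsts.max_age < ONE_YEAR:
        problems.append(f"HSTS max-age {hsts.max_age} is shorter than one year")
    return problems


# Constructed samples: an http-only placeholder page, and a properly set up host.
PLACEHOLDER_HTTP = Response(200, {"Content-Type": "text/html"})
GOOD_HTTP = Response(301, {"Location": "https://www.example.test/"})
GOOD_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
```

Note that HSTS only helps on the second visit; the very first http:// request to a host that is not on the preload list is still made in the clear, which is why the browser-side setting in the post matters as well.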
      Jan Wildeboer 😷 (jwildeboer@social.wildeboer.net)'s status on Monday, 20-Jan-2025 01:38:10 JST, in reply to Ricky Mondello and Erik van Straten

      @ErikvanStraten @rmondello The reason I deleted it is that I used the wrong domain name: mondello.com where it should have been rmondello.com. You saving copy-paste from toots I deleted is a bit creepy, TBH.


GNU social JP is a social network, courtesy of the GNU social JP administrator (GNU social JP管理人). It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.