GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE

  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    bert hubert 🇺🇦🇪🇺 (bert_hubert@fosstodon.org)'s status on Friday, 24-Jan-2025 02:23:19 JST bert hubert 🇺🇦🇪🇺 bert hubert 🇺🇦🇪🇺

    Yesterday a user told me they couldn't log in to my parliamentary monitoring site. On investigating, I found that Microsoft email security was logging in on behalf of my user by executing a POST. This broke the single-use sign-on link. Executing POSTs is usually considered unacceptable, and in this way Microsoft again transgresses an important norm. Here's how to deal with the specific POST problem & what might be done about these transgressions in general:
    https://berthub.eu/articles/posts/shifting-cyber-norms-microsoft-post/

    In conversation about a month ago from fosstodon.org permalink

    Attachments

    1. Domain not in remote thumbnail source whitelist: berthub.eu
      Shifting Cyber Norms: Microsoft security POST-ing to you - Bert Hubert's writings
      tl;dr: Microsoft and other email security scanners will visit the links in email you transmit, and run the JavaScript in those links, including calls that lead to POSTs going out. This used to be unacceptable, since POSTs have side effects. Yet here we are. This breaks even somewhat sophisticated single-use sign-on / email confirmation messages. Read on for how to deal with this, and some thoughts on how we should treat gatekeepers like Microsoft that can randomly break things & get away with it.
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Saturday, 25-Jan-2025 16:59:59 JST Rich Felker Rich Felker
      in reply to

      @bert_hubert You're nowhere near harsh enough on the "changing norms" that are direct violations of consent and entirely one-sided, not agreed upon by parties on both sides.

      In conversation about a month ago permalink
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Saturday, 25-Jan-2025 17:01:24 JST Rich Felker Rich Felker
      in reply to

      @bert_hubert In your specific example here, Microsoft should be criminally prosecuted in US under CFAA, for using someone else's credentials to log in without authorization.

      In conversation about a month ago permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.