Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/sophieschmieg/statuses/113839245941174404">Sophie Schmieg (sophieschmieg@infosec.exchange)'s status on Friday, 17-Jan-2025 02:50:05 JST</a><a href="https://infosec.exchange/@sophieschmieg" title="sophieschmieg@infosec.exchange"><img src="https://gnusocial.jp/avatar/41310-48-20241001225805.webp" width="48" height="48" alt="Sophie Schmieg" style="position: absolute; left: 0; top: 0;">Sophie Schmieg</a><div><a href="https://hachyderm.io/@inthehands/113839155395823770" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/317185" title="august@macaw.social">August</a></li></ul></div></section><article><p><a href="https://hachyderm.io/@inthehands">@inthehands</a> <a href="https://macaw.social/@august">@august</a> don't forget that in the case of using a web interface, you have no guarantees that the JavaScript sent to you is the same JavaScript that was sent to someone else, or even the same that was sent to you yesterday. So if you want to target an individual, you can just ship a special version of the code that includes a line saying "and now send the private key unencrypted to the NSA", and you're unlikely to ever notice. </p><p>With downloaded apps such as signal (even signal desktop), this attack is far more difficult to pull off (but not mitigated fully if you want updates regularly)</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4386297#notice-8580838">In conversation</a><time datetime="2025-01-17T02:50:05+09:00" title="Friday, 17-Jan-2025 02:50:05 JST">about 14 days ago</time> <span>from <span><a href="https://infosec.exchange/@sophieschmieg/113839245941174404" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@sophieschmieg/113839245941174404">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Sophie Schmieg (sophieschmieg@infosec.exchange)'s status on Friday, 17-Jan-2025 02:50:05 JSTSophie Schmieg
in reply to
- Paul Cantrell
- August
@inthehands @august don't forget that in the case of using a web interface, you have no guarantees that the JavaScript sent to you is the same JavaScript that was sent to someone else, or even the same that was sent to you yesterday. So if you want to target an individual, you can just ship a special version of the code that includes a line saying "and now send the private key unencrypted to the NSA", and you're unlikely to ever notice.
With downloaded apps such as signal (even signal desktop), this attack is far more difficult to pull off (but not mitigated fully if you want updates regularly)
In conversationabout 14 days ago from infosec.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice