Channel: User Danya02 - Information Security Stack Exchange

Comment by Danya02 on Man in the middle Attack, possible even with CA...

For an example of how CAs try to defend against attacks mentioned here, Let's Encrypt now queries your server from multiple geographically-distributed locations before they will give you a certificate.

Comment by Danya02 on allow same code twice google authenticator

What do you mean by "the app considers a code valid"? The Google Authenticator app (probably others too) only shows a single code and a countdown timer, and when the timer reaches zero the code changes.

Comment by Danya02 on Security of 2FA codes in-transit

Could some kind of JS obfuscation potentially help against a passive MITM? In that case, the attacker could see the obfuscated OTPs but not use them themselves. Passive MITM could be more common, and...

Comment by Danya02 on Security of using Yubikey to derive Diceware password?

@brynk Yes, that's correct. Because of this, it seems that p is just like a compressed version of the password. I did try using p to seed a CSPRNG and then use the output of that to compile the...

Comment by Danya02 on Is using the computer for MFA safe?

Useful note: the reason that TOTP 2FA is usually done on smartphones (Google Authenticator etc.) is in part because the Android and iOS security model makes it difficult to access an app's private data...

Comment by Danya02 on Filter arbitrary code for blacklisted keywords except...

Since it's a Rust app, you could use Rhai, a natively-Rust embedded language that has Rust-ish syntax with Python-ish semantics. You can export the precise functions you'd like to provide to the user...

Comment by Danya02 on Creating bootable USB from a compromised OS. Is it safe?

@Jim That's mostly up to you to pick -- it is basically something that the theoretical replacement exploit wouldn't think to include, or wouldn't have the ability to. If I were doing it, I'd go on...

Comment by Danya02 on Is it possible to sign Git commits on a different...

Good idea, but unfortunately it doesn't work for my use case: the people I'm working for don't trust me with their code except on their PC, and I don't trust their PC.

Answer by Danya02 for What makes one random strong password more resistant to...

That depends on the brute force script. If (to use your example) we start cracking from 001 through 999, then 999 is the best option, but it's also the worst option if we start from 999 backward....

Answer by Danya02 for What if a browser does not honor the "expires"...

There are two ways to check whether Flask does indeed do this: You can take a look at the source code to see that they're using URLSafeTimedSerializer for forming the signed item, and TimedSerializer...

Answer by Danya02 for Bypass network security filters with CDN

It seems that your example is more complicated than it needs to be. For a more concrete example, GitHub Pages (*.github.io) allows domain fronting. Let's say that there is a site evil.github.io that is...

Can you sign a TLS root certificate that already exists? [duplicate]

Alice and Bob have TLS certificate authorities. My device trusts Alice's CA, and connects to servers that present a certificate rooted at Alice's CA. It does not explicitly trust Bob's CA, or the...

PGP "real" encryption with private key

When explaining the concept of signing a message, often it is presented as "encrypting with your private key", so that somebody who has the public key can "decrypt" the signature and verify it....

Answer by Danya02 for luks increase delays between password attempts

It's not a good idea to conceptualize this as a "password delay". A delay is typically added artificially by a program: for example, when iPhones prevent you from typing your password for a while,...

Is it possible to sign Git commits on a different computer?

I'm doing some development work on an untrusted computer. I'd like to sign the commits I make from it, but I don't want my personal PGP key to touch this computer. Or maybe I'm using a PGP smart card...

Answer by Danya02 for Is it possible to sign Git commits on a different...

An option that seems the closest in spirit to what I want is to set up a gpg-agent program that would delegate the actual cryptography to a human. When you use GPG to sign things, it talks to the...
