Closing the open redirect vulnerability in the Libravatar ecosystem
I found an open redirect vulnerability in the Libravatar specification. An open-source avatar hosting API could be abused to redirect to untrusted websites.
Security
Security issues, thoughts about IT security, and measures you can take to protect your devices.
Patch origin trust vs GitHub’s URL hierarchy
Opening a pull request is all it takes to get a GitHub patch URL that’s indistinguishable from patches/commits that are a part of an open-source GitHub project.
Your clipboard is only as secure as your device
A review/critique of the complexity, security, and unpredictable user experience of modern feature-laden copy–paste clipboards in today’s operating systems.
Superfeedr sends logins in plain-text (a HSTS case study)
Superfeedr tried securing its website with HTTPS and HSTS, but failed to apply it correctly. User emails and credentials are sent in plain-text on the first login.
The entirely predictable problems with the Vulnonym naming scheme
An automated naming scheme intended to rid the security research field of “sensational names” predictably creates sensational, ambiguous, and suggestive names.
TeamViewer RPM repo left door open for malicious packages
A configuration error made the TeamViewer RPM repository vulnerable to an attacker-in-the-middle substituting TeamViewer with its own GPG keys and software.
Google Authenticator enables device-transfers, but no export options
Two-factor authentication requires users to commit to storing a secret code indefinitely. Popular apps lack tools to back up and data transfer those secrets.
How to back up your password manager
Plan for the day your password manager stops working. Even if it’s a cloud service! Backing up your password manager is harder that it sounds.
Limit the impact of a security intrusion with systemd directives
OpenSMTPD recently had a critical remote code execution vulnerability. I look at how you can limit impact with systemd-service security directives.
Email politics, security, and why you got an empty newsletter
Feb 2020 was full of email vows, both in the larger world and for the Ctrl blog newsletter. What happened and why you got an empty blog newsletter this week.
systemd service sandboxing and security hardening 101
The systemd-analyze security command gives your systemd service units an automated security rating. This is a good starting point for security hardening.
Firefox contained in Flatpak vs Snap comparison
A comparison of features, security, performance, and limitations of Firefox browser running in isolated sandboxes provided by Flatpak vs. Snap.
Mitigate “tabnabbing” without breaking window.open() features
Windows opened from your website can redirect the opening tab to a new destination. Mitigations break window.open() functionality like sizing and positioning.
How to switch firewalls from FirewallD to UFW
A quick tutorial for migrating from FirewallD and getting started with the Uncomplicated Firewall (UFW.) Both are front ends for Linux’s iptables firewall.
Why my 7-year old Windows 10 laptop became unbearably slow
My aging PC’s processor didn’t support a new Windows 10 security feature, enabled by default, causing it to become slow and unstable.
Feitian MultiPass recall highlights need to use multiple security keys
The recall of the Feitian MultiPass FIDO security key demonstrates why you always should use multiple security key products from different vendors.
How quickly do Firefox derived browsers receive security updates
A case study in how timely Firefox derived web browsers (Waterfox, Cliqz, Pale Moon, and Tor) ship critical security updates.
What’s with the tech media’s obsession with VPN services
VPN providers are good advertisers and also pay good money to make even [formerly] reputable tech media websites “recommend” their services.
ProtonMail vs Mailbox.org comparison
Comparison review of the two secure PGP-oriented email providers ProtonMail vs Mailbox.org. A huge price discrepancy for the same service.
6 places to report phishing emails and websites
Here are 6 services you can report malware websites and phishing emails to help make the internet a safer place for everyone.