fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
#padlock

t42 IoT Solutions<p>After a year of POC, a leading <a href="https://mas.to/tags/pharmaceutical" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pharmaceutical</span></a> company has selected Lokies smart <a href="https://mas.to/tags/padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>padlock</span></a> as their go-to solution for multiple applications. The first units have been delivered - and the feedback is outstanding!</p><p><a href="https://mas.to/tags/smartlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>smartlock</span></a> <a href="https://mas.to/tags/iot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iot</span></a> <a href="https://mas.to/tags/pharma" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pharma</span></a> <a href="https://mas.to/tags/innovation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>innovation</span></a></p>
Brent SleeperOpen pipe (padlocks).<br> <br> <a href="https://pixelfed.social/discover/tags/Industrial?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Industrial</a> <a href="https://pixelfed.social/discover/tags/Utilities?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Utilities</a> <a href="https://pixelfed.social/discover/tags/Padlock?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Padlock</a> <a href="https://pixelfed.social/discover/tags/Color?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Color</a> <a href="https://pixelfed.social/discover/tags/Red?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Red</a> <a href="https://pixelfed.social/discover/tags/Green?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Green</a> <a href="https://pixelfed.social/discover/tags/Gray?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Gray</a> <a href="https://pixelfed.social/discover/tags/SFSU?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#SFSU</a> <a href="https://pixelfed.social/discover/tags/SanFrancisco?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#SanFrancisco</a>
A Fool And His Fuji<p>Locking Nothing</p><p>Don't think this will ever open again</p><p>Lens: Viltrox 13mm f/1.4 XF Wide Angle on the Fuji X-T30</p><p><a href="https://c.im/tags/cumbria" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cumbria</span></a> <a href="https://c.im/tags/fujifilm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>fujifilm</span></a> <a href="https://c.im/tags/photography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>photography</span></a> <a href="https://c.im/tags/photographer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>photographer</span></a> <a href="https://c.im/tags/maryport" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>maryport</span></a> <a href="https://c.im/tags/landscapephotography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>landscapephotography</span></a> <a href="https://c.im/tags/lakedistrict" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lakedistrict</span></a> <a href="https://c.im/tags/coast" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>coast</span></a> <a href="https://c.im/tags/seashore" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>seashore</span></a> <a href="https://c.im/tags/promenade" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>promenade</span></a> <a href="https://c.im/tags/viltrox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>viltrox</span></a> <a href="https://c.im/tags/naturephotography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>naturephotography</span></a> <a href="https://c.im/tags/nature" class="mention hashtag" rel="nofollow noopener noreferrer" 
target="_blank">#<span>nature</span></a> <a href="https://c.im/tags/monochrome" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>monochrome</span></a> <a href="https://c.im/tags/blackandwhitephotography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>blackandwhitephotography</span></a> <a href="https://c.im/tags/padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>padlock</span></a></p>
CTD<p>60mm</p><p><a href="https://mastodon.social/tags/padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>padlock</span></a></p>
foncu I don't know if you know it, but today is <a href="https://pixelfed.social/discover/tags/martesDeBarbas?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#martesDeBarbas</a> on <a href="https://pixelfed.social/discover/tags/Mastodon?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Mastodon</a>. And since <a href="https://pixelfed.social/discover/tags/Pixelfed?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Pixelfed</a> federates with the rest of the <a href="https://pixelfed.social/discover/tags/fediverso?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#fediverso</a>, today you have two photos to look at. <br> <br> <a href="https://pixelfed.social/discover/tags/gaybeard?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#gaybeard</a> <a href="https://pixelfed.social/discover/tags/padlock?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#padlock</a> <a href="https://pixelfed.social/discover/tags/collar?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#collar</a> <a href="https://pixelfed.social/discover/tags/attitude?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#attitude</a> <a href="https://pixelfed.social/discover/tags/whysoserious?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#whysoserious</a> <a href="https://pixelfed.social/discover/tags/iykyk?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#iykyk</a>
Adam Trickett :debian: :kde:<p>Mono cylinders</p><p><a href="https://www.blipfoto.com/entry/3328833076288556418" target="_blank" rel="nofollow noopener noreferrer" translate="no"><span class="invisible">https://www.</span><span class="ellipsis">blipfoto.com/entry/33288330762</span><span class="invisible">88556418</span></a></p><p><a href="https://fosstodon.org/tags/blip" class="mention hashtag" rel="tag">#<span>blip</span></a> <a href="https://fosstodon.org/tags/blipfoto" class="mention hashtag" rel="tag">#<span>blipfoto</span></a> <a href="https://fosstodon.org/tags/gimp" class="mention hashtag" rel="tag">#<span>gimp</span></a> <a href="https://fosstodon.org/tags/rawtherapee" class="mention hashtag" rel="tag">#<span>rawtherapee</span></a> <a href="https://fosstodon.org/tags/photography" class="mention hashtag" rel="tag">#<span>photography</span></a> <a href="https://fosstodon.org/tags/ilforddelta100" class="mention hashtag" rel="tag">#<span>ilforddelta100</span></a> <a href="https://fosstodon.org/tags/monochrome" class="mention hashtag" rel="tag">#<span>monochrome</span></a> <a href="https://fosstodon.org/tags/padlock" class="mention hashtag" rel="tag">#<span>padlock</span></a> <a href="https://fosstodon.org/tags/combination" class="mention hashtag" rel="tag">#<span>combination</span></a></p>
TechHelpKB.com 📚<p>The security padlock icon’s meaning has been synonymous with website security for 30+ years. See which browsers still use the padlock symbol in front of the URL and which ones have traded it in.</p><p><a href="https://mastodon.social/tags/browser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>browser</span></a> <a href="https://mastodon.social/tags/website" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>website</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/safety" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>safety</span></a> <a href="https://mastodon.social/tags/padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>padlock</span></a> <br><a href="https://www.thesslstore.com/blog/which-browsers-still-use-the-security-padlock-icon/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">thesslstore.com/blog/which-bro</span><span class="invisible">wsers-still-use-the-security-padlock-icon/</span></a></p>
Dave J<p>Back from the dead: Scientists rebuild the <a href="https://dice.camp/tags/face" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>face</span></a> of 400-year-old <a href="https://dice.camp/tags/Polish" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Polish</span></a> '<a href="https://dice.camp/tags/vampire" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>vampire</span></a>'. A team of scientists has reconstructed <a href="https://dice.camp/tags/Zosia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Zosia</span></a>’s face, revealing the human story buried by supernatural beliefs in an unmarked <a href="https://dice.camp/tags/cemetery" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cemetery</span></a> in <a href="https://dice.camp/tags/Pien" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Pien</span></a>, northern <a href="https://dice.camp/tags/Poland" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Poland</span></a>. 
<a href="https://www.nbcnews.com/news/world/scientists-rebuild-face-400-year-old-polish-vampire-zosia-rcna178176" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">nbcnews.com/news/world/scienti</span><span class="invisible">sts-rebuild-face-400-year-old-polish-vampire-zosia-rcna178176</span></a> <a href="https://dice.camp/tags/science" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>science</span></a> <a href="https://dice.camp/tags/archaeology" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>archaeology</span></a> <a href="https://dice.camp/tags/archeology" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>archeology</span></a> <a href="https://dice.camp/tags/reconstruction" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>reconstruction</span></a> <a href="https://dice.camp/tags/anthropology" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>anthropology</span></a> <a href="https://dice.camp/tags/burial" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>burial</span></a> <a href="https://dice.camp/tags/superstition" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>superstition</span></a> <a href="https://dice.camp/tags/sickle" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sickle</span></a> <a href="https://dice.camp/tags/padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>padlock</span></a></p>
zimpenfishNew <a class="hashtag" href="https://social.rjp.is/tag/padlock" rel="nofollow noopener noreferrer" target="_blank">#padlock</a><br><br>/via <a href="https://instagr.am/p/DBs8GSdojSt/" rel="nofollow noopener noreferrer" target="_blank">https://instagr.am/p/DBs8GSdojSt/</a><br><br><a class="hashtag" href="https://social.rjp.is/tag/ifttt" rel="nofollow noopener noreferrer" target="_blank">#ifttt</a> <a class="hashtag" href="https://social.rjp.is/tag/automated" rel="nofollow noopener noreferrer" target="_blank">#automated</a>
Husdur<p>My first-ish try into pixelart for kinktober/inktober challenge.<br>So far I like it OwO<br><a href="https://thicc.horse/tags/anthro" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>anthro</span></a> <a href="https://thicc.horse/tags/pony" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pony</span></a> <a href="https://thicc.horse/tags/unicorn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>unicorn</span></a> <a href="https://thicc.horse/tags/pixelart" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pixelart</span></a> <a href="https://thicc.horse/tags/monochrome" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>monochrome</span></a> <a href="https://thicc.horse/tags/kinktober" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>kinktober</span></a> <a href="https://thicc.horse/tags/chastitycage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>chastitycage</span></a> <a href="https://thicc.horse/tags/backpack" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>backpack</span></a> <a href="https://thicc.horse/tags/sextoy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sextoy</span></a> <a href="https://thicc.horse/tags/buttplug" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>buttplug</span></a> <a href="https://thicc.horse/tags/leashedcollar" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>leashedcollar</span></a> <a href="https://thicc.horse/tags/leash" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>leash</span></a> <a href="https://thicc.horse/tags/tiedleash" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>tiedleash</span></a> 
<a href="https://thicc.horse/tags/selfbondage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>selfbondage</span></a> <a href="https://thicc.horse/tags/padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>padlock</span></a> <a href="https://thicc.horse/tags/lookingatviewer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lookingatviewer</span></a> <a href="https://thicc.horse/tags/lookingback" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>lookingback</span></a> <a href="https://thicc.horse/tags/male" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>male</span></a> <a href="https://thicc.horse/tags/girly" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>girly</span></a></p>
Erik van Straten<p>Meanwhile people at Mozilla started working to fix this vulnerability; that's good.</p><p>What I dislike is that the vulnerability was ignored until I started making public noise.</p><p>And that, instead of saying "sorry we kept internet users at risk, we were busy fixing other things we thought were more important", in a long reaction the vulnerability is downplayed because *they* see no way how this could be abused (Jen Easterly is right: <a href="https://www.theregister.com/2024/09/20/cisa_sloppy_vendors_cybercrime_villains/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">theregister.com/2024/09/20/cis</span><span class="invisible">a_sloppy_vendors_cybercrime_villains/</span></a>).</p><p>How about that I no longer trust Firefox's padlock?</p><p>I'll wait a bit with publishing a full, detailed, PoC.</p><p><span class="h-card" translate="no"><a href="https://mozilla.social/@mozilla" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>mozilla</span></a></span> </p><p><a href="https://infosec.exchange/tags/padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>padlock</span></a> <a href="https://infosec.exchange/tags/FirefoxIOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FirefoxIOS</span></a> <a href="https://infosec.exchange/tags/https" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>https</span></a> <a href="https://infosec.exchange/tags/trust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>trust</span></a></p>
Erik van Straten<p>After Gavin (<span class="h-card" translate="no"><a href="https://fosstodon.org/@_calmdowndear" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>_calmdowndear</span></a></span> ) asked about password managers checking and warning for http connections, I did some tests; see <a href="https://infosec.exchange/@ErikvanStraten/113183533717083748" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113183533717083748</span></a>.</p><p>In addition to those and my original test, in the email to myself I replaced "example.com" by both:</p><p>http:⧸⧸192.168.178.1 (*)<br>and <br>https:⧸⧸192.168.178.1 (*)</p><p>(*) I'm using the Unicode '⧸' here instead of ASCII '/' to prevent Mastodon from hiding the protocol prefix (and turning it into a clickable link).</p><p>If I follow the instructions in the email (fully close Firefox) and tap http:⧸⧸192.168.178.1 , then I (erroneously) get to see the padlock without strike through.</p><p>I can then use the iOS autofill function to fill in the password without being warned that an http connection is being used. 
Even after autofilling the password, Firefox has not changed the padlock as can be seen in the left screenshot below.</p><p>OTOH, if I follow the instructions in the mail but tap https:⧸⧸192.168.178.1 instead (and then tap "Advanced"), I *do* get warned because a self signed certificate is being used (see the screenshot at the right).</p><p><span class="h-card" translate="no"><a href="https://chaos.social/@brahms" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>brahms</span></a></span> <br><span class="h-card" translate="no"><a href="https://mozilla.social/@mozilla" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>mozilla</span></a></span> </p><p><a href="https://infosec.exchange/tags/FirefoxIOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FirefoxIOS</span></a> <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vulnerability</span></a> <a href="https://infosec.exchange/tags/Mozilla" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mozilla</span></a> <a href="https://infosec.exchange/tags/Bugzilla" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Bugzilla</span></a> <a href="https://infosec.exchange/tags/FullDisclosure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FullDisclosure</span></a> <a href="https://infosec.exchange/tags/Padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Padlock</span></a> <a href="https://infosec.exchange/tags/httpvshttps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpvshttps</span></a> <a href="https://infosec.exchange/tags/RFC1918" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RFC1918</span></a> <a href="https://infosec.exchange/tags/AVM" 
class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AVM</span></a> <a href="https://infosec.exchange/tags/FritzBox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FritzBox</span></a> <a href="https://infosec.exchange/tags/HomeRouter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HomeRouter</span></a> <a href="https://infosec.exchange/tags/IOT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOT</span></a></p>
Erik van Straten<p>Firefox iOS vulnerability</p><p>Nearly three months ago I reported a vulnerability in Firefox for iOS to Mozilla (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1904885" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bugzilla.mozilla.org/show_bug.</span><span class="invisible">cgi?id=1904885</span></a>) - it remains unfixed while my "bumps" do not seem to wake anyone up (yes that's frustrating - and I encounter that everywhere).</p><p>🔹 VULNERABILITY<br>The vulnerability appears to be that if Firefox is opened with an http link "on the command line", while the last page open was using https, it gets confused and erroneously shows a https padlock for an http website.</p><p>🔹 CONDITIONS TO REPRODUCE<br>It's easy to reproduce, provided that:</p><p>• Firefox is configured as your default browser (on iOS or iPadOS)</p><p>• You use an app to read emails that is not web-based (Apple's mail app works fine).</p><p>🔹 REPRODUCE VIA MAIL<br>One way to reproduce is to send yourself a ("phishing") email with the following instructions:</p><p>«<br>1) Tap bleepingcomputer.com to open it;</p><p>2) For security reasons (XSS attacks etc.), now close Firefox (make sure to swipe its window off screen);</p><p>3) Tap example.com to open it.<br>»</p><p>(Instead of example.com you can use any website that does not automatically forward your browser to an https connection to the website, such as <a href="http://http.badssl.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">http://</span><span class="">http.badssl.com</span><span class="invisible"></span></a>).</p><p>🔹 SYMPTOMS<br>Firefox for iOS now reopens, shows "example.com/" in the address bar *and* a padlock icon indicating an https connection.</p><p>However, it is NOT using an https connection, but http. 
The padlock is not trustworthy.</p><p>🔹 PICS OR IT AINT SO<br>See the screenshots below: the second one is after tapping the padlock icon (or tap in the address bar to see the -selected- URL start with http://).</p><p>🔹 FULL POC<br>Since it's not yet 90 days ago (but rather 88) I'll wait a bit with publishing a full phishing PoC.</p><p><span class="h-card" translate="no"><a href="https://mozilla.social/@mozilla" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>mozilla</span></a></span> </p><p><a href="https://infosec.exchange/tags/FirefoxIOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FirefoxIOS</span></a> <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Vulnerability</span></a> <a href="https://infosec.exchange/tags/Mozilla" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Mozilla</span></a> <a href="https://infosec.exchange/tags/Bugzilla" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Bugzilla</span></a> <a href="https://infosec.exchange/tags/FullDisclosure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FullDisclosure</span></a> <a href="https://infosec.exchange/tags/Padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Padlock</span></a> <a href="https://infosec.exchange/tags/httpvshttps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpvshttps</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/PhishingRisk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PhishingRisk</span></a></p>
SusiBreak your chains. <br> <br> <br> <a href="https://pixelfed.de/discover/tags/rust?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#rust</a> <a href="https://pixelfed.de/discover/tags/rusty?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#rusty</a> <a href="https://pixelfed.de/discover/tags/chains?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#chains</a> <a href="https://pixelfed.de/discover/tags/padlock?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#padlock</a> <a href="https://pixelfed.de/discover/tags/withered?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#withered</a> <a href="https://pixelfed.de/discover/tags/decay?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#decay</a> <a href="https://pixelfed.de/discover/tags/thebeautyofdecay?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#thebeautyofdecay</a>
Erik van Straten<p>Why https instead of http?</p><p>Two reasons, most important first:</p><p>(1) The server is authenticated;</p><p>(2) The connection between the browser and the server is encrypted and checked for changes to the data exchanged.</p><p>Why is (1) most important? Because, with https, you can be reasonably sure that your browser has an impenetrable and unreadable (exchanged bytes are readable, but they make no sense because the data is encrypted) E2EE {1} connection with a server of which the DN (domain name {2}) is shown in the address bar of your browser {3}.</p><p>And *that* is most important, because if you don't want to exchange data with cybercriminals, the *first* thing to do is to make sure that the server your browser is connected to, is not *owned* by cybercriminals or anyone who wants to misinform you. Therefore, server-authentication comes first.</p><p>Why is (2) important? Once you're sure that (1) is okay, you don't want anyone to be able to sniff (read unencrypted data) from the connection, remove part of or change the exchanged data (on the fly), or redirect/hijack the connection to another server; https prevents all of this. Note that this protection is limited to the connection between the two E2EE endpoints only!</p><p>{1} E2EE: End to End Encrypted - in such a way that AitM {4} attacks are virtually impossible.</p><p>{2} DN = Domain name, simplified: a human readable, worldwide unique, alias of the IP-address of a server. Examples: "infosec.exchange", "www.google.com". Although *valid* DN's may consist only of a combination of:<br>• characters 'a' .. 'z' (lowercase only)<br>• character '-' (minus)<br>• subdomain separator char '.' 
(dot)<br>a lot of confusion is caused by, among other things, IDN's (International Domain Names) and apparent DN's that include a user-ID (and optionally a password), such as in "user:pw@DN" or "user@DN" which can be misleading, like in "https:⁄⁄microsoft.com@phishme.co".<br>See <a href="https://en.wikipedia.org/wiki/Domain_name" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">en.wikipedia.org/wiki/Domain_n</span><span class="invisible">ame</span></a> for more info.</p><p>{3} Most important preconditions: you did not see any certificate warnings or errors, no Certificate Services Provider (trusted by your browser) has submitted an illegal certificate to the server, the server's private key is not compromised, you've not installed an untrustworthy root certificate on your device and none of your device's OS, browser and plug-ins are compromised.</p><p>{4} AitM or MitM: Attacker/Man in the Middle. Unless a server's private key is compromised, it is virtually impossible for an external attacker to intercept, redirect, or break open a server-authenticated https (E2EE {1}) connection.</p><p>————————<br>| WARNINGS |<br>————————</p><p>*YOUR* problems UNSOLVED by https:</p><p>(a) You'll have to make sure that YOUR endpoint of the https connection is trustworthy (e.g. you've not accidentally installed AitM {4} malware or software such as AnyDesk), and you don't let an untrustworthy person use your device. Also see the end of {3}.</p><p>(b) Even if some Certificate Authorities advertise "secure site" nonsense, https has exactly *NOTHING* to do with the trustworthiness of websites, their owners or anyone who has (or illegally obtains) access to a (https) server endpoint - or whatever lies behind that.</p><p>(c) You'll have to somehow figure out who *right now* owns the DN shown in the address bar of your browser. That may be impossible if a DN ends in, for example, "pages.dev", ".dns-dynamic.net" or "my.id" (.id is for Indonesia).</p><p>(d) Next, somehow you'll have to figure out how *trustworthy* that owner is (BTW, in offline life this is exactly the same). Usually that is an assumption based on reputation. How reliable is that person or organization? How well do they protect their server(s)? Will they sell and/or share your data with other parties? Do they help you if you lose access to your account? How trustworthy are any hosters or CDN's that are being used, such as Amazon, Cloudflare and Fastly {5}?</p><p>{5} W.r.t. Fastly, for example, check the 100 DN's below "X509v3 Subject Alternative Name:" in <a href="https://crt.sh/?id=13044029379" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">crt.sh/?id=13044029379</span><span class="invisible"></span></a>. Note that Fastly reuses a few public keys in *many* certificates like that one. The server endpoint of your https connection may be one of *many* Fastly servers, *NOT* the actual server that you've been made to believe that your browser is connected to. 
You have no idea how secure anything is between Fastly's proxy server(s) and the *actual* server.</p><p><a href="https://infosec.exchange/tags/Padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Padlock</span></a> <a href="https://infosec.exchange/tags/http" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>http</span></a> <a href="https://infosec.exchange/tags/https" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>https</span></a> <a href="https://infosec.exchange/tags/httpvshttps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpvshttps</span></a> <a href="https://infosec.exchange/tags/httpsvshttp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpsvshttp</span></a> <a href="https://infosec.exchange/tags/TLS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TLS</span></a> <a href="https://infosec.exchange/tags/ServerAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ServerAuthentication</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/Trust" class="mention 
hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Trust</span></a> <a href="https://infosec.exchange/tags/Trustworthy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Trustworthy</span></a> <a href="https://infosec.exchange/tags/Trustworthyness" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Trustworthyness</span></a> <a href="https://infosec.exchange/tags/CDN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CDN</span></a> <a href="https://infosec.exchange/tags/Amazon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Amazon</span></a> <a href="https://infosec.exchange/tags/Cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cloud</span></a> <a href="https://infosec.exchange/tags/Cloudservices" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cloudservices</span></a> <a href="https://infosec.exchange/tags/Hosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Hosting</span></a> <a href="https://infosec.exchange/tags/Hosters" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Hosters</span></a> <a href="https://infosec.exchange/tags/CloudFlare" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CloudFlare</span></a> <a href="https://infosec.exchange/tags/Fastly" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fastly</span></a></p>
Erik van Straten<p>Firefox iOS: https padlock unreliable</p><p>Please confirm if you can reproduce this!</p><p>Full report: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1904885" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bugzilla.mozilla.org/show_bug.</span><span class="invisible">cgi?id=1904885</span></a></p><p>To reproduce: in Firefox (iOS/iPadOS), have at least one tab open showing a site with an https connection (such as <a href="https://infosec.exchange" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">infosec.exchange</span><span class="invisible"></span></a>); then close Firefox.</p><p>Next, *share* an http link to Firefox (causing it to start and open the link).</p><p>For example, with Firefox still closed, open <a href="http://http.badssl.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">http://</span><span class="">http.badssl.com</span><span class="invisible"></span></a> in Safari, and share the link to Firefox (see the screenshot below). Tap the padlock (or tap in the address bar) to see that the padlock should have been struck through.</p><p>Alternatively (+): configure Firefox to be the default browser. 
Send yourself an email with one or more http links (to sites that do not automatically redirect the browser to https), such as <a href="http://www.example.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">http://www.</span><span class="">example.com</span><span class="invisible"></span></a>.</p><p>Don't forget to restore the vulnerable situation: in Firefox, open only <a href="https://mozilla.org" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">mozilla.org</span><span class="invisible"></span></a>; then close Firefox.</p><p>Now open the email and tap one of the http links. Firefox starts, opens the http link and shows the padlock without strikethrough, as if it were an https link.</p><p>(+) Most risky scenario. Why? See my first reply to this toot.</p><p>Tested vulnerable:<br>• iOS (v17.5.1): Firefox v126, v127.0, v127.1<br>• iPadOS (16.7.8): Firefox v127.0</p><p><a href="https://infosec.exchange/tags/Firefox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Firefox</span></a> <a href="https://infosec.exchange/tags/FirefoxiOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FirefoxiOS</span></a> <a href="https://infosec.exchange/tags/Padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Padlock</span></a> <a href="https://infosec.exchange/tags/http" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>http</span></a> <a href="https://infosec.exchange/tags/https" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>https</span></a> <a href="https://infosec.exchange/tags/httpvshttps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpvshttps</span></a> <a href="https://infosec.exchange/tags/httpsvshttp" class="mention hashtag" rel="nofollow noopener 
noreferrer" target="_blank">#<span>httpsvshttp</span></a> <a href="https://infosec.exchange/tags/TLS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TLS</span></a> <a href="https://infosec.exchange/tags/ServerAuthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ServerAuthentication</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/MozillaFirefoxiOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MozillaFirefoxiOS</span></a></p>
CTD<p>Lock of the morning. </p><p><a href="https://mastodon.social/tags/padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>padlock</span></a></p>
zimpenfishFederal 601HE <a class="hashtag" href="https://social.rjp.is/tag/padlock" rel="nofollow noopener noreferrer" target="_blank">#padlock</a><br><br> /via <a href="https://instagr.am/p/C8U-SjJIM2q/" rel="nofollow noopener noreferrer" target="_blank">https://instagr.am/p/C8U-SjJIM2q/</a> <a class="hashtag" href="https://social.rjp.is/tag/ifttt" rel="nofollow noopener noreferrer" target="_blank">#ifttt</a> <a class="hashtag" href="https://social.rjp.is/tag/automated" rel="nofollow noopener noreferrer" target="_blank">#automated</a>
CTD<p>No. 14</p><p><a href="https://mastodon.social/tags/padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>padlock</span></a><br><a href="https://mastodon.social/tags/padlocks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>padlocks</span></a></p>
CTD<p>Made in England. FB</p><p><a href="https://mastodon.social/tags/padlock" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>padlock</span></a></p>