shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.
#authentication
Erik van Straten<p><span class="h-card" translate="no"><a href="https://social.wildeboer.net/@jwildeboer" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jwildeboer</span></a></span> : modern certificates are used for authentication only, not for secure connections.</p><p>OTOH, if you have no certainty that your software is communicating with the server you intended, a secure connection to it is pointless - but the connection remains secure.</p><p>Using TLS v1.3, the connection is even secured before the server is authenticated (if, after encrypting the connection, the authentication of the server fails, then the client should at least warn the user - if not immediately disconnect).</p><p>Yes, I know, these are boring details, but they are misunderstood way too often by people who SHOULD know how this works (I know you do, but please don't simplify things too much).<br> </p><p><a href="https://infosec.exchange/tags/TLS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TLS</span></a> <a href="https://infosec.exchange/tags/https" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>https</span></a> <a href="https://infosec.exchange/tags/X509" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>X509</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/Certs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certs</span></a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Identification</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/TLSv1_3" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TLSv1_3</span></a> <a href="https://infosec.exchange/tags/ForwardSecrecy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ForwardSecrecy</span></a> <a href="https://infosec.exchange/tags/DH" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DH</span></a> <a href="https://infosec.exchange/tags/DHE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DHE</span></a> <a href="https://infosec.exchange/tags/DiffieHellman" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DiffieHellman</span></a></p>
IT News<p>OpenAI’s ChatGPT Agent casually clicks through “I am not a robot” verification test - Maybe they should change the button to say, "I am a robot"?<br>... - <a href="https://arstechnica.com/information-technology/2025/07/openais-chatgpt-agent-casually-clicks-through-i-am-not-a-robot-verification-test/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">arstechnica.com/information-te</span><span class="invisible">chnology/2025/07/openais-chatgpt-agent-casually-clicks-through-i-am-not-a-robot-verification-test/</span></a> <a href="https://schleuss.online/tags/computer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>computer</span></a>-usingagent <a href="https://schleuss.online/tags/aidevelopmenttools" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>aidevelopmenttools</span></a> <a href="https://schleuss.online/tags/computerusemodel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>computerusemodel</span></a> <a href="https://schleuss.online/tags/machinelearning" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>machinelearning</span></a> <a href="https://schleuss.online/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://schleuss.online/tags/websecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>websecurity</span></a> <a href="https://schleuss.online/tags/aibehavior" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>aibehavior</span></a> <a href="https://schleuss.online/tags/aisecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>aisecurity</span></a> <a href="https://schleuss.online/tags/cloudflare" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cloudflare</span></a> <a href="https://schleuss.online/tags/agenticai" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>agenticai</span></a> <a href="https://schleuss.online/tags/aiagents" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>aiagents</span></a> <a href="https://schleuss.online/tags/captcha" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>captcha</span></a> <a href="https://schleuss.online/tags/chatgpt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>chatgpt</span></a> <a href="https://schleuss.online/tags/biz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>biz</span></a> <a href="https://schleuss.online/tags/openai" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openai</span></a> <a href="https://schleuss.online/tags/ai" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ai</span></a></p>
🧿🪬🍄🌈🎮💻🚲🥓🎃💀🏴🛻🇺🇸<p>&gt; <a href="https://mastodon.social/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Google</span></a> informed me that I already had a <a href="https://mastodon.social/tags/passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkey</span></a> on my device. If that's the case, why didn't it work when I attempted to log into my Google account on the tablet? When I was logging into the tablet, Google should have been aware I had <a href="https://mastodon.social/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> on my Pixel 9 Pro and request <a href="https://mastodon.social/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> with either a fingerprint or face scan. It didn't. No passkey was recognized… even though it's there.</p><p>&gt; It's a recursive nightmare from which I can't seem to escape.</p><p><a href="https://www.zdnet.com/article/passkeys-wont-be-ready-for-primetime-until-google-and-other-companies-fix-this/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">zdnet.com/article/passkeys-won</span><span class="invisible">t-be-ready-for-primetime-until-google-and-other-companies-fix-this/</span></a></p><p><a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a></p>
Grumpy Website<p>This dialog always confuses me. I have to read the small print to really understand what it wants.</p><p><a href="https://mastodon.online/tags/Apple" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Apple</span></a> <a href="https://mastodon.online/tags/macOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>macOS</span></a> <a href="https://mastodon.online/tags/Dialog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Dialog</span></a> <a href="https://mastodon.online/tags/VisualHierarchy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VisualHierarchy</span></a> <a href="https://mastodon.online/tags/Fingerprint" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fingerprint</span></a> <a href="https://mastodon.online/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a></p>
Mad A. Argon :qurio:<p>Thought it was high time to finally set up <a href="https://is-a.cat/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2FA</span></a> on my <a href="https://is-a.cat/tags/DeviantArt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DeviantArt</span></a> account... Turned out it's a premium feature for paid accounts :neocatBlushHide:</p><p><a href="https://is-a.cat/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://is-a.cat/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a></p>
Teodor Sandu<p><a href="https://mastodon.online/tags/funny" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>funny</span></a> <a href="https://mastodon.online/tags/meme" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>meme</span></a> <a href="https://mastodon.online/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.online/tags/it" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>it</span></a> <a href="https://mastodon.online/tags/programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>programming</span></a> <a href="https://mastodon.online/tags/development" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>development</span></a> <a href="https://mastodon.online/tags/fun" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fun</span></a> <a href="https://mastodon.online/tags/memes" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>memes</span></a> <a href="https://mastodon.online/tags/joke" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>joke</span></a> <a href="https://mastodon.online/tags/jokes" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jokes</span></a> <a href="https://mastodon.online/tags/dev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dev</span></a> <a href="https://mastodon.online/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://mastodon.online/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.ar.al/@aral" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>aral</span></a></span> wrote: "If your friends and family are trying to phish you, you have bigger problems."</p><p>Phishing means that an adversary *claiming to be* someone you know (including friends and family) convinces you to click on a link.</p><p>The purpose of a certificate, telling a receiver *WHO* (human readable) owns the associated private key (the last resort to distinguish between fake and authentic), now has completely vanished.</p><p>As if phishing is not already the nr. 1 problem on the internet.</p><p>Note: I'm fine with the idea provided that browsers clearly inform users about the reliability of authenticity (I've read your article, did you read <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a> ?)</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>letsencrypt</span></a></span> </p><p><a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/LetsEncrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LetsEncrypt</span></a> <a href="https://infosec.exchange/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> <a href="https://infosec.exchange/tags/DomainNames" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DomainNames</span></a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>Identification</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a></p>
Shubham Tiwari<p>🚀 Mastering API Handling in React &amp; Vanilla JS – One Step at a Time!</p><p>This week, I deep-dived into handling APIs in React and Vanilla JavaScript – not just fetching data, but doing it efficiently and securely which includes: Fetch, CRUD, Query Params, Auth, and AbortController Explained</p><p><a href="https://mastodon.social/tags/ReactJS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReactJS</span></a> <a href="https://mastodon.social/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JavaScript</span></a> <a href="https://mastodon.social/tags/WebDevelopment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebDevelopment</span></a> <a href="https://mastodon.social/tags/Frontend" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Frontend</span></a> <a href="https://mastodon.social/tags/APIs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APIs</span></a> <a href="https://mastodon.social/tags/AbortController" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AbortController</span></a> <a href="https://mastodon.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://mastodon.social/tags/Authorization" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authorization</span></a> <a href="https://mastodon.social/tags/AsyncAwait" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AsyncAwait</span></a> <a href="https://mastodon.social/tags/LinkedInLearning" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LinkedInLearning</span></a> <a href="https://mastodon.social/tags/100DaysOfCode" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>100DaysOfCode</span></a></p><p><a 
href="https://dev.to/shubhamtiwari909/handling-apis-in-frontend-a-complete-guide-fmo" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dev.to/shubhamtiwari909/handli</span><span class="invisible">ng-apis-in-frontend-a-complete-guide-fmo</span></a></p>
Eduardo Padoan<p>"The author of this library would like everyone to know that he was, in fact, well-aware of this requirement, thought about it a lot while designing the library, and then, somehow, forgot to actually make sure the check was in the code. That is, it's not that he didn't know what he was doing, it's that he knew what he was doing but flubbed it."<br><a href="https://mastodon.coffee/tags/GenAI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GenAI</span></a> <a href="https://mastodon.coffee/tags/LLM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LLM</span></a> <a href="https://mastodon.coffee/tags/Cloudfare" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cloudfare</span></a> <a href="https://mastodon.coffee/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://mastodon.coffee/tags/CodeAssistants" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CodeAssistants</span></a> <a href="https://mastodon.coffee/tags/Copilot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Copilot</span></a> <a href="https://mastodon.coffee/tags/Agentic" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Agentic</span></a> <a href="https://mastodon.coffee/tags/CVE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE</span></a> <a href="https://mastodon.coffee/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://mastodon.coffee/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSS</span></a> </p><p><a href="https://nvd.nist.gov/vuln/detail/cve-2025-4143" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nvd.nist.gov/vuln/detail/cve-2</span><span 
class="invisible">025-4143</span></a></p>
🧿🪬🍄🌈🎮💻🚲🥓🎃💀🏴🛻🇺🇸<p><a href="https://mastodon.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a> are for people who only use one device to access the Internet, or multiple devices that are all made by AAPL/GOOG.</p><p>If you use Firefox on Ubuntu, Edge on Windows, Safari on Mac OS, and Chrome on ChromeOS you will have a bad time.</p><p><a href="https://mastodon.social/tags/webauthn" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>webauthn</span></a> <a href="https://mastodon.social/tags/fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fido2</span></a> <a href="https://mastodon.social/tags/passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkey</span></a> <a href="https://mastodon.social/tags/auth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>auth</span></a> <a href="https://mastodon.social/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a></p>
🧿🪬🍄🌈🎮💻🚲🥓🎃💀🏴🛻🇺🇸<p>Explain <a href="https://mastodon.social/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> to me like I'm your grandparents.</p><p><a href="https://mastodon.social/tags/2fa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2fa</span></a> <a href="https://mastodon.social/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/fido" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fido</span></a> <a href="https://mastodon.social/tags/webauthn" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>webauthn</span></a> <a href="https://mastodon.social/tags/fido2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fido2</span></a> <a href="https://mastodon.social/tags/otp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>otp</span></a> <a href="https://mastodon.social/tags/yubikey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>yubikey</span></a> <a href="https://mastodon.social/tags/password" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>password</span></a> <a href="https://mastodon.social/tags/auth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>auth</span></a></p>
Ethan Sholly<p>Self-Host Weekly (6 June 2025)</p><p>Open-sourced government apps, software updates and launches, a spotlight on <a href="https://fosstodon.org/tags/Tinyauth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Tinyauth</span></a> -- a simple <a href="https://fosstodon.org/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> middleware, and more in this week's self-hosted recap!</p><p><a href="https://selfh.st/weekly/2025-06-06/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">selfh.st/weekly/2025-06-06/</span><span class="invisible"></span></a></p><p><a href="https://fosstodon.org/tags/selfhost" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>selfhost</span></a> <a href="https://fosstodon.org/tags/selfhosted" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>selfhosted</span></a> <a href="https://fosstodon.org/tags/selfhosting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>selfhosting</span></a> <a href="https://fosstodon.org/tags/newsletter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>newsletter</span></a> <a href="https://fosstodon.org/tags/opensource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>opensource</span></a> <a href="https://fosstodon.org/tags/foss" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>foss</span></a> <a href="https://fosstodon.org/tags/homelab" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>homelab</span></a> <a href="https://fosstodon.org/tags/homeserver" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>homeserver</span></a> <a href="https://fosstodon.org/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a> <a 
href="https://fosstodon.org/tags/nextcloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nextcloud</span></a> <a href="https://fosstodon.org/tags/raspberrypi" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>raspberrypi</span></a> <a href="https://fosstodon.org/tags/irs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>irs</span></a> <a href="https://fosstodon.org/tags/dumbassets" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dumbassets</span></a></p>
Lars Wirzenius<p>If your software stores passwords in a way that they can be retrieved, and your software isn't a password manager, your software is broken.</p><p>Verifying that a password provided by a user is correct does not require you to store the password. As an industry we knew this in 1978. It has been 0 days since I saw software that violates this.</p><p><a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">cheatsheetseries.owasp.org/che</span><span class="invisible">atsheets/Password_Storage_Cheat_Sheet.html</span></a></p><p><a href="https://toot.liw.fi/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://toot.liw.fi/tags/password" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>password</span></a> <a href="https://toot.liw.fi/tags/passwordStorage" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwordStorage</span></a> <a href="https://toot.liw.fi/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://toot.liw.fi/tags/rant" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rant</span></a></p>
Frontend Dogma<p>Passkeys for Normal People, by <span class="h-card" translate="no"><a href="https://infosec.exchange/@troyhunt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>troyhunt</span></a></span>:</p><p><a href="https://www.troyhunt.com/passkeys-for-normal-people/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">troyhunt.com/passkeys-for-norm</span><span class="invisible">al-people/</span></a></p><p><a href="https://mas.to/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mas.to/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://mas.to/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> <a href="https://mas.to/tags/examples" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>examples</span></a> <a href="https://mas.to/tags/concepts" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>concepts</span></a></p>
Erik van Straten<p>🚨 Identity fraud on Mastodon</p><p>Just a reminder that there is a lot of identity fraud happening on the internet, increasingly on Mastodon as well.</p><p>Often impersonators are easy to detect (like the ones below) - but sometimes existing accounts are taken over by criminals. Always keep in mind that someone on the internet interacting with you may (currently) not be who they claim to be.</p><p>This includes my account. If it does not sound like me, it may not be me. Having doubts and double checking are good habits. Reputation (good or bad) is a useful property for knowing who you're dealing with, and to help detect anomalies.</p><p>Accounts with a few or 0 followers, and hardly any or just plain pointless toots, may be bots or criminals coming after your money.</p><p>If someone appears to only follow random Mastodonts with lots of followers, either they're noobs or they're here with less friendly intentions. If they then start following possibly lonely people, they *may* be trying to gain their attention and trust - maybe for nefarious purposes.</p><p>🤔 Recently the following people started following the automated channel <a href="https://mastodon.world/@auschwitzmuseum/followers" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.world/@auschwitzmuseu</span><span class="invisible">m/followers</span></a>:</p><p>Kendal Jenner [1]<br>Jennifer Aniston [2]<br>Stephen King [3]<br>Keanu Reeves [4]<br>Keanu Reeves [5]</p><p>They all abuse the pictures of the real persons they impersonate (they're not just following the Auschwitz Memorial BTW).</p><p>[1] <a href="https://mastodon.social/@kendall01/following" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.social/@kendall01/fol</span><span class="invisible">lowing</span></a><br>[2] <a href="https://mastodon.social/@Jenniferaniston123/following" 
rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.social/@Jenniferanist</span><span class="invisible">on123/following</span></a><br>[3] <a href="https://mastodon.social/@Stevenkvng/following" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.social/@Stevenkvng/fo</span><span class="invisible">llowing</span></a><br>[4] <a href="https://mastodon.social/@keanureeves1928/following" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.social/@keanureeves19</span><span class="invisible">28/following</span></a><br>[5] <a href="https://mastodon.social/@reeves001/following" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">mastodon.social/@reeves001/fol</span><span class="invisible">lowing</span></a> (screenshot below)</p><p><a href="https://infosec.exchange/tags/IdentityFraud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IdentityFraud</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Identity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Identity</span></a> <a href="https://infosec.exchange/tags/IdentityVerification" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IdentityVerification</span></a> <a href="https://infosec.exchange/tags/Auschwitz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Auschwitz</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.ar.al/@aral" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>aral</span></a></span> : most Let's Encrypt (and other Domain Validated) certificates are issued to junk or plain criminal websites.</p><p>They're the ultimate manifestation of evil big tech.</p><p>They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks.</p><p>DV has destroyed the internet. People lose their ebank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing attacks).</p><p>Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website).</p><p>However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a piece of cake.</p><p>Decent online authentication is HARD. Get used to it instead of denying it.</p><p>REASONS/EXAMPLES</p><p>🔹 Troy Hunt fell in the DV trap: <a href="https://infosec.exchange/@ErikvanStraten/114222237036021070" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114222237036021070</span></a></p><p>🔹 Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. 
Now Chrome does not give you any more info than what Google argued for: <a href="https://infosec.exchange/@ErikvanStraten/114224682101772569" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114224682101772569</span></a></p><p>🔹 https:⧸⧸cancel-google.com/captcha was live yesterday: <a href="https://infosec.exchange/@ErikvanStraten/114224264440704546" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/114224264440704546</span></a></p><p>🔹 Stop phishing proposal: <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113079966331873386</span></a></p><p>🔹 Lots of reasons why LE sucks:<br><a href="https://infosec.exchange/@ErikvanStraten/112914047006977222" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914047006977222</span></a> (corrected link 09:20 UTC)</p><p>🔹 This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): <a href="https://newly-registered-domains.abtdomain.com/2024-08-15-bond-newly-registered-domains-part-1/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">newly-registered-domains.abtdo</span><span class="invisible">main.com/2024-08-15-bond-newly-registered-domains-part-1/</span></a>. 
However, this gang is still active, open the RELATIONS tab in <a href="https://www.virustotal.com/gui/ip-address/13.248.197.209/relations" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">virustotal.com/gui/ip-address/</span><span class="invisible">13.248.197.209/relations</span></a>. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: <a href="https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/</span></a></p><p><span class="h-card" translate="no"><a href="https://ec.social-network.europa.eu/@EUCommission" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>EUCommission</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>letsencrypt</span></a></span> <span class="h-card" translate="no"><a href="https://social.nlnet.nl/@nlnet" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>nlnet</span></a></span> </p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/bond" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bond</span></a> <a href="https://infosec.exchange/tags/dotBond" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dotBond</span></a> <a href="https://infosec.exchange/tags/Spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spam</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/Ransomware" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>Ransomware</span></a> <a href="https://infosec.exchange/tags/Banks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Banks</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FakeWebsites</span></a></p>
Grumpy Website<p>We noticed you were working. How about you do a meaningless chore for us instead?</p><p><a href="https://mastodon.online/tags/Slack" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Slack</span></a> <a href="https://mastodon.online/tags/Login" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Login</span></a> <a href="https://mastodon.online/tags/Logout" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Logout</span></a> <a href="https://mastodon.online/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://mastodon.online/tags/Popup" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Popup</span></a> <a href="https://mastodon.online/tags/Timeout" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Timeout</span></a></p>
julian<p>2FA codes sent over ActivityPub when?</p>
Georgiana Brummell<p>First, they shut down the Basic HTML site, forcing many of us to switch to clients such as Thunderbird. Now, they're using QR codes which are not only inaccessible to the blind but also to those who don't use smartphones! This is ridiculous! Yes, they do still have the option to click whether it's you trying to sign in or not (which still requires a smartphone and a carrier, which they claim to be concerned about), but how long before they remove that, too?</p><p><a href="https://www.pcmag.com/news/google-is-replacing-sms-codes-with-qr-codes-for-gmail-authentication" rel="nofollow noopener" target="_blank">pcmag.com/news/google-is-repla…</a></p><p><a href="https://friendica.world/search?tag=accessibility" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>accessibility</span></a> <a href="https://friendica.world/search?tag=Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Android</span></a> <a href="https://friendica.world/search?tag=authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://friendica.world/search?tag=blind" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blind</span></a> <a href="https://friendica.world/search?tag=Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Google</span></a> <a href="https://friendica.world/search?tag=GMail" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GMail</span></a> <a href="https://friendica.world/search?tag=IOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOS</span></a> <a href="https://friendica.world/search?tag=Narrator" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Narrator</span></a> <a href="https://friendica.world/search?tag=NVDA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NVDA</span></a> <a 
href="https://friendica.world/search?tag=sms" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sms</span></a> <a href="https://friendica.world/search?tag=Talkback" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Talkback</span></a> <a href="https://friendica.world/search?tag=technology" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>technology</span></a> <a href="https://friendica.world/search?tag=Voiceover" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Voiceover</span></a> <a href="https://friendica.world/search?tag=Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a></p>
Aral Balkan<p>New Kitten release</p><p>• Fixes redirection from sign-in page when person is already authenticated.</p><p><a href="https://kitten.small-web.org" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">kitten.small-web.org</span><span class="invisible"></span></a></p><p>To learn more about how Kitten automatically implements authentication for your Small Web sites and apps using public-key cryptography (so even your own server doesn’t know your secret)¹, please see the Authentication tutorial:</p><p><a href="https://kitten.small-web.org/tutorials/authentication/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">kitten.small-web.org/tutorials</span><span class="invisible">/authentication/</span></a></p><p>Enjoy!</p><p>:kitten:💕</p><p>¹ The security (and privacy) of Domain/Kitten are based on a 32-byte cryptographically random secret string that only the person who owns/controls a domain knows.</p><p>This is basically a Base256-encoded ed25519 secret key where the Base256 alphabet is a set of curated emoji surrogate pairs without any special modifiers chosen mainly from the animals, plants, and food groups with some exceptions (to avoid common phobias or triggers, etc.) that we call KittenMoji.</p><p>…</p><p>When setting up a Small Web app via Domain, this key is generated in the person’s browser, on their own computer, and is never communicated to either the Domain instance or the Kitten app being installed. 
Instead the ed25519 public key is sent to both and signed token authentication is used when the server needs to verify the owner’s identity (e.g., before allowing access to the administration area).</p><p>The expected/encouraged behaviour is for the person to store this secret in their password manager of choice.</p><p>More: <a href="https://kitten.small-web.org/reference/#cryptographic-properties" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">kitten.small-web.org/reference</span><span class="invisible">/#cryptographic-properties</span></a></p><p><a href="https://mastodon.ar.al/tags/Kitten" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Kitten</span></a> <a href="https://mastodon.ar.al/tags/SmallWeb" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SmallWeb</span></a> <a href="https://mastodon.ar.al/tags/SmallTech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SmallTech</span></a> <a href="https://mastodon.ar.al/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://mastodon.ar.al/tags/publicKeyCryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>publicKeyCryptography</span></a> <a href="https://mastodon.ar.al/tags/web" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>web</span></a> <a href="https://mastodon.ar.al/tags/dev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dev</span></a> <a href="https://mastodon.ar.al/tags/NodeJS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NodeJS</span></a> <a href="https://mastodon.ar.al/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JavaScript</span></a> <a href="https://mastodon.ar.al/tags/HTML" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>HTML</span></a> <a href="https://mastodon.ar.al/tags/CSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CSS</span></a></p>