ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Miscellaneous Tech News

    Scheduled Pinned Locked Moved News
    7.4k Posts 83 Posters 3.8m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @stacksofplates
      last edited by

      @stacksofplates said in Miscellaneous Tech News:

      @scottalanmiller said in Miscellaneous Tech News:

      @stacksofplates said in Miscellaneous Tech News:

      If you present people with real looking OAUTH forms to sign in with gmail or whatever, people will log in. Just like in the sentence above, they don't pay attention. DNS hijacking isn't just for redirecting the whole site. I'm talking also about things like redirecting JS embedded in the page.

      That's fine, but I'm talking about pages where none of that can apply.

      You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.

      I can, because it doesn't matter what they see. It makes no sense regardless.

      If you think this makes sense, give me an example. What new site could I go to that's totally static that, when going to a fake site, would realistically make me generate a new account?

      1 Reply Last reply Reply Quote 0
      • ObsolesceO
        Obsolesce @stacksofplates
        last edited by

        @stacksofplates said in Miscellaneous Tech News:

        @scottalanmiller said in Miscellaneous Tech News:

        @stacksofplates said in Miscellaneous Tech News:

        If you present people with real looking OAUTH forms to sign in with gmail or whatever, people will log in. Just like in the sentence above, they don't pay attention. DNS hijacking isn't just for redirecting the whole site. I'm talking also about things like redirecting JS embedded in the page.

        That's fine, but I'm talking about pages where none of that can apply.

        You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.

        Let's use a real example... your blog is static html, yes? No login forms? Even so, lets pretend there isn't.

        What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?

        scottalanmillerS stacksofplatesS 3 Replies Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @stacksofplates
          last edited by

          @stacksofplates said in Miscellaneous Tech News:

          @scottalanmiller said in Miscellaneous Tech News:

          @stacksofplates said in Miscellaneous Tech News:

          @scottalanmiller said in Miscellaneous Tech News:

          @obsolesce said in Miscellaneous Tech News:

          If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.

          Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.

          No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.

          It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?

          You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.

          You're saying they will sign in, just automatically, without having any reason or clue what the site is about?

          stacksofplatesS 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @Obsolesce
            last edited by

            @obsolesce said in Miscellaneous Tech News:

            @stacksofplates said in Miscellaneous Tech News:

            @scottalanmiller said in Miscellaneous Tech News:

            @stacksofplates said in Miscellaneous Tech News:

            If you present people with real looking OAUTH forms to sign in with gmail or whatever, people will log in. Just like in the sentence above, they don't pay attention. DNS hijacking isn't just for redirecting the whole site. I'm talking also about things like redirecting JS embedded in the page.

            That's fine, but I'm talking about pages where none of that can apply.

            You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.

            Let's use a real example... your blog is static html, yes? No login forms? Even so, lets pretend there isn't.

            All blogs I know have logins.

            ObsolesceO 1 Reply Last reply Reply Quote 0
            • stacksofplatesS
              stacksofplates @Obsolesce
              last edited by

              @obsolesce said in Miscellaneous Tech News:

              @stacksofplates said in Miscellaneous Tech News:

              @scottalanmiller said in Miscellaneous Tech News:

              @stacksofplates said in Miscellaneous Tech News:

              If you present people with real looking OAUTH forms to sign in with gmail or whatever, people will log in. Just like in the sentence above, they don't pay attention. DNS hijacking isn't just for redirecting the whole site. I'm talking also about things like redirecting JS embedded in the page.

              That's fine, but I'm talking about pages where none of that can apply.

              You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.

              Let's use a real example... your blog is static html, yes? No login forms? Even so, lets pretend there isn't.

              What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?

              I do not even have an account there?

              That's not how oauth works.

              1 Reply Last reply Reply Quote 1
              • ObsolesceO
                Obsolesce @scottalanmiller
                last edited by

                @scottalanmiller said in Miscellaneous Tech News:

                @obsolesce said in Miscellaneous Tech News:

                @stacksofplates said in Miscellaneous Tech News:

                @scottalanmiller said in Miscellaneous Tech News:

                @stacksofplates said in Miscellaneous Tech News:

                If you present people with real looking OAUTH forms to sign in with gmail or whatever, people will log in. Just like in the sentence above, they don't pay attention. DNS hijacking isn't just for redirecting the whole site. I'm talking also about things like redirecting JS embedded in the page.

                That's fine, but I'm talking about pages where none of that can apply.

                You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.

                Let's use a real example... your blog is static html, yes? No login forms? Even so, lets pretend there isn't.

                All blogs I know have logins.

                Still, that's besides the point. Even so, why woudl i attempt to log in to HIS blog, knowing i do not have an account there?

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Obsolesce
                  last edited by

                  @obsolesce said in Miscellaneous Tech News:

                  What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?

                  Exactly, that's my feeling. If I don't have an account somewhere, and the site is not one that would have a purpose for logging into it, it seems far fetched that people will log in anyway. Even "legit" sites would use that for data harvesting if that was really how people behaved.

                  But I see his point of present a central OAUTH and people might actually do that stupid thing.

                  JaredBuschJ ObsolesceO momurdaM 3 Replies Last reply Reply Quote 0
                  • stacksofplatesS
                    stacksofplates @scottalanmiller
                    last edited by

                    @scottalanmiller said in Miscellaneous Tech News:

                    @stacksofplates said in Miscellaneous Tech News:

                    @scottalanmiller said in Miscellaneous Tech News:

                    @stacksofplates said in Miscellaneous Tech News:

                    @scottalanmiller said in Miscellaneous Tech News:

                    @obsolesce said in Miscellaneous Tech News:

                    If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.

                    Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.

                    No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.

                    It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?

                    You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.

                    You're saying they will sign in, just automatically, without having any reason or clue what the site is about?

                    No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.

                    0_1532629148200_login.png

                    blurred for obvious reasons.

                    ObsolesceO 1 Reply Last reply Reply Quote 1
                    • JaredBuschJ
                      JaredBusch @scottalanmiller
                      last edited by JaredBusch

                      @scottalanmiller said in Miscellaneous Tech News:

                      @obsolesce said in Miscellaneous Tech News:

                      What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?

                      Exactly, that's my feeling. If I don't have an account somewhere, and the site is not one that would have a purpose for logging into it, it seems far fetched that people will log in anyway. Even "legit" sites would use that for data harvesting if that was really how people behaved.

                      But I see his point of present a central OAUTH and people might will actually do that stupid thing.

                      FTFY

                      1 Reply Last reply Reply Quote 0
                      • ObsolesceO
                        Obsolesce @scottalanmiller
                        last edited by

                        @scottalanmiller said in Miscellaneous Tech News:

                        But I see his point of present a central OAUTH and people might actually do that stupid thing.

                        Yeah, I get the oauth thing, I wasn't referring tot hat.

                        1 Reply Last reply Reply Quote 0
                        • ObsolesceO
                          Obsolesce @stacksofplates
                          last edited by

                          @stacksofplates said in Miscellaneous Tech News:

                          @scottalanmiller said in Miscellaneous Tech News:

                          @stacksofplates said in Miscellaneous Tech News:

                          @scottalanmiller said in Miscellaneous Tech News:

                          @stacksofplates said in Miscellaneous Tech News:

                          @scottalanmiller said in Miscellaneous Tech News:

                          @obsolesce said in Miscellaneous Tech News:

                          If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.

                          Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.

                          No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.

                          It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?

                          You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.

                          You're saying they will sign in, just automatically, without having any reason or clue what the site is about?

                          No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.

                          0_1532629148200_login.png

                          blurred for obvious reasons.

                          Yeah that i can agree with 100%.

                          ObsolesceO 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller
                            last edited by

                            So you have HTTP, you DNS hijack, then you present a fake OAUTH or similar. I guess that makes sense.

                            stacksofplatesS 1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller
                              last edited by

                              https://techcrunch.com/2018/07/22/the-quantum-meltdown-of-encryption/

                              1 Reply Last reply Reply Quote 0
                              • stacksofplatesS
                                stacksofplates @scottalanmiller
                                last edited by

                                @scottalanmiller said in Miscellaneous Tech News:

                                So you have HTTP, you DNS hijack, then you present a fake OAUTH or similar. I guess that makes sense.

                                Or even something "benign" like cryptomining. While not actively stealing credentials it can be an issue. Also using JS for keylogging, etc. The upstream JS stuff is more CSP but they all tie together.

                                1 Reply Last reply Reply Quote 0
                                • momurdaM
                                  momurda @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in Miscellaneous Tech News:

                                  @obsolesce said in Miscellaneous Tech News:

                                  What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?

                                  Exactly, that's my feeling. If I don't have an account somewhere, and the site is not one that would have a purpose for logging into it, it seems far fetched that people will log in anyway. Even "legit" sites would use that for data harvesting if that was really how people behaved.

                                  But I see his point of present a central OAUTH and people might actually do that stupid thing.

                                  @scottalanmiller said in Miscellaneous Tech News:

                                  @obsolesce said in Miscellaneous Tech News:

                                  What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?

                                  Exactly, that's my feeling. If I don't have an account somewhere, and the site is not one that would have a purpose for logging into it, it seems far fetched that people will log in anyway. Even "legit" sites would use that for data harvesting if that was really how people behaved.

                                  But I see his point of present a central OAUTH and people might actually do that stupid thing.

                                  I had a user who actually made a Firefox account on first day after she logged in and opened got that 'you need a firefox account' page that mozilla sends people to.

                                  1 Reply Last reply Reply Quote 0
                                  • ObsolesceO
                                    Obsolesce @Obsolesce
                                    last edited by

                                    @obsolesce said in Miscellaneous Tech News:

                                    @stacksofplates said in Miscellaneous Tech News:

                                    @scottalanmiller said in Miscellaneous Tech News:

                                    @stacksofplates said in Miscellaneous Tech News:

                                    @scottalanmiller said in Miscellaneous Tech News:

                                    @stacksofplates said in Miscellaneous Tech News:

                                    @scottalanmiller said in Miscellaneous Tech News:

                                    @obsolesce said in Miscellaneous Tech News:

                                    If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.

                                    Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.

                                    No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.

                                    It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?

                                    You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.

                                    You're saying they will sign in, just automatically, without having any reason or clue what the site is about?

                                    No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.

                                    0_1532629148200_login.png

                                    blurred for obvious reasons.

                                    Yeah that i can agree with 100%.

                                    But even using https doesn't protect against that. Http or https... it doesn't matter, if someone's DNS is hijacked, they get the non-https warning in Chrome, and then they are presented with that fake oauth thing, they'll still log in.

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Obsolesce
                                      last edited by

                                      @obsolesce said in Miscellaneous Tech News:

                                      @obsolesce said in Miscellaneous Tech News:

                                      @stacksofplates said in Miscellaneous Tech News:

                                      @scottalanmiller said in Miscellaneous Tech News:

                                      @stacksofplates said in Miscellaneous Tech News:

                                      @scottalanmiller said in Miscellaneous Tech News:

                                      @stacksofplates said in Miscellaneous Tech News:

                                      @scottalanmiller said in Miscellaneous Tech News:

                                      @obsolesce said in Miscellaneous Tech News:

                                      If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.

                                      Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.

                                      No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.

                                      It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?

                                      You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.

                                      You're saying they will sign in, just automatically, without having any reason or clue what the site is about?

                                      No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.

                                      0_1532629148200_login.png

                                      blurred for obvious reasons.

                                      Yeah that i can agree with 100%.

                                      But even using https doesn't protect against that. Http or https... it doesn't matter, if someone's DNS is hijacked, they get the non-https warning in Chrome, and then they are presented with that fake oauth thing, they'll still log in.

                                      Correct. You need HSTS as well. And even then, it's only partial protection.

                                      ObsolesceO 1 Reply Last reply Reply Quote 1
                                      • scottalanmillerS
                                        scottalanmiller
                                        last edited by

                                        One could argue that having HTTPS in this authoritative way from Google is meant to produce fake "warm and fuzzies" that make people stop paying attention and assume all is well and ignore risks that might still be there.

                                        1 Reply Last reply Reply Quote 0
                                        • ObsolesceO
                                          Obsolesce @scottalanmiller
                                          last edited by Obsolesce

                                          @scottalanmiller said in Miscellaneous Tech News:

                                          @obsolesce said in Miscellaneous Tech News:

                                          @obsolesce said in Miscellaneous Tech News:

                                          @stacksofplates said in Miscellaneous Tech News:

                                          @scottalanmiller said in Miscellaneous Tech News:

                                          @stacksofplates said in Miscellaneous Tech News:

                                          @scottalanmiller said in Miscellaneous Tech News:

                                          @stacksofplates said in Miscellaneous Tech News:

                                          @scottalanmiller said in Miscellaneous Tech News:

                                          @obsolesce said in Miscellaneous Tech News:

                                          If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.

                                          Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.

                                          No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.

                                          It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?

                                          You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.

                                          You're saying they will sign in, just automatically, without having any reason or clue what the site is about?

                                          No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.

                                          0_1532629148200_login.png

                                          blurred for obvious reasons.

                                          Yeah that i can agree with 100%.

                                          But even using https doesn't protect against that. Http or https... it doesn't matter, if someone's DNS is hijacked, they get the non-https warning in Chrome, and then they are presented with that fake oauth thing, they'll still log in.

                                          Correct. You need HSTS as well. And even then, it's only partial protection.

                                          Yeah, the benefit of using HTTPS is when legit websites use it to encrypt the transmission sensitive information, not for security purposes IMO.

                                          1 Reply Last reply Reply Quote 1
                                          • KellyK
                                            Kelly
                                            last edited by

                                            I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.

                                            ObsolesceO 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 372
                                            • 373
                                            • 2 / 373
                                            • First post
                                              Last post