Miscellaneous Tech News
-
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
If you present people with real looking OAUTH forms to sign in with gmail or whatever, people will log in. Just like in the sentence above, they don't pay attention. DNS hijacking isn't just for redirecting the whole site. I'm talking also about things like redirecting JS embedded in the page.
That's fine, but I'm talking about pages where none of that can apply.
You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.
Let's use a real example... your blog is static html, yes? No login forms? Even so, lets pretend there isn't.
What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?
-
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.
Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.
No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.
It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?
You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.
You're saying they will sign in, just automatically, without having any reason or clue what the site is about?
-
@obsolesce said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
If you present people with real looking OAUTH forms to sign in with gmail or whatever, people will log in. Just like in the sentence above, they don't pay attention. DNS hijacking isn't just for redirecting the whole site. I'm talking also about things like redirecting JS embedded in the page.
That's fine, but I'm talking about pages where none of that can apply.
You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.
Let's use a real example... your blog is static html, yes? No login forms? Even so, lets pretend there isn't.
All blogs I know have logins.
-
@obsolesce said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
If you present people with real looking OAUTH forms to sign in with gmail or whatever, people will log in. Just like in the sentence above, they don't pay attention. DNS hijacking isn't just for redirecting the whole site. I'm talking also about things like redirecting JS embedded in the page.
That's fine, but I'm talking about pages where none of that can apply.
You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.
Let's use a real example... your blog is static html, yes? No login forms? Even so, lets pretend there isn't.
What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?
I do not even have an account there?
That's not how oauth works.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
If you present people with real looking OAUTH forms to sign in with gmail or whatever, people will log in. Just like in the sentence above, they don't pay attention. DNS hijacking isn't just for redirecting the whole site. I'm talking also about things like redirecting JS embedded in the page.
That's fine, but I'm talking about pages where none of that can apply.
You can't guarantee none of that will apply because you can't guarantee what the end user will see over plain text. That's the whole point.
Let's use a real example... your blog is static html, yes? No login forms? Even so, lets pretend there isn't.
All blogs I know have logins.
Still, that's besides the point. Even so, why woudl i attempt to log in to HIS blog, knowing i do not have an account there?
-
@obsolesce said in Miscellaneous Tech News:
What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?
Exactly, that's my feeling. If I don't have an account somewhere, and the site is not one that would have a purpose for logging into it, it seems far fetched that people will log in anyway. Even "legit" sites would use that for data harvesting if that was really how people behaved.
But I see his point of present a central OAUTH and people might actually do that stupid thing.
-
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.
Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.
No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.
It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?
You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.
You're saying they will sign in, just automatically, without having any reason or clue what the site is about?
No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.
blurred for obvious reasons.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?
Exactly, that's my feeling. If I don't have an account somewhere, and the site is not one that would have a purpose for logging into it, it seems far fetched that people will log in anyway. Even "legit" sites would use that for data harvesting if that was really how people behaved.
But I see his point of present a central OAUTH and people
mightwill actually do that stupid thing.FTFY
-
@scottalanmiller said in Miscellaneous Tech News:
But I see his point of present a central OAUTH and people might actually do that stupid thing.
Yeah, I get the oauth thing, I wasn't referring tot hat.
-
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.
Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.
No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.
It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?
You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.
You're saying they will sign in, just automatically, without having any reason or clue what the site is about?
No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.
blurred for obvious reasons.
Yeah that i can agree with 100%.
-
So you have HTTP, you DNS hijack, then you present a fake OAUTH or similar. I guess that makes sense.
-
-
@scottalanmiller said in Miscellaneous Tech News:
So you have HTTP, you DNS hijack, then you present a fake OAUTH or similar. I guess that makes sense.
Or even something "benign" like cryptomining. While not actively stealing credentials it can be an issue. Also using JS for keylogging, etc. The upstream JS stuff is more CSP but they all tie together.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?
Exactly, that's my feeling. If I don't have an account somewhere, and the site is not one that would have a purpose for logging into it, it seems far fetched that people will log in anyway. Even "legit" sites would use that for data harvesting if that was really how people behaved.
But I see his point of present a central OAUTH and people might actually do that stupid thing.
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
What if I browse to your blog, but my DNS is hijacked, and then suddenly I'm on your blog website, but now I see a login form. Why the hell woudl I attempt to log in to your blog, knowing I do not even have an account there?
Exactly, that's my feeling. If I don't have an account somewhere, and the site is not one that would have a purpose for logging into it, it seems far fetched that people will log in anyway. Even "legit" sites would use that for data harvesting if that was really how people behaved.
But I see his point of present a central OAUTH and people might actually do that stupid thing.
I had a user who actually made a Firefox account on first day after she logged in and opened got that 'you need a firefox account' page that mozilla sends people to.
-
@obsolesce said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.
Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.
No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.
It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?
You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.
You're saying they will sign in, just automatically, without having any reason or clue what the site is about?
No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.
blurred for obvious reasons.
Yeah that i can agree with 100%.
But even using https doesn't protect against that. Http or https... it doesn't matter, if someone's DNS is hijacked, they get the non-https warning in Chrome, and then they are presented with that fake oauth thing, they'll still log in.
-
@obsolesce said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.
Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.
No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.
It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?
You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.
You're saying they will sign in, just automatically, without having any reason or clue what the site is about?
No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.
blurred for obvious reasons.
Yeah that i can agree with 100%.
But even using https doesn't protect against that. Http or https... it doesn't matter, if someone's DNS is hijacked, they get the non-https warning in Chrome, and then they are presented with that fake oauth thing, they'll still log in.
Correct. You need HSTS as well. And even then, it's only partial protection.
-
One could argue that having HTTPS in this authoritative way from Google is meant to produce fake "warm and fuzzies" that make people stop paying attention and assume all is well and ignore risks that might still be there.
-
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@obsolesce said in Miscellaneous Tech News:
If I hijacked your DNS and redirected wellsfargo.com to my own server, and presented you with http://wellsfargo.com (non-https), perhaps you'd notice the non-https warning in Chrome, perhaps not, and you'd enter your credentials.
Sure, but what if you hijacked a site that does NOT have a reason for you to log in? Your example requires that the site have had a login in the past to make sense. Do it for a brochure site and think about how silly this is as a risk.
No it doesn't. If you click a link to a site you've never been to, how would you know if it's had a login form before? That makes no sense.
It doesn't matter if you know or not, you would know that you had no login, and you'd have no reason to log in. Why would you go to a fake site that has no purpose for a login, and create an account?
You clearly didn't read my response above. If you present people with a real OAUTH login form, people will sign in. It literally takes one person out of how many for this to be proven false.
You're saying they will sign in, just automatically, without having any reason or clue what the site is about?
No. I'm saying people will do it without thinking. If they see this on a page whether it has anything to do with the site or not, you will have people who will log in. Again, it only takes one person to do this for it to be effective.
blurred for obvious reasons.
Yeah that i can agree with 100%.
But even using https doesn't protect against that. Http or https... it doesn't matter, if someone's DNS is hijacked, they get the non-https warning in Chrome, and then they are presented with that fake oauth thing, they'll still log in.
Correct. You need HSTS as well. And even then, it's only partial protection.
Yeah, the benefit of using HTTPS is when legit websites use it to encrypt the transmission sensitive information, not for security purposes IMO.
-
I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.
-
@kelly said in Miscellaneous Tech News:
I'd like to have all my traffic encrypted so that the service providers that handle it along the way cannot perform analytics on me other than my source and destination.
That what a VPN is for, like FrootVPN.