On the practical level, it's questionable whether any antivirus vendor is really qualified to produce that secure browser. The one I'm looking at right now certainly isn't bad, they seem to have put some serious thought into minimizing attack surface (Avast did the exact opposite). But they still have security issues which are way more obvious than what you can expect to find in modern mainstream browsers.
@WPalant but node.js is single-threaded and there's no way to spawn another thread, only another process
Whisper app: yet another company which had no qualms about collecting as much data of their presumably anonymous users as possible. And then they carelessly exposed the dirty secrets to the public, along with identifying metadata. #privacy
This is merely the most recent example. Just because people are in the security software business, it doesn't mean that they will make good choices for the security architecture of their product. Or that they will care about the security of their product and their users at all...
The Yahoo/AOL account recovery works like this: you type in a phone number, receive an SMS and are then granted access to any accounts associated with this number. Including the previous owner of that number or people who typed in a random phone number and never verified.
Yahoo! and AOL implement an account recovery flow which can be summed up as "please hijack me." If you use them, you had better be very certain you control that recovery phone number of yours.
Want to use #jQuery for a new project? Don't, it makes writing secure code unnecessarily complicated. In fact, you should look for a way to get rid of it in your old projects as well, or at least minimize its potential security impact. #infosec #xss
This thread demonstrates nicely why so many studies are merely confirming experimenters' expectations but do not produce any real results. Yes, getting biases out of a study setup is a complicated task, and often people won't even try.
Btw, my four-year-old take on the same topic, after looking into a particularly bad codebase: https://palant.de/2016/03/02/why-you-should-go-with-secure-by-default-for-your-web-application/
Wow, it's 2020 and somebody *still* has to explain that input sanitization isn't a good way to address XSS vulnerabilities. Where did the past two decades go? https://benhoyt.com/writings/dont-sanitize-do-escape/
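The "escape, don't sanitize" point in the post above, as an added example that is not part of the original thread: a hypothetical input sanitizer that strips angle brackets destroys legitimate data, while escaping at output time preserves the stored value and renders markup-looking input inert in both text and attribute context. The function names and the sample display names are constructed for this illustration.

```javascript
// Added example (not from the original post): output escaping vs. input sanitization.
// Minimal HTML escaper covering text content and double-quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical "sanitize on input" approach the post warns against:
// angle brackets are stripped before the value is stored.
function sanitizeInput(value) {
  return String(value).replace(/[<>]/g, "");
}

// Escape-at-output approach: the stored value is kept verbatim and escaped
// for each HTML context (attribute and text) at render time.
function renderCard(displayName) {
  const safe = escapeHtml(displayName);
  return `<div class="card" title="${safe}">${safe}</div>`;
}

// Constructed sample inputs: a legitimate name containing angle brackets,
// and a value that looks like markup.
const LEGIT_NAME = "Tom <tom@example.com>";
const MARKUP_NAME = '<b title="x">bold</b>';

function demo() {
  return {
    sanitizedLegit: sanitizeInput(LEGIT_NAME), // data loss: the address loses its brackets
    escapedLegit: renderCard(LEGIT_NAME),      // data preserved, no raw "<" reaches the page
    escapedMarkup: renderCard(MARKUP_NAME),    // markup is displayed as text, not parsed
  };
}
```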
I would actually expect a security software vendor to resolve a critical vulnerability first, pushing the one-line fix to users ASAP. Then improve on the fix later. Not bundle the fix with tons of regular changes, almost missing the deadline due to QA. Is it only me? #McAfee
Vulnerability in McAfee WebAdvisor: RCE from any website through the browser extension into the application, all the way to administrator privileges. Updates are finally available and should be installed ASAP. #McAfee #WebAdvisor #infosec #appsec
So, Microsoft's HTML Applications are still a thing in 2020? I accidentally came across some malicious code within an HTA file, running PowerShell and .NET code via ActiveX. The assumption is apparently that users won't recognize .hta as dangerous.
Now the Firefox extension should be fixed, so I'm not dropping a zero-day tomorrow. That's quite a relief. #McAfee decided to cut it really close, despite it being a one-line fix. Meaning: there is a lot that they could do about this issue, but so far they only changed one line.
Their not so useful security bulletin: https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fcp&articleId=TS103008&_afrLoop=661821695893876
Software developer and security researcher, browser extensions expert. He/him