Wladimir Palant @WPalant@infosec.exchange

Oh, #Opera already published the extension update - they seem to have improved their turnaround times, which is great. Now if I could somehow change the extension name, it's still being listed as Easy Passwords...

Decided to do an intermediate #PfP extension release before I pile up even more changes. Interestingly, this time only the #Firefox version got published immediately. #Chrome decided to flag it for manual review, and #Opera reviews are always taking a while.

Was pleasantly surprised today by https://bugzil.la/524403 being resolved. Only to see it immediately followed up by: "Script error. Ignore." So #Firefox still won't properly protect the database of locally stored passwords, and no plans change this it seems. #cryptofail

And once again Patricia's Aas talk states: election security is all about protecting against the very people running the election. Which is why machine voting is so complicated, falsifications have to be detected (actually detected, not merely detectable) despite compromised voting machines.

https://twitter.com/pati_gallardo/status/1130879094508462080

Note to future self: yes, when opening an HTML page from disk, #Chrome absolutely won't load a web worker from a file, not even a file in the same directory. And: no, this doesn't make any sense as a security mechanism because loading same file via <script> tag works just fine.

Spent some time figuring out why extension pop-ups don't receive keyboard focus in my #Firefox test profile. Turns out, there is an undocumented focusmanager.testmode preference which you don't want to be set. I guess I used #Marionette with this profile which enabled it.

@leip4Ier I don't think that click through rate is what they are after. They rather want bloggers to link to their product. Which makes me wonder how many of the links to their site all over the web are legitimate.

Website cites statement by @hochstadt@twitter.com: "Our mission: "We started vpnMentor to offer users a really honest, committed and helpful tool when navigating VPNs and web privacy."

Mission failed?

So the specialty of #VPNMentor is apparently creative email #spam? Got a mail today trying hard to look like it was sent by an unaffiliated private person when it was clearly automated. Not the first time they did it either: http://spam.tamagothi.de/2018/10/10/quick-question/

@kashire I never checked out their app. This particular issue was in the browser extension. And it wasn't a big one - merely the response from the team is highly problematic and raises questions about their general approach to security.

@fallenhitokiri Sadly, email is broken for anything even remotely private. So crypto messengers have their place - if only we had some better choices.

So far I settled on #Signal. While being far from perfect, it does the job. #Threema has some appeal not having accounts bound to phone numbers, but with a paid-for client I'm afraid that I won't find anybody else willing to communicate through it. All other solutions I'm aware of have significant issues.

With the recent #WhatsApp security issue, many people recommend #Keybase as alternative. Personally however, I certainly prefer products that own their security issues: https://palant.de/2018/09/06/keybase-our-browser-extension-subverts-our-encryption-but-why-should-we-care/. And I'm not the only one who made such experience with the Keybase team. #infosec

Finally removed #Edge support (many workarounds for long-standing bugs) from #PfP, I was never able to publish anything in the Microsoft Store anyway - blocked by some special review for browser extensions which never completed. Maybe with the Chrome-base Edge it will be easier.

Today I finally tried the naive approach and who would have thought: replacing textarea value from the input event produces no visible effects whatsoever! So I got rid of an 800+ lines third-party dependency and simplified my own code at the same time... #LessonLearned

A while ago I was looking for a library to do formatted input for #PfP. Most solutions would introduce an annoyance: original input replaced by formatted after a delay. So back then I settled on a library that reimplemented browser's input processing to avoid this effect.

Realized today that ES6 modules support in #Node.js is rather new and hardly usable. Somehow I'm expecting of a JS environment to be ahead of browsers and forget that it is merely an outdated version of Chrome's JS engine.

Wrote a quick&dirty script to ensure that IDs and class names in my #Vue.js components are good for something, so typos here will be caught now. The remaining challenge is validating component properties, the #ESLint plugin won't catch typos there. Wonder how I could do that?

So the mystery of updates hanging occasionally at 99% on #Ubuntu turned out to be #needrestart running in the headless update process and expecting user input. I uninstalled needrestart now which should solve this issue.

And while I didn't really intend to have functional changes with such a huge commit, for some things it simply didn't make sense to reimplement them unchanged. So many UI elements which used to be subpages are modal overlays now, with better usability and keyboard navigation.

Got over my NIH syndrome and refactored most of the #PfP user interface with #Vue.js. Things got far more modular now, the complexity was really starting to become prohibitive here.

https://github.com/palant/pfp/commit/ad4ea5554d54c3db708b2e577636d39bfad7d1e0