Yellow Flag at 🏠 @WPalant@infosec.exchange

@0xmrtn But only if you don't want to sleep yourself of course. 😜

For reference: that's a major antivirus vendor. And there is a very obvious correct way to do this. In fact, I think it's the first time I see somebody mess this up.

The code below is from a browser extension. Question: what does it do when executed in Firefox?

let script = document.createElement("script");
script.src = "chrome-extension://" + chrome.runtime.id + "/app/scripts/" + fileName;
head.appendChild(script);

Note that even the privacy policy on Firefox Add-ons doesn't mention why you need to generate a UUID for each user and send it along with each database update (not merely telemetry requests). Nor does it explain the impact of that telemetry setting.

Hi @Malwarebytes@twitter.com, do you have a proper privacy policy for your Browser Guard extension? The one under https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/privacy/ is unformatted, so it is unreadable (yes, formatting is supported here). And the link from Chrome Web Store is generic info, not for the extension.

@leip4Ier Sure, these experiments suffer from human assumptions. All the more reason to doubt a video which shows these very human assumptions validated. 😜

@leip4Ier I'm only half believing what I see there. Supposedly, cats cannot recognize themselves in a mirror, much less try to find their ears. So I wouldn't be surprised if the whole thing was staged somehow. But it's really fun to watch.

@leip4Ier That doesn't apply to all cats it seems, at least not to this one: https://twitter.com/Pandamoanimum/status/1283753313134149633

@jiefk Yes, so far Riot still shows most potential despite the shortcomings. And I'm explicitly not saying "Matrix" because as of now there is no real selection of usable and secure clients.

Will continue looking but I have little hope to still find a good Signal replacement.

@jr Mind you, I'm not blaming the devs. I've been there myself, I know exactly how this happens. Doesn't mean that I have a simple answer. There is a reason why mature projects don't let developers design user interfaces.

@jr It's not really an isolated incident. It's a general symptom of a UI which wasn't designed with less knowledgeable users in mind. And opening issues only gets you so far...

@jr Yes, that for example. When registering I had to enter a user name and select a server, yet it expected me to compose a Jabber ID myself when logging in. And it genuinely confused me when I tried to join a channel, I didn't realize that channel IDs were composed in the same way.

Maybe #Conversations and its forks are good #XMPP clients. From what I've read there should be solid end-to-end encryption enabled by default. But it's only one client on one platform. And other clients have wildly inconsistent encryption support, same issue as with #Matrix.

I did not bother installing #Psi/Psi+ any more. These messengers still try hard to imitate the ICQ client as well as contemporary IRC clients. Judging by discussions, encryption is not only not default, there are issues enabling it at all. Encrypting files is unsupported.

Next one was #Dino which looks better but expects knowledge of things like #XMPP identifiers without providing any explanation when something is wrong (yes, version 0.1). Here as well, encryption isn't the default. At least the discussions are younger. https://github.com/dino/dino/issues/844

I started looking into #XMPP clients with end-to-end-encryption support. First one was #Gajim, with its "charming" 90s messenger style. Encryption isn't the default here however, no progress on the corresponding issue. https://dev.gajim.org/gajim/gajim-plugins/-/issues/319

A lengthy and very detailed blog post by Matthew Green on why #Signal PINs are problematic: https://blog.cryptographyengineering.com/2020/07/10/a-few-thoughts-about-signals-secure-value-recovery/

Note that with a central server instance one has many of the same concerns - but compromising a server is a bigger hurdle than running a bunch of OpenDHT nodes, and there is also a higher chance that some irregularities will be noticed.

That's the issue I see here: end-to-end encryption is great, but a setup where any party can start collecting metadata fairly easily probably isn't too privacy-friendly. And the issue is known of course, so devs recommend using VPN or Tor.

https://git.jami.net/savoirfairelinux/ring-project/wikis/tutorials/Frequently-Asked-Questions#when-do-public-ips-get-exposed

And not just that, these nodes (presumably run by the #Jami project) can see who is talking to whom as they deliver messages.

What if NSA or somebody else decided to run a dozen nodes? How much of the network graph would they see this way?