@MarciaBokeh@twitter.com is another #Mozilla veteran who has been laid off. I remember her being praised very highly for her QA work; she is really good.
It's hard to imagine a scenario where a CSP bypass is still of value under these conditions. If anything, it helps obfuscate the attack payload, loading most of the code from another website. So this really isn't the big deal it sounded like from the description.
That's the real reason why https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/ lists some sites being vulnerable while others are "safe": all these sites allow inline scripts in their CSP. Yet if attackers can run scripts on the target domain, they already can do pretty much anything they want.
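The point made in the two posts above (a CSP "bypass" only matters where the policy already blocks inline scripts) can be checked mechanically. The following is an added example, not code from the posts or from the PerimeterX write-up: it parses a Content-Security-Policy header, resolves the effective script sources, and reports whether inline scripts are already permitted. The sample headers in SAMPLE_POLICIES are constructed for illustration and do not come from any real site; the check deliberately covers only the script-src/default-src fallback and the CSP3 rule that 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' source is present, and ignores report-only headers and 'unsafe-hashes'.

```javascript
// Added example, not code from the original posts: given a Content-Security-Policy
// header, decide whether the policy already permits inline scripts. Where it does,
// a "CSP bypass" that loads a script from another origin adds nothing an attacker
// with script execution on the page could not already do.
// The sample headers at the bottom are constructed for illustration only.

function parseCsp(header) {
  // Directives are separated by ';'; each is a name followed by whitespace-separated values.
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return policy;
}

function scriptSources(policy) {
  // script-src falls back to default-src; with neither present, scripts are unrestricted.
  if (policy.has("script-src")) return policy.get("script-src");
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

function allowsInlineScript(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = sources.includes("'strict-dynamic'");
  // CSP Level 3: 'unsafe-inline' is ignored once a nonce/hash source or 'strict-dynamic' is present.
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic;
}

function bypassAssessment(header) {
  return allowsInlineScript(header)
    ? "inline scripts allowed: a bypass only relocates the payload, no new capability"
    : "inline scripts blocked: loading script from outside the allow-list would matter";
}

// Constructed sample policies (not taken from any real site).
const SAMPLE_POLICIES = {
  inlineAllowed: "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
  nonceOverridesInline: "script-src 'nonce-d41d8cd9' 'unsafe-inline'",
  strict: "default-src 'self'; object-src 'none'",
  noScriptDirective: "img-src *; frame-ancestors 'none'",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, header] of Object.entries(SAMPLE_POLICIES)) {
    console.log(`${name}: ${bypassAssessment(header)}`);
  }
}
```

Run it with `node csp-check.js` (hypothetical file name). The nonceOverridesInline case is the one people get wrong: it contains 'unsafe-inline' but still blocks inline scripts, because the nonce source makes the keyword inert in CSP3-capable browsers.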
"I would consider the CharUpper and CharLower family of functions to be deprecated. Instead, use the LCMapStringEx function"
One consequence of endless backwards compatibility: over time all reasonably simple API function names will end up deprecated…
For reference: that's a major antivirus vendor. And there is a very obvious correct way to do this. In fact, I think it's the first time I've seen somebody mess this up.
I started looking into #XMPP clients with end-to-end encryption support. First one was #Gajim, with its "charming" 90s messenger style. Encryption isn't the default here, however; no progress on the corresponding issue. https://dev.gajim.org/gajim/gajim-plugins/-/issues/319
A lengthy and very detailed blog post by Matthew Green on why #Signal PINs are problematic: https://blog.cryptographyengineering.com/2020/07/10/a-few-thoughts-about-signals-secure-value-recovery/
Note that with a central server instance one has many of the same concerns - but compromising a server is a bigger hurdle than running a bunch of OpenDHT nodes, and there is also a higher chance that some irregularities will be noticed.
That's the issue I see here: end-to-end encryption is great, but a setup where any party can start collecting metadata fairly easily probably isn't too privacy-friendly. And the issue is known of course, so devs recommend using VPN or Tor.
I'm not sure what percentage of user IDs you will see passing by. Another concern, however, is that the majority of the OpenDHT traffic appears to be originating at OVH-hosted nodes, not actual users. These should be able to associate your user ID and IP address.
Software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant
A Mastodon instance for info/cyber security-minded people.