As @albinowax@twitter.com points out, Transfer-Encoding is indeed forbidden. While I’ve seen the relevant spec section (8.1.2.2), I initially interpreted it as only relevant for HTTP/1.1 to HTTP/2 transition. This is actually not the case.

Similarly, the spec lists restrictions for the Content-Length header but ignores the similarly problematic Transfer-Encoding header. In fact, straight out disallowing both might have been the better option.

Having gone more thoroughly through the spec (thanks @x_cli): yes, HTTP/2 spec does have rules to make conversion from HTTP/2 to HTTP/1.1 safer. In some cases these rules were ignored, but sometimes these were just not strict enough. E.g. allowing both :authority and Host headers is a bad idea.

This is some fancy stuff. Strictly speaking, these aren’t issues in the HTTP/2 protocol. However, with many websites using HTTP/1.1 for their backend communication, the translation from HTTP/2 to HTTP/1.1 becomes a major source of vulnerabilities due to insufficient validation.

portswigger.net/research/http2
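To make the "insufficient validation" point concrete, here is an added example (not code from the thread or from PortSwigger's research) of the checks a reverse proxy can run on a decoded HTTP/2 request before rewriting it as HTTP/1.1; the list-of-pairs header representation is an assumption.

```python
# Added example, not from the original posts: enforce the HTTP/2 rules the
# thread refers to before downgrading a request to HTTP/1.1.
# - connection-specific headers such as Transfer-Encoding are forbidden in
#   HTTP/2 (RFC 7540 section 8.1.2.2); TE may only be "trailers"
# - Content-Length must be a single decimal value matching the body (8.1.2.6)
# - :authority/Host disagreement is rejected instead of passed through
# Header representation (list of (name, value) pairs, lower-cased as HPACK
# delivers them) is an assumption.

FORBIDDEN = {"connection", "keep-alive", "proxy-connection",
             "transfer-encoding", "upgrade"}

def validate_h2_for_downgrade(headers, body):
    """Return (ok, reason) for headers: list of (name, value), body: bytes."""
    seen = {}
    for name, value in headers:
        if name != name.lower():
            return False, f"uppercase header name: {name!r}"
        if any(c in value for c in "\r\n\0"):
            return False, f"control character in header {name!r}"
        if name.startswith(":") and " " in value:
            return False, f"space in pseudo-header {name!r}"
        seen.setdefault(name, []).append(value)
    for bad in FORBIDDEN.intersection(seen):
        return False, f"connection-specific header forbidden: {bad}"
    if seen.get("te", ["trailers"]) != ["trailers"]:
        return False, "TE may only be 'trailers'"
    cls = seen.get("content-length", [])
    if cls and not (len(cls) == 1 and cls[0].isascii() and cls[0].isdigit()):
        return False, "content-length must be a single decimal value"
    if cls and int(cls[0]) != len(body):
        return False, "content-length does not match body length"
    auth, host = seen.get(":authority", []), seen.get("host", [])
    if len(auth) > 1 or len(host) > 1:
        return False, "duplicate :authority or host"
    if auth and host and auth[0] != host[0]:
        return False, ":authority and host disagree"
    return True, "ok"

def to_http11(headers, body):
    """Serialise to HTTP/1.1 bytes; raises ValueError instead of forwarding."""
    ok, reason = validate_h2_for_downgrade(headers, body)
    if not ok:
        raise ValueError(reason)
    pseudo = {n: v for n, v in headers if n.startswith(":")}
    if not {":method", ":path", ":authority"} <= pseudo.keys():
        raise ValueError("missing required pseudo-header")
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"host: {pseudo[':authority']}"]
    lines += [f"{n}: {v}" for n, v in headers
              if not n.startswith(":") and n not in ("host", "content-length")]
    # Always emit one recomputed Content-Length and never a Transfer-Encoding.
    lines.append(f"content-length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body
```

The body length is recomputed by the proxy itself, so the HTTP/1.1 backend never sees a framing header that the client controlled.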

Never mind that there is no solution for communication between email servers, this one inherently relies on STARTTLS. Not that there ever was a scalable solution for downgrade attacks here…

So STARTTLS is prone to security vulnerabilities. Yet when I was setting up my email server the recommendations were to drop port 465 for TLS-only email submission (messy history) and rather use STARTTLS on port 587. Guess these recommendations need an update. 😒

nostarttls.secvuln.info/

IMHO, the real solution is not merely removing PII but getting rid of all user identifiers. Even a random and anonymous identifier allows connecting data points into a profile of an individual user who can then be deanonymized. But mere data points are less valuable of course.

An older article of mine has been circulating again lately. This real-world scenario shows clearly: the focus on PII (or lack thereof) in collected data is misguided. Given a large enough stash of data, it will often be possible to identify people.

palant.info/2020/02/18/insight

Oh, and one organization considered it a good idea to publish my email address in their security bulletin after I reported a vulnerability to them. Way to go for a security product!

I have hundreds of email addresses, yet almost none of them have ever received spam. Some organizations held onto the email addresses longer than they were supposed to, a few were hacked. But I don’t think any of my email addresses were ever sold to third parties. Surprising.

One of the conclusions of this Blackhat talk:

“Very few companies transferred our personal information in ways that we can confirm”

Yes, it’s the same conclusion here after using a unique email address for each communication partner for several years.

i.blackhat.com/USA21/Wednesday

I rarely recommend browser extensions, but Alt or Not is very simple and secure. This extension enhances Twitter by making image descriptions for visually impaired people visible, and it makes sure you don’t forget them in your own tweets.

abitofaccess.com/alt-or-not

npm reminds me to enable 2FA on my account. Which is a valid reminder, but it raises a question: why do I have this account in the first place? Past Wladimir from 2018 didn’t bother leaving a note what this account was for.

Well, account deleted. Perfect security and no 2FA.

“Smart contracts always do exactly what they are meant to do” they said. “Smart contracts are reliable because no pesky humans are involved” they said.

Reality: “smart contract audits take time, are not cheap, and require highly experienced auditors.”

medium.com/cryptronics/the-5-m

First-time submission to Google’s Developer Data Protection Reward Program. Looking forward to seeing how that goes, particularly given that I already published my findings and merely need Google to act.

Probably not surprising but the browser extension “Keepa – Amazon Price Tracker” is keeping close track on your shopping behavior. What makes this case particularly notable is its privacy policy which claims otherwise.

palant.info/2021/08/02/data-ex

More details in the article here. Grindr gave location data to third parties which was detailed enough to be associated with a priest and to out him as gay. Yet they keep claiming that this is “infeasible from a technical standpoint.” Yeah, sure…

vice.com/en/article/pkbxp8/gri

Huge surprise! Yes, claims that data is being “anonymized” are usually merely a lame excuse. Given enough data, de-anonymization will often be possible. And that’s especially the case for highly sensitive data like movement profiles.

washingtonpost.com/religion/20

I finally got around to disabling the store listings for my Google Search link fix extension. I’ve had no time for it for quite a while already, but I meant to fix a few bugs first. Now I just accepted that this is not going to happen.

Their autoreply mentions the “new data protection policy.” Yes, it has been merely three years. Not nearly enough time to get accustomed to it of course.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.