usability – SSL and internet security news

Hiding Vulnerabilities in Source Code

November 1, 2021 infossl

academic papers, operating systems, security engineering, Security technology, steganography, Uncategorized, usability, vulnerabilities

Really interesting research demonstrating how to hide vulnerabilities in source code by manipulating how Unicode text is displayed. It’s really clever, and not the sort of attack one would normally think about. From Ross Anderson’s blog: We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see … Read More “Hiding Vulnerabilities in Source Code” »

SIM Hijacking

January 21, 2020 infossl

academicpapers, authentication, cellphones, fraud, Security technology, simcards, smartphones, usability

SIM hijacking — or SIM swapping — is an attack where a fraudster contacts your cell phone provider and convinces them to switch your account to a phone that they control. Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take over other accounts of yours. … Read More “SIM Hijacking” »

Lessons Learned Trying to Secure Congressional Campaigns

June 5, 2019 infossl

computersecurity, riskassessment, risks, Security technology, securityawareness, securityeducation, socialmedia, twofactorauthentication, usability, voting

Really interesting first-hand experience from Maciej Cegłowski. Powered by WPeMatico

Good Primer on Two-Factor Authentication Security

August 22, 2018 infossl

authentication, Security technology, twofactorauthentication, usability

Stuart Schechter published a good primer on the security issues surrounding two-factor authentication. While it’s often an important security measure, it’s not a panacea. Stuart discusses the usability and security issues that you have to think about before deploying the system. Powered by WPeMatico

Perverse Vulnerability from Interaction between 2-Factor Authentication and iOS AutoFill

June 20, 2018 infossl

apple, authentication, banking, ios, Security technology, sms, twofactorauthentication, usability

Apple is rolling out an iOS security usability feature called Security code AutoFill. The basic idea is that the OS scans incoming SMS messages for security codes and suggests them in AutoFill, so that people can use them without having to memorize or type them. Sounds like a really good idea, but Andreas Gutmann points … Read More “Perverse Vulnerability from Interaction between 2-Factor Authentication and iOS AutoFill” »

Password Masking

July 19, 2017 infossl

internetofthings, passwords, Security technology, usability

Slashdot asks if password masking — replacing password characters with asterisks as you type them — is on the way out. I don’t know if that’s true, but I would be happy to see it go. Shoulder surfing, the threat is defends against, is largely nonexistent. And it is becoming harder to type in passwords … Read More “Password Masking” »

WhatsApp Security Vulnerability

January 17, 2017 infossl

backdoors, encryption, facebook, Security technology, signal, usability, vulnerabilities, whatsapp

Back in March, Rolf Weber wrote about a potential vulnerability in the WhatsApp protocol that would allow Facebook to defeat perfect forward secrecy by forcibly change users’ keys, allowing it — or more likely, the government — to eavesdrop on encrypted messages. It seems that this vulnerability is real: WhatsApp has the ability to force … Read More “WhatsApp Security Vulnerability” »

The Pro-PGP Position

December 22, 2016 infossl

email, encryption, pgp, Security technology, usability

A few days ago, I blogged an excellent essay by Filippo Valsorda on why he’s giving up on PGP. Neal Walkfield wrote a good rebuttal. I am on Valsorda’s side. I don’t like PGP, and I use it as little as possible. If I want to communicate securely with someone, I use Signal. Powered by … Read More “The Pro-PGP Position” »

Giving Up on PGP

December 16, 2016 infossl

email, encryption, pgp, Security technology, usability

Filippo Valsorda wrote an exellent essay on why he’s giving up on PGP. I have long believed PGP to be more trouble than it is worth. It’s hard to use correctly, and easy to get wrong. More generally, e-mail is inherently difficult to secure because of all the different things we ask of it and … Read More “Giving Up on PGP” »

Security Design: Stop Trying to Fix the User

October 3, 2016 infossl

essays, passwords, Security technology, securityengineering, usability, usb

Every few years, a researcher replicates a security study by littering USB sticks around an organization’s grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get … Read More “Security Design: Stop Trying to Fix the User” »