mastodontech.de ist einer von vielen unabhängigen Mastodon-Servern, mit dem du dich im Fediverse beteiligen kannst.
Offen für alle (über 16) und bereitgestellt von Markus'Blog

Serverstatistik:

1,4 Tsd.
aktive Profile

#cryptoapi

0 Beiträge0 Beteiligte0 Beiträge heute
Antwortete im Thread

@marjolica @utf_7 @dashjackson @froge @arstechnica It'll impact any application that uses #Windows' #CryptoAPI and doesn't come with it's own #Encryption Library and #CertificateManagment.

Needless to say all #Chromium variants and #IE / #Edge are vulnerable to this #Backdoor which exists since at least #WindowsXP to this day!

  • Thus consider said #OS inherently unsafe!
Antwortete im Thread

@GossiTheDog @signalapp it merely prevents #Screenshots by claiming it's #DRM'd content.

The correct solution for #Signal would be to alert all their users and specifically block #Windows in general or at least #Windows11 simply because it is a #Govware and empirically cannot be made private or secure.

But that would require them to actually give a shit, which thed don't, cuz otherwise they would've stopped demanding #PII like a #PhoneNumber and moved out of juristiction of #CloudAct.

  • I mean, what's gonna prevent the #Trump-Regime from threatening @Mer__edith et. al. with lifetime in jail for not kicking the #ICC (or anyone else he and his fans dislike) from #Signal's infrastructure?

Since they are highly centralized.they certainly are capable to comply with "#Sanctions" (or whatever bs he'll claim!)...

Fixes a critical backdoor in Windows' CryptoAPI, which allows to unconsenting Update of CA Certificates in the background. See https://www.heise.de/ct/ausgabe/2013-17-Zweifelhafte-Updates-gefae...
GitHubGitHub - kkarhan/windows-ca-backdoor-fix: Fixes a critical backdoor in Windows' CryptoAPI, which allows to unconsenting Update of CA Certificates in the background. See https://www.heise.de/ct/ausgabe/2013-17-Zweifelhafte-Updates-gefaehrden-SSL-Verschluesselung-2317589.htmlFixes a critical backdoor in Windows' CryptoAPI, which allows to unconsenting Update of CA Certificates in the background. See https://www.heise.de/ct/ausgabe/2013-17-Zweifelhafte-Updates-gefae...
Antwortete im Thread

@gborn @MichaelD @Bundesligatrainer @Ihazchaos nein, eben nicht.

Dass #Windows10 [und besonders #Windows11] nicht #DSGVO- & #BDSG-konform sein können ist evidenzierte Tatsache und ich habe noch keine*n Anwält*in gesehen die etwas anderes behaupten und dafür im Zweifelsfalle auch die #Haftung übernehmen würden.

  • Wohingegen ich mir sicher bin dass @SUSE & @ubuntu mir im Zweifelsfalle sogar ne #Versicherung der #Compliance ab Werk anbieten würden, was #Microsoft aufgrund von #CloudAct inhärent nicht kann!

  • Außerdem verbietet sich das Procurement von Anbietern die in "illegaler Agententätigkeit" [u.a. #PRISM] involviert sind (!!!) schon aus oberflächlicher due diligence...

Von einfach ausnutzbaren #Govware - #Backdoors in der #CryptoAPI unter #Windows hab ich noch garnicht angefangen!

"Encryption at Rest" for JavaScript Projects

Following a previous post (infosec.exchange/@xoron/113446), which can be summarized as: I'm tackling state management with an extra twist: integrating encryption at rest!

I created some updates to the WIP pull-request. The behavior is as follows.

- The user is prompted for a password if one isn't provided programmatically.
- This will allow for developers to create a custom password prompts in their application. The default fallback is to use a JavaScript prompt().
- It also seems possible to enable something like "fingerprint/face encryption" for some devices using the webauthn api. (This works, but the functionality is a bit flaky and needs to be fixed before rolling out.)
- Using AES-GCM with 1000000 iterations of PBKDF2 to derive the key from the password.
- The iterations can be increased in exchange for slower performance. It isn't currently configurable, but it might be in the future.
- The salt and AAD need to be deterministic and so to simplify user input, the salt as AAD are derived as the sha256 hash of the password. (Is this a good idea?)

The latest version of the code can be seen in the PR: github.com/positive-intentions

I'm keen to get feedback on the approach and the implementation before i merge it into the main branch.

Infosec Exchangexoron :verified: (@xoron@infosec.exchange)"Encryption at Rest" for JavaScript Projects I'm developing a JavaScript UI framework for personal projects, and I'm tackling state management with an extra twist: integrating encryption at rest! Inspired by this React Hook: Async State Management (https://positive-intentions.com/blog/async-state-management), I’m extending it to support encrypted persistent data. Here's how: ✨ The Approach: Using IndexedDB for storage. Data is encrypted before saving and decrypted when loading using the Browser Cryptography API. Event listeners will also be encrypted/decrypted to avoid issues like browser extensions snooping on events. The password (should never be stored) is entered by the user at runtime to decrypt the data. (Currently hardcoded for now!) The salt will be stored unencrypted in IndexedDB to generate the key. 🔗 Proof of Concept: You can try it out here: GitHub PR (https://github.com/positive-intentions/dim/pull/8). Clone or run it in Codespaces and let me know what you think! ❓ Looking for Feedback: Have I missed anything? Are there better ways to make this storage secure? Let's make secure web UIs a reality together! 🔒 #JavaScript #Encryption #IndexedDB #WebDevelopment #CryptoAPI #FrontendDev #ReactHooks #StateManagement #WebSecurity #OpenSource #PersonalProjects

"Encryption at Rest" for JavaScript Projects

I'm developing a JavaScript UI framework for personal projects, and I'm tackling state management with an extra twist: integrating encryption at rest!

Inspired by this React Hook: Async State Management (positive-intentions.com/blog/a), I’m extending it to support encrypted persistent data. Here's how:

✨ The Approach:

Using IndexedDB for storage.

Data is encrypted before saving and decrypted when loading using the Browser Cryptography API.

Event listeners will also be encrypted/decrypted to avoid issues like browser extensions snooping on events.

The password (should never be stored) is entered by the user at runtime to decrypt the data. (Currently hardcoded for now!)

The salt will be stored unencrypted in IndexedDB to generate the key.

🔗 Proof of Concept:
You can try it out here: GitHub PR (github.com/positive-intentions). Clone or run it in Codespaces and let me know what you think!

❓ Looking for Feedback:
Have I missed anything? Are there better ways to make this storage secure?

Let's make secure web UIs a reality together! 🔒

positive-intentions.com · Dim: Async State Management | positive-intentionsI'm working on creating something I can call "functional web components".