Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
helvede.net is one of the many independent Mastodon servers you can use to participate in the fediverse.
Velkommen til Helvede, fediversets hotteste instance! Vi er en queerfeministisk server, der shitposter i den 9. cirkel. Welcome to Hell, We’re a DK-based queerfeminist server. Read our server rules!

Administered by:

Server stats:

161
active users

helvede.net: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#authentication

1 post1 participant1 post today
Public
Felix Palmen :freebsd: :c64:

Just released: #swad v0.3!

github.com/Zirias/swad/release

swad is the "Simple Web Authentication Daemon", your tiny, efficient and (almost) dependency-free solution to add #cookie + login #form #authentication to whatever your #reverse #proxy offers. It's written in pure #C, portable across #POSIX platforms. It's designed with #nginx' 'auth_request' in mind, example configurations are included.

This release brings a file-based credential checker in addition to the already existing one using #PAM. Also lots of improvements, see details in the release notes.

I finally added complete build instructions to the README.md:

github.com/Zirias/swad

And there's more documentation available: manpages as well as a fully commented example configuration file.

New features: New credential checker "file", using a password file with bcrypt hashes New tool "swadpw", for editing password files Improvements: [Performance] Support epoll, kqueue and poll in ...
GitHubRelease swad 0.3 · Zirias/swadNew features: New credential checker "file", using a password file with bcrypt hashes New tool "swadpw", for editing password files Improvements: [Performance] Support epoll, kqueue and poll in ...
Replied in thread
Public *
Brad Rubenstein “:verified: 
Mothers maiden name: 5472615884
First car owned: 3656654851
Favorite color: 2580548933

They get generated and stored in the password manager, for each account as needed.

The advantage of ten digit numbers is that they are easy to communicate to a customer service agent over the phone.

IME, no agent has ever batted an eye. It's not even lying. It's just being clear on the purpose.

@marasawr

#Passwords#SecretQuestions#Authentication
Public
Felix Palmen :freebsd: :c64:

Just released: #swad v0.2

SWAD is the "Simple Web Authentication Daemon", meant to add #cookie #authentication with a simple #login form and configurable credential checker modules to a reverse #proxy supporting to delegate authentication to a backend service, like e.g. #nginx' "auth_request". It's a very small piece of software written in pure #C with as little external dependencies as possible. It requires some #POSIX (or "almost POSIX", like #Linux, #FreeBSD, ...) environment, OpenSSL (or LibreSSL) for TLS and zlib for response compression.

Currently, the only credential checker module available offers #PAM authentication, more modules will come in later releases.

swad 0.2 brings a few bugfixes and improvements, especially helping with security by rate-limiting the creation of new sessions as well as failed login attempts. Read details and grab it here:

github.com/Zirias/swad/release

New features: Configurable rate-limits for new session creation Configurable rate-limits for failed login attempts (per session, realm and user name) Configurable types of proxy headers (X-Forward...
GitHubRelease swad 0.2 · Zirias/swadNew features: Configurable rate-limits for new session creation Configurable rate-limits for failed login attempts (per session, realm and user name) Configurable types of proxy headers (X-Forward...
Public
Felix Palmen :freebsd: :c64:

Released: #swad v0.1 🥳

Looking for a simple way to add #authentication to your #nginx reverse proxy? Then swad *could* be for you!

swad is the "Simple Web Authentication Daemon", written in pure #C (+ #POSIX) with almost no external dependencies. #TLS support requires #OpenSSL (or #LibreSSL). It's designed to work with nginx' "auth_request" module and offers authentication using a #cookie and a login form.

Well, this is a first release and you can tell by the version number it isn't "complete" yet. Most notably, only one single credentials checker is implemented: #PAM. But as pam already allows pretty flexible configuration, I already consider this pretty useful 🙈

If you want to know more, read here:
github.com/Zirias/swad

Simple Web Authentication Daemon. Contribute to Zirias/swad development by creating an account on GitHub.
GitHubGitHub - Zirias/swad: Simple Web Authentication DaemonSimple Web Authentication Daemon. Contribute to Zirias/swad development by creating an account on GitHub.
Public
Felix Palmen :freebsd: :c64:

Trying to come up with my own little self-hosted #http #authentication #daemon to work with #nginx' "authentication request" facility ... first step done! 🥳

Now I have a subset of HTTP 1.x implemented in #C, together with a dummy handler showing nothing but a static hello-world root document.

I know it's kind of stubborn doing that in C, but hey, #coding it is great fun 🙈

github.com/Zirias/swad

Simple Web Authentication Daemon. Contribute to Zirias/swad development by creating an account on GitHub.
GitHubGitHub - Zirias/swad: Simple Web Authentication DaemonSimple Web Authentication Daemon. Contribute to Zirias/swad development by creating an account on GitHub.
Public *
Erik van Straten

"Franse overheid voert phishingtest uit op 2,5 miljoen leerlingen"
security.nl/posting/881630/Fra

KRANKZINNIG!

Het is meestal onmogelijk om nepberichten (e-mail, SMS, ChatApp, social media en papieren post - zie plaatje) betrouwbaar van echte te kunnen onderscheiden.

Tegen phishing en vooral nepwebsites is echter prima iets te doen, zoals ik vandaag nogmaals beschreef in security.nl/posting/881655.

(Big Tech en luie websitebeheerders willen dat niet, dus is en blijft het een enorm gevecht).

Foto van een ogenschijnlijk correctie brief verzonden door DigiD, maar hartstikke nep. De brief bevat een QR-code die je zou moeten scannen, waardoor je op een nepwebsite terecht komt. Meer info: https://infosec.exchange/@ErikvanStraten/114154631328996771 Bron van deze foto: https://www.deorkaan.nl/opgepast-digid-oplichting-per-brief/
#Phishing#NepWebsites#DV
Replied in thread
Public
Karl Voit :emacs: :orgmode:

@yacc143 FYI: #Passkeys and #FIDO2 (= "device-bound #passkey" which can be divided into "platform-" and "roaming-authenticators") are identical except the #cloud-sync mechanism (as of my current understanding).

So unfortunately, they get mixed up or are considered as totally different things. Both is wrong.

In reality, they are very similar except that FIDO2 hardware tokens ("device-bound passkeys" only in their "roaming-authenticator" variant) are designed that way, that Passkeys are not being able to extracted from the device (at least for the moment).

Therefore, users of HW tokens can't be tricked into transferring their passkey to a rogue third party, which is possible with all other Passkey variants. Therefore: passkeys are NOT #phishing-resistant in the general case.

#security#authentication#2FA
Replied to Aral Balkan
Public
Erik van Straten

@aral :

I don't want to pay a cent. Neither donate, nor via taxes.

infosec.exchange/@ErikvanStrat

@TheDutchChief @EUCommission @letsencrypt @nlnet

Screenshot from the top of https://www.virustotal.com/gui/ip-address/13.248.197.209/relations The page had already redreshed when I copied the following domain names, so this is just to get an idea: tiles-35312.bond sleepwear-14660.bond prostate-cancer-treatment-95682.bond diet-98948.bond electric-cars-94009.bond packing-jobs-44721.bond dental-implants-48408.bond mattress-19892.bond breast-reduction-mammoplasty-surgery-24489.bond dental-implants-76071.bond rv-camper-motorhomes-90728.bond roofing-services-61345.bond maid-service-26172.bond
Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)Attached: 1 image @aral@mastodon.ar.al : most Let's Encrypt (and other Domain Validated) certificates are issued to junk- or plain criminal websites. They're the ultimate manifestation of evil big tech. They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks. DV has destroyed the internet. People loose their ebank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing atracks). Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website). However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a peace of cake. Decent online authentication is HARD. Get used to it instead of denying it. REASONS/EXAMPLES 🔹 Troy Hunt fell in the DV trap: https://infosec.exchange/@ErikvanStraten/114222237036021070 🔹 Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. Now Chrome does not give you any more info than what Google argumented: https://infosec.exchange/@ErikvanStraten/114224682101772569 🔹 https:⧸⧸cancel-google.com/captcha was live yesterday: https://infosec.exchange/@ErikvanStraten/114224264440704546 🔹 Stop phishing proposal: https://infosec.exchange/@ErikvanStraten/113079966331873386 🔹 Lots of reasons why LE sucks: https://infosec.exchange/@ErikvanStraten/112914047006977222 (corrected link 09:20 UTC) 🔹 This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): https://newly-registered-domains.abtdomain.com/2024-08-15-bond-newly-registered-domains-part-1/. However, this gang is still active, open the RELATIONS tab in https://www.virustotal.com/gui/ip-address/13.248.197.209/relations. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/ @EUCommission@ec.social-network.europa.eu @letsencrypt @nlnet@nlnet.nl #Authentication #Impersonation #Spoofing #Phishing #DV #GoogleIsEvil #BigTechIsEvil #Certificates #httpsVShttp #AitM #MitM #FakeWebsites #CloudflareIsEvil #bond #dotBond #Spam #Infosec #Ransomware #Banks #CloudflareIsEvil #FakeWebsites
#Authentication#Impersonation#Spoofing
Replied to Aral Balkan
Public *
Erik van Straten

@aral : most Let's Encrypt (and other Domain Validated) certificates are issued to junk- or plain criminal websites.

They're the ultimate manifestation of evil big tech.

They were introduced to encrypt the "last mile" because Internet Service Providers were replacing ads in webpages and, in the other direction, inserting fake clicks.

DV has destroyed the internet. People loose their ebank savings and companies get ransomwared; phishing is dead simple. EDIW/EUDIW will become an identity fraud disaster (because of AitM phishing atracks).

Even the name "Let's Encrypt" is wrong for a CSP: nobody needs a certificate to encrypt a connection. The primary purpose of a certificate is AUTHENTICATION (of the owner of the private key, in this case the website).

However, for human beings, just a domain name simply does not provide reliable identification information. It renders impersonation a peace of cake.

Decent online authentication is HARD. Get used to it instead of denying it.

REASONS/EXAMPLES

🔹 Troy Hunt fell in the DV trap: infosec.exchange/@ErikvanStrat

🔹 Google (and Troy Hunt!) killed non-DV certs (for profit) because of the stripe.com PoC. Now Chrome does not give you any more info than what Google argumented: infosec.exchange/@ErikvanStrat

🔹 https:⧸⧸cancel-google.com/captcha was live yesterday: infosec.exchange/@ErikvanStrat

🔹 Stop phishing proposal: infosec.exchange/@ErikvanStrat

🔹 Lots of reasons why LE sucks:
infosec.exchange/@ErikvanStrat (corrected link 09:20 UTC)

🔹 This website stopped registering junk .bond domain names, probably because there were too many every day (the last page I found): newly-registered-domains.abtdo. However, this gang is still active, open the RELATIONS tab in virustotal.com/gui/ip-address/. You have to multiply the number of LE certs by approx. 5 because they also register subdomains and don't use wildcard certs. Source: bleepingcomputer.com/news/secu

@EUCommission @letsencrypt @nlnet

Screenshot from the top of https://www.virustotal.com/gui/ip-address/13.248.197.209/relations The page had already redreshed when I copied the following domain names, so this is just to get an idea: tiles-35312.bond sleepwear-14660.bond prostate-cancer-treatment-95682.bond diet-98948.bond electric-cars-94009.bond packing-jobs-44721.bond dental-implants-48408.bond mattress-19892.bond breast-reduction-mammoplasty-surgery-24489.bond dental-implants-76071.bond rv-camper-motorhomes-90728.bond roofing-services-61345.bond maid-service-26172.bond
#Authentication#Impersonation#Spoofing
Replied in thread
Public *
Erik van Straten

@troyhunt : if we open a website that we've never visited before, we need browsers to show us all available details about that website, and warn us if such details are not available.

We also need better (readable) certificates identifying the responsible / accountable party for a website.

We have been lied to that anonymous DV certificates are a good idea *also* for websites we need to trust. It's a hoax.

Important: certificates never directly warrant the trustworthyness of a website. They're about authenticity, which includes knowing who the owner is and in which country they are located. This helps ensuring that you can sue them (or not, if in e.g. Russia) which *indirectly* makes better identifiable websites more reliable.

More info in infosec.exchange/@ErikvanStrat (see also crt.sh/?Identity=mailchimp-sso).

Note: most people do not understand certificates, like @BjornW in mastodon.social/@BjornW/114064:

@letsencrypt offers certificates to encrypt the traffic between a website & your browser.

2x wrong.

A TLS v1.3 connection is encrypted before the website sends their certificate, which is used only for *authentication* of the website (using a digital signature over unguessable secret TLS connection parameters). A cert binds the domain name to a public key, and the website proves possession of the associated private key.

However, for people a domain name simply does not suffice for reliable identification. People need more info in the certificate and it should be shown to them when it changes.

Will you please help me get this topic seriously on the public agenda?

Edited 09:15 UTC to add: tap "Alt" in the images for details.

Screenshot of https://www.virustotal.com/gui/domain/mailchimp-sso.com/relations It shows that mailchimp-sso[.]com is "hosted" (actally proxied) by Cloudflare IP-addresses.
Screenshot of https://www.virustotal.com/gui/domain/mailchimp-sso.com/details It shows that mailchimp-sso[.]com has a DV-certificate issued by "Google Trust Services".
#DVcerts#Authentication#Impersonation
Public
Felix Palmen :freebsd: :c64:

Ok HOW HARD CAN IT BE? 🤬

Currently trying to allow the #Windows machine I got from work (domain member, very much locked up, no local admin for me) in my private #wifi network (using 802.11x #authentication for #WPA with #freeradius and #PEAP using my own #samba based AD).

I don't strictly *need* it, the machine connects to my open guest wifi (mapped to a VLAN with access *only* to the internet), but it would be really nice being able to also access my local services while working at home.

What I tried:

- Just login (PEAP/MSCHAPv2), obviously. After lots of fiddling and reading logs (freeradius as well as windows events), I found some docs suggesting Windows doesn't support that any more unless you fiddle with something in HKLM, so, no dice, need something else...
- Allow EAP-TLS as well and issue a client certificate for my user, install that on windows. Doesn't work, the machine insists on using the machine cert from the machine store.
- Create a client cert with the UPN of my user in my home network in SAN ... same issue
- Create a client cert with the UPN of my *work* user in SAN ...
- Ok screw that, get freeradius to accept that stupid machine certificate: Allow the internal CA of my workplace and *only* the CN of exactly the machine certificate.

Now, it still won't work and I really don't get it, seeing stuff like:

(13) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(13) eap_tls: (TLS) TLS - send TLS 1.1 Alert, fatal protocol_version
(13) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:protocol version
(13) eap_tls: ERROR: (TLS) TLS - Server : Error in SSLv3 read client hello B

It makes little sense and all fiddling with TLS options so far didn't make it work. For other clients using PEAP, it just works with both TLS1.2 and TLS1.3. WTF is going on here?

Public
Georgiana Brummell

First, they shut down the Basic HTML site, forcing many of us to switch to clients such as Thunderbird. Now, they're using qr codes which are not only inaccessible to the blind but also to those who don't use smartphones! This is ridiculous! Yes, they do still have the option to click whether it's you trying to sign in or not (which still requires a smartphone and a carrier, which they claim to be concerned about), but how long before they remove that, too?

pcmag.com/news/google-is-repla…

#accessibility#Android#authentication
Public
Aral Balkan

New Kitten release

• Fixes redirection from sign-in page when person is already authenticated.

kitten.small-web.org

To learn more about how Kitten automatically implements authentication for your Small Web sites and apps using public-key cryptography (so even your own server doesn’t know your secret)¹, please see the Authentication tutorial:

kitten.small-web.org/tutorials

Enjoy!

:kitten:💕

¹ The security (and privacy) of Domain/Kitten are based on a 32-byte cryptographically random secret string that only the person who owns/controls a domain knows.

This is basically a Base256-encoded ed25519 secret key where the Base256 alphabet is a set of curated emoji surrogate pairs without any special modifiers chosen mainly from the animals, plants, and food groups with some exceptions (to avoid common phobias or triggers, etc.) that we call KittenMoji.

When setting up a Small Web app via Domain, this key is generated in the person’s browser, on their own computer, and is never communicated to either the Domain instance or the Kitten app being installed. Instead the ed25519 public key is sent to both and signed token authentication is used when the server needs to verify the owner’s identity (e.g., before allowing access to the administration area).

The expected/encouraged behaviour is for the person to store this secret in their password manager of choice.

More: kitten.small-web.org/reference

#Kitten#SmallWeb#SmallTech
Public
Schneier on Security RSS

Device Code Phishing

This isn’t new, but it’s increasingly popular:
The technique is known as devic... schneier.com/blog/archives/202

Schneier on Security · Device Code Phishing - Schneier on SecurityThis isn’t new, but it’s increasingly popular: The technique is known as device code phishing. It exploits “device code flow,” a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don’t support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms. Rather than authenticating the user directly, the input-constrained device displays an alphabetic or alphanumeric device code along with a link associated with the user account. The user opens the link on a computer or other device that’s easier to sign in with and enters the code. The remote server then sends a token to the input-constrained device that logs it into the account...
#authentication#Uncategorized#authorization
Public
Hush Line

🪳 We just fixed a bug in self-verifying URLs! Tip line owners, add a link with `rel="me"` and your Hush Line address on your website, then add that website URL to the extra fields on your Hush Line bio's extra fields. You'll receive a checkmark indicating you own or have control over the address listed, adding social proof to your profile, making it more trustworthy to people in your community!

tips.hushline.app/register

This is a screenshot of the Hush Line website, which facilitates anonymous communication. The page is titled “Submit message to Glenn Sorrentino” and includes a brief biography of Glenn Sorrentino, mentioning his role as an Executive Director at Science & Design, Inc. and his experience in cybersecurity and military service. The page provides links to his personal website, Mastodon, and Bluesky profiles. A magnified section highlights the website and Bluesky links in purple. The interface has a purple theme, with navigation options like “Directory,” “Login,” “Register,” and a “Donate” button in the top right corner. At the bottom, there are privacy policy links and a button indicating the availability of a “.onion” version for Tor users.
#whistleblower#opensource#nonprofit
Public
The Uberduck

I'm looking at setting up a bunch of self hosted services to replace our (self, family, friends) dependence on corporate cloud stuff. Email (custom, since none of the Just Add Server offerings do everything I need for free), shared drive (likely nextcloud, ugh), docs (likely collabora), jitsi for video, discourse for group forums, and so on.

I'd like to make all of this SSO, to the extent that it reasonably can be.

I'm probably going to use FreeIPA as the identity source of truth, but I'm finding that there are enough new things I need to learn about centralized authentication that I'm having a hard time finding a starting point that doesn't require a bunch of other context. So I'm asking for help.

Does anyone know of a good guide to these sorts of concepts, preferably available online? I'm familiar with most of the other Linux sysadmin concepts and have plenty of hardware and bandwidth at my disposal.

#selfhosted#selfhosting#SelfHostedApps
Public
Schneier on Security RSS

Pairwise Authentication of Humans

Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations.
To mitigate that risk, I have develop... schneier.com/blog/archives/202

Schneier on Security · Pairwise Authentication of Humans - Schneier on SecurityHere’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations. To mitigate that risk, I have developed this simple solution where you can setup a unique time-based one-time passcode (TOTP) between any pair of persons. This is how it works: Two people, Person A and Person B, sit in front of the same computer and open this page; They input their respective names (e.g. Alice and Bob) onto the same page, and click “Generate”; The page will generate two TOTP QR codes, one for Alice and one for Bob; ...
#authentication#Uncategorized#protocols
Public
Bill

A smart person looked at GitHub's auth and ouch.

flatt.tech/research/posts/clon

GMO Flatt Security Research · Clone2Leak: Your Git Credentials Belong To UsIntroduction Hello, I’m RyotaK ( @ryotkak ), a security engineer at GMO Flatt Security Inc. In October 2024, I was hunting bugs for the GitHub Bug Bounty program. After investigating GitHub Enterprise Server for a while, I felt bored and decided to try to find bugs on GitHub Desktop instead. After reading the source code of GitHub Desktop, I found a bug that allows a malicious repository to leak the user’s credentials. Since the concept of the bug is interesting, I decided to investigate other Git-related projects and found many bugs.
#github#authentication
ExploreLive feeds
About