writing.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
A small, intentional community for poets, authors, and every kind of writer.

#httpwarning
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@thomasbosboom" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>thomasbosboom</span></a></span> : I reported the passkey (and password) bug privately to Apple in the summer of 2023. Even after providing a near-endless amount of screenshots and other proof, Apple said it's a wontfix.</p><p>The basic issue is that, if the user does not use biometrics to unlock their iPhone or iPad, they are NOT asked to enter their (screen unlock) passcode to use passwords from iCloud keychain.</p><p>IMO that in itself is already insane (considering [1]). Many people do not use biometrics.</p><p>If no bio is used (and even if it is) there are specific circumstances where someone with access to an unlocked iDevice (think of children) can use passkeys without any local authentication.</p><p>Just tested using iOS v18.3: with my iPhone unlocked, I can log in to <a href="https://icloud.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">icloud.com</span><span class="invisible"></span></a> and (fixed URL 20:48 UTC) <a href="https://account.apple.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">account.apple.com</span><span class="invisible"></span></a> using the passkey on my iPhone WITHOUT providing any credentials.</p><p>If <span class="h-card" translate="no"><a href="https://hachyderm.io/@rmondello" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>rmondello</span></a></span> reads this: thank you for adding the Safari "Not Secure Connection Warning"!</p><p>Even if it is not enabled by default, this http warning should help protect against EvilTwin attacks (such as described in <a href="https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/australian-charged-for-evil-twin-wifi-attack-on-plane/</span></a>).</p><p>[1] See WSJ's Joanna Stern in <a href="https://youtube.com/watch?v=QUYODQB_2wQ" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">youtube.com/watch?v=QUYODQB_2wQ</span><span class="invisible"></span></a> and <a href="https://youtube.com/watch?v=tCfb9Wizq9Q" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">youtube.com/watch?v=tCfb9Wizq9Q</span><span class="invisible"></span></a>. And no, I do not believe that Stolen Device Protection is a good idea. Most people will not use it.</p><p><span class="h-card" translate="no"><a href="https://nrw.social/@roman78" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>roman78</span></a></span> </p><p><a href="https://infosec.exchange/tags/httpsOnly" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpsOnly</span></a> <a href="https://infosec.exchange/tags/httpWarning" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpWarning</span></a> <a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Passkeys</span></a> <a href="https://infosec.exchange/tags/iCloudKeychain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iCloudKeychain</span></a> <a href="https://infosec.exchange/tags/Biometrics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Biometrics</span></a> <a href="https://infosec.exchange/tags/StolenDeviceProtection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>StolenDeviceProtection</span></a></p>
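<p>Added example, not part of the post above and not Apple's or any relying party's own code: the one thing a website can do on its side about passkeys being usable without a local check is to request <code>userVerification: "required"</code> in the assertion options and then refuse assertions whose authenticator data does not carry the UV (user verified) flag. The byte layout and flag bits are those of the WebAuthn authenticator data structure; the relying party ID <code>example.com</code> and the assertion bytes are constructed here. Whether a particular platform authenticator really performs a local passcode or biometric check before it sets UV is not something this page establishes; the check below only rejects assertions that do not even claim one.</p>

```python
"""
Added example: relying-party side check of the WebAuthn authenticator data
flags in a passkey assertion. Not code from the original post. The rpId
"example.com" and all assertion bytes below are constructed for the demo.
"""
import hashlib
import struct

# Flag bits of the authenticator data "flags" byte (WebAuthn).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified: authenticator claims a local PIN/passcode/biometric check
FLAG_BE = 0x08  # backup eligible: credential may be synced (e.g. a keychain passkey)
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData and check rpIdHash."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    expected_hash = hashlib.sha256(rp_id.encode("ascii")).digest()
    return {
        "rp_id_ok": rp_id_hash == expected_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def assertion_acceptable(auth_data: bytes, rp_id: str, require_uv: bool = True) -> tuple:
    """
    Return (ok, reason). With require_uv=True the relying party rejects any
    assertion in which the authenticator did not claim user verification,
    which is the server-side counterpart of asking for
    userVerification: "required" in the assertion options.
    """
    info = parse_authenticator_data(auth_data, rp_id)
    if not info["rp_id_ok"]:
        return False, "rpIdHash mismatch"
    if not info["user_present"]:
        return False, "UP flag not set"
    if require_uv and not info["user_verified"]:
        return False, "UV flag not set: no local user verification claimed"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build the 37-byte fixed part of authenticatorData (constructed test data)."""
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "example.com"
    verified = make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 7)
    unverified = make_auth_data(rp, FLAG_UP | FLAG_BE | FLAG_BS, 7)
    print("verified  :", assertion_acceptable(verified, rp))
    print("unverified:", assertion_acceptable(unverified, rp))
```

<p>Usage note: the signature over the authenticator data and client data hash still has to be verified against the stored public key before these flags mean anything; this block only covers the flags check that decides whether a silently used passkey is accepted.</p>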
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@thomasbosboom" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>thomasbosboom</span></a></span> : I was already in the middle of writing this:</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@thomasbosboom" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>thomasbosboom</span></a></span> : it is a new setting in Safari - which is *OFF* by default.</p><p>The photos below are from my girlfriend's iPhone. Although "Automatic Updates" is on, the latest update (and possibly more than one) was not installed automatically. Her iPhone was still on iOS v18.1.1, and Safari does not have that setting there yet.</p><p>Just updated (what an ugly word) to v18.3.</p><p>On her iPad Pro too, which will not update beyond iPadOS v16.7.10, Safari (unfortunately) does not have that setting. Hopefully it will come along with the next update for a serious vulnerability.</p><p><a href="https://infosec.exchange/tags/Safari" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Safari</span></a> <a href="https://infosec.exchange/tags/httpsOnly" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpsOnly</span></a> <a href="https://infosec.exchange/tags/httpWaarschuwing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpWaarschuwing</span></a> <a href="https://infosec.exchange/tags/httpWarning" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpWarning</span></a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iOS</span></a> <a href="https://infosec.exchange/tags/iPadOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPadOS</span></a> <a href="https://infosec.exchange/tags/iPhone" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPhone</span></a> <a href="https://infosec.exchange/tags/iPad" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPad</span></a> <a href="https://infosec.exchange/tags/iOSv18_3" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iOSv18_3</span></a> <a href="https://infosec.exchange/tags/iOSv18_1_1" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iOSv18_1_1</span></a> <a href="https://infosec.exchange/tags/iOSv18_2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iOSv18_2</span></a> <a href="https://infosec.exchange/tags/AutomaticUpdates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AutomaticUpdates</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@thomasbosboom" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>thomasbosboom</span></a></span> : so that "nuance" does not hold when the setting mentioned earlier is OFF.</p><p>If you then open <a href="http://gemeente.amsterdam" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">http://</span><span class="">gemeente.amsterdam</span><span class="invisible"></span></a>, you get NO warning - because there is only *briefly* an http connection.</p><p>For an attacker (e.g. with an "Evil Twin" access point) that is enough to redirect the browser to a *different* server, one that does support https. The user then sees no warning at all - but is looking at a fake website.</p><p>That is why, back then, I shamed "werk.nl" among others (<a href="https://security.nl/posting/803597" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/803597</span><span class="invisible"></span></a> - fixed thanks to my noise, see <a href="https://security.nl/posting/807153" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/807153</span><span class="invisible"></span></a>).</p><p><a href="https://infosec.exchange/tags/EvilTwin" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EvilTwin</span></a> <a href="https://infosec.exchange/tags/PublicWiFi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PublicWiFi</span></a> <a href="https://infosec.exchange/tags/FakeAccessPoint" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FakeAccessPoint</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/httpWarning" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpWarning</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@thomasbosboom" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>thomasbosboom</span></a></span> : Great, thank you! Have I overlooked that all this time, or was this setting added recently?</p><p>For Dutch-speaking iOS/iPadOS users: see the pictures below. NB: there is a lot of info under the Alt button, especially for the second picture (at the bottom I describe a new security risk).</p><p>NOTE: if you tap "Continue", the http connection is made. After that, especially on public WiFi, pay very close attention to the domain name (in Safari's address bar) you eventually end up on!</p><p>Once again as a test, two websites:</p><p>1) <a href="http://gemeente.amsterdam" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">http://</span><span class="">gemeente.amsterdam</span><span class="invisible"></span></a></p><p>2) <a href="http://http.badssl.com" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">http://</span><span class="">http.badssl.com</span><span class="invisible"></span></a></p><p>If the first one redirects you, *without* a warning, to another website, check carefully that this is <a href="https://amsterdam.nl" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">amsterdam.nl</span><span class="invisible"></span></a> (without warnings) and not a *different* domain name!</p><p>If you configure the setting as shown below, Safari should warn you (only the first time you open <a href="http://gemeente.amsterdam" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">http://</span><span class="">gemeente.amsterdam</span><span class="invisible"></span></a>). It appears that Safari "forgets" your consent to http for a specific website as soon as you close Safari (by swiping it off the screen in its slightly shrunken state).</p><p>If the second link shows you a red screen, the setting is (still) not right - unless you have opened that same site before (and have not closed and reopened Safari since).</p><p>NB: in Edge, Firefox and Firefox Focus for iOS/iPadOS I *unfortunately* still cannot find such a setting.</p><p><a href="https://infosec.exchange/tags/Safari" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Safari</span></a> <a href="https://infosec.exchange/tags/iOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iOS</span></a> <a href="https://infosec.exchange/tags/iPadOS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>iPadOS</span></a> <a href="https://infosec.exchange/tags/httpsOnly" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpsOnly</span></a> <a href="https://infosec.exchange/tags/httpWaarschuwing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpWaarschuwing</span></a> <a href="https://infosec.exchange/tags/httpWarning" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpWarning</span></a> <a href="https://infosec.exchange/tags/httpEntwarnung" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>httpEntwarnung</span></a></p>
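<p>Added example, not part of the posts above and not code from Safari or from any of the sites named: the plaintext hop that the two preceding posts describe (the "brief" http connection to <code>gemeente.amsterdam</code> that answers with a redirect to <code>https://amsterdam.nl</code>, and the test against <code>http.badssl.com</code>), reduced to a classifier that looks at what a single http request turned into. The three responses are constructed for this example, and the attacker's host name <code>amsterdam-nl.example</code> is invented; nothing here is captured traffic.</p>

```python
"""
Added example: classify the outcome of one plaintext http request, as a
browser that only warns on the *final* page would see it. Not code from
the original posts; all responses below are constructed, the Evil Twin
host name is hypothetical.
"""
from urllib.parse import urljoin, urlsplit


def parse_response_head(raw: bytes) -> tuple:
    """Parse status code and headers from a raw HTTP/1.1 response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, status, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers


def classify_plaintext_hop(request_url: str, raw_response: bytes, expected_hosts=()) -> str:
    """
    What did the plaintext request turn into?
      plaintext_page               no redirect, the page itself is served over http
      plaintext_redirect           redirected, but still to an http URL
      https_same_host              upgraded to https on the same host
      https_cross_host_expected    https on a host the caller listed as legitimate
      https_cross_host_unexpected  https on a host nobody vouched for (the Evil Twin case)
    """
    status, headers = parse_response_head(raw_response)
    location = headers.get("location")
    if not (300 <= status < 400) or location is None:
        return "plaintext_page"
    # Location may be relative; resolve it against the request URL as a browser would.
    target = urlsplit(urljoin(request_url, location))
    origin_host = urlsplit(request_url).hostname
    if target.scheme != "https":
        return "plaintext_redirect"
    if target.hostname == origin_host:
        return "https_same_host"
    if target.hostname in expected_hosts:
        return "https_cross_host_expected"
    return "https_cross_host_unexpected"


# Constructed responses (illustrative bytes, not captured traffic).
LEGIT_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://amsterdam.nl/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Hypothetical Evil Twin answer to the very same plaintext request; host name invented.
EVIL_TWIN_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://amsterdam-nl.example/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# A page that simply stays on http (the http.badssl.com test case).
PLAINTEXT_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 11\r\n\r\n"
    b"<p>http</p>"
)


def demo() -> dict:
    """Run the constructed responses through the classifier."""
    url = "http://gemeente.amsterdam/"
    return {
        "legit": classify_plaintext_hop(url, LEGIT_REDIRECT, expected_hosts={"amsterdam.nl"}),
        "evil_twin": classify_plaintext_hop(url, EVIL_TWIN_REDIRECT, expected_hosts={"amsterdam.nl"}),
        "no_allowlist": classify_plaintext_hop(url, LEGIT_REDIRECT),
        "badssl": classify_plaintext_hop("http://http.badssl.com/", PLAINTEXT_PAGE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13} {verdict}")
```

<p>Usage note: the <code>no_allowlist</code> case is the point of the posts. Without out-of-band knowledge of where <code>gemeente.amsterdam</code> is supposed to land, the legitimate cross-domain redirect and the attacker's are the same category, which is why the only user-side defence left is reading the domain name in the address bar. A browser only honours a Strict-Transport-Security header it received over https, so the first plaintext request is exactly the window an Evil Twin needs; not sending that request at all (an https-only or "warn on http" mode, or HSTS preloading of the domain) is what closes it.</p>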