Collaborate Disseminate
Consider a cryptographic web application that relies on hosted JavaScript. This JavaScript could be manipulated server-side by a bad actor, defeating any cryptographic tasks. Namely:
private keys could be sent back to the s… Continue reading Does the Web Cryptography API prevent a bad server from slurping cleartext?
Typical USB tokens (Nitrokey, YubiKey…) allow an everyday user to store PGP keys and use them to encrypt email, harddrives and so on.
The same vendors also offer distinct products called HSMs (Nitrokey HSM, YubiHSM). The suggested use c… Continue reading Why is an HSM required to protect CA certificates (rather than a regular USB token)?
There are multiple mechanisms (some now defunct) that allow me to access service A (the Relying Party / RP) using a token granted by service B (the Identity Provider / IdP). Typically these replace a username-and-password log… Continue reading Can an identity provider impersonate me? (Can Facebook post Stack Overflow questions under my name?)
In discussions around the ongoing transition from X.org to Wayland, I regularly come across comments along the lines of “Linux security is not there yet”. This refers to Wayland’s promise of better (but not perfect) desktop i… Continue reading Do any non-GNU/Linux display managers provide the same isolation as Wayland?
I have been using an SSD with no system-level encryption. If I now switch to full disk encryption using LUKS + LVM, do I effectively wipe the old data, or is it still hanging around until overwritten?
Continue reading If I switch to LUKS on an SSD, have I just wiped it?
Given an ext4 harddrive (not SSD) with no files, is running
sudo shred -n1 /dev/sda
# one pass, no zeroes, over whole drive
demonstrably less reliable than using Bleachbit’s “Wipe free disk space” tool on the same location… Continue reading Is shred -n1 /dev/sda demonstrably worse than Bleachbit?
I recently read about OpenGPG cards, hardware tokens that support authentication and encryption. They are usually smartcard-based, but USB-based tokens also exist (for example, Nitrokey and YubiKey).
My laptop has an “SD-MMC… Continue reading Is there an OpenGPG hardware token for an SD-MMC slot? [on hold]
A traditional antivirus scans data at rest and data in transit for known virus signatures. (Where “virus” includes trojans, rootkits, et al.)
This does not help when defending against zero-days and active intrusions. By defi… Continue reading What do you call an antivirus that detects suspicious activity?
I want to test that the connection from my local machine to my VPN is set up correctly, specifically that I do not have DNS leaks.
I am aware of web-based tools like dnsleaktest.com but they aren’t suitable for repeated and/… Continue reading Can I perform a local test for DNS leaking?
After Heartbleed was announced, a number of tests popped up that let me test if a server I was connecting to was patched, unpatched or unknown. For example, https://filippo.io/Heartbleed/
Is such a test possible for KRACK? I… Continue reading Is there a test for KRACK (devices and routers)?