"Making the legal case for breakups will be hard, though, because the internet giants don’t fit the stereotype of rapacious monopolists (emphasis added) that raise prices and squeeze investment. They manipulate markets in a different and seemingly more benevolent way. They’ve become so dominant by developing products and services that many of us want to use. And they gain their immense power through collecting data about our online activity." - via Martin Giles writing at the MIT Technology Review
Via Peter Bright writing at Ars Technica, comes an interesting piece discussing the efforts to implement and deploy WebAuthn, the so-called passwordless authentication scheme promulgated by the W3C, and fully implemented in Mozilla Firefox 60 and Google Chrome 67. Enjoy!
'This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.' via the Web Authentication Working Group
News of the release of OpenSnitch - the GNU/Linux port of Objective Development's much beloved Little Snitch, a native macOS application firewall - is the big news around our locale today. As of the date of this post, OpenSnitch is in alpha release state, with the caveat: 'Warning: This is still alpha quality software, don't rely on it (yet) for your computer security.' Additional information is available via the OpenSnitch GitHub Readme. H/T
Terrific bit of reportage by Richard Chirgwin, whilst writing at El Reg and detailing the so-called cost-benefit methodology explaining efforts underway to further protect browser bits; and, while you're at it, examine if you will the research paper mentioned in the post, quite likely one of the more interesting papers you may read today.
Via the inimitable Catalin Cimpanu, comes this tale of web-based subterfuge that should enrage all legitimate users on our vaunted interwebs. In this case, the use of hidden login fields (and their parent forms) used by evil usage trackers on seemingly legit sites. Is it any wonder that the effort to block both web advertising and the evil cousin to such: Web Trackers (both nefarious and otherwise) is a growth business in the browser addon market? Read it and Weep My Friends, for the demise of both privacy and your personal authentication data.
"The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list." - via Catalin Cimpanu writing at Bleeping Computer
Martin Brinkmann, writing at GHacks, targets the proliferation of spam extensions flooding the Mozilla Foundation's Firefox AMO Web Extension Store. Further proof of deep administrative incompetence at Mozilla Foundation, or something else? You be the judge.
"The site is abused by spammers currently who flood it with extension listings designed to get users to click on links in the description. The method that these spammers use is simple: they have copied the Chrome extension Hide My IP and use it as the extension that they upload." - via Martin Brinkmann, writing at GHacks
Via gHacks author Martin Brinkmann, comes the astonishing tale of deeply flawed user data management at Mozilla Foundation. Along with the Foundation's Firefox browser resource and Web Extension data leakage woes, now comes a highly user-antagonistic decision to commence collecting user browsing data on an opt-out basis. Truly this week's evidence that Blatant Stupidity still exists in the browser world.
"Mozilla's Georg Fritzsche published information on the plan to collect additional data yesterday on the Mozilla Governance group. In it, he describes the issue that Mozilla engineers face currently. While Firefox may collect the data when users opt-in, Mozilla believes that the data is biased and that only data collecting with opt-out would provide unbiased data that the engineers can work with. Questions that this data may help answer include "which top sites are users visiting", "which sites using Flash does a user encounter", and "which sites does a user see heavy Jank on" according to Fritzsche." excerpt via Martin Brinkmann writing at gHacks
Is Google Inc. aka Alphabet Inc (NasdaqGS: GOOG) complicit in the enormous number of fake links (which redirect users to false and/or fraudulent sites) in Google Maps? Of course they are, as, by definition, they own it. What's worse, the company possesses the in-built capability to police those links to protect its users, but does not - in reality - do so.
Dr. Jaap-Henk Hoepman's security posts (via his blog), detailing his provocative yet fundamentally sound thoughts on the subject of terminating the use of certificates, are today's absolute MustRead.
The basic idea - A few days ago I explained the idea including a mechanism to detect phishing attacks. This makes the protocol more complex, and creates confusion. So let’s try again, explaining the basic idea first. Whenever a browser sets up a new TLS connection with a domain, the web server serving that domain responds with its public key (instead of a certificate, as is currently the case) in the initial TLS handshake. (This is more precise than saying that the web server sends its public key in the header of every page it sends.)... Read more at Dr. Hoepman's blog
Meanwhile, in cruft news...
A Tale of Cruftery
First discovered by security researcher Alexander Klink, and discussed on his shift or die blog, the leakage documentation he has amassed is a tour de force in correct handling of the discovery. Mozilla's response has been a tad lackadaisical and (disappointingly) still in telemetry data gathering mode as of this post.
Superb work by Alexander; nonetheless, he does suggest regularly cleansing your browser user profile (if you are so unlucky as to be using the browser under scrutiny, yet most likely a good idea on any browser). There are many tools available that deal with the cache cleaning task (both scripted and manual, GUI-based and not, both in-built and otherwise). Enjoy the cruft. H/T