
#HSTS


CyberSecurity / Capitalism+QuickMoney

How many cybersecurity professionals might be (like me) sitting at home burnt out? Exhausted from flogging dead horses?

While Mark Rutte asks for money for more than a thousand bombs and grenades, our digital security is in a DEPLORABLE state (with ever more of your data being collected digitally). The Netherlands, too, can probably expect NIS2 fines from the EU, while the general public has NO idea of it.

🔸 "The Netherlands is expected to implement the NIS2 directive in the third quarter of 2025
[...]
This means the deadline set by the EU is missed by a year.
[...]
The NIS2 directive is a revision of the 2016 directive on network and information security [...]"
security.nl/posting/862388/Ned

🔸 "Lack of budget slows NIS2 compliance"
computable.nl/2024/10/23/gebre

Google.com searches (your results may differ depending on the profile biG has of you; sitemaps, job vacancies, adverts and the like not counted):

site:nos.nl "NIS2" ➡️ 0 hits
site:nu.nl "NIS2" ➡️ 1 hit
site:rtl.nl "NIS2" ➡️ 2 hits

site:trouw.nl "NIS2" ➡️ 1 hit
site:volkskrant.nl "NIS2" ➡️ 1 hit
site:ad.nl "NIS2" ➡️ 3 hits
site:telegraaf.nl "NIS2" ➡️ 5 hits
site:fd.nl "NIS2" ➡️ 8 hits
site:nrc.nl "NIS2" ➡️ 9 hits

Most are silent about the introduction of that law. Or rather, about the *not implementing/enforcing* of that law.

Incidentally:
site:security.nl "NIS2" ➡️ many hits
site:tweakers.net "NIS2" ➡️ many hits
site:nl "NIS2" ➡️ a great many hits

The same goes for Germany (in English): heise.de/en/news/Breach-of-con (latest news: heise.de/en/news/NIS2-implemen).

☔ Tip: you can simply use Firefox Focus alongside your other web browser(s). It works for most sites (YouTube included). This browser reportedly remembers *nothing*. No cookies or other identifying info, a clean slate every time. Downside: cookie prompts every time. Click, gone. In any case, DO turn on "HTTPS-Only Mode" (*)! (Because, technically: HSTS data is wiped as well.) NB: unfortunately that setting is not available in the iOS/iPadOS version of that browser.

(*) This means you are *asked* whether you want to use http when https is not available. Never use http on untrusted networks, such as public WiFi!

#CyberSecurity #Puinhoop #NIS2
Replied in thread

@fennix : the problem is NOT that people type http:// followed by a domain name in their browser's address bar.

Instead, the problem is that they type:

rmondello.com

or

cisco.com

etc.

in the address bar of their browser.

Only if the website *correctly* (1) supports HSTS *and* you've visited the site sufficiently recently using *this* browser *and* the browser has not lost its HSTS database (for frivolous reasons or whatever), is https enforced.

(1) Not, one example of many, Rmondello.com (see internet.nl/site/rmondello.com).

@jwildeboer @rmondello


In a post that disappeared, @jwildeboer wrote:

"@rmondello I do note that when I open mondello.com in my browser, I get a placeholder page that is http only, no https. This would be a reason that it *seems* that it is unreachable, because many browsers nowadays refuse to open sites without https."

Unfortunately, that is *not* true. Browsers unnecessarily make the internet LESS SAFE. IT'S CRAZY!

*Some* browsers will try https first when you type http:⧸⧸mondello.com (use // instead of ⧸⧸ I used to prevent Mastodon from showing http://). So far, so good.

However, if an AitM (Attacker in the Middle, such as on public WiFi) blocks traffic from your browser to TCP port 443 (https) on the server, the browser will *silently* try port 80 (http). Pwned.

This may happen in practice, for example on airports (bleepingcomputer.com/news/secu).

Except for iOS and iPadOS, most browsers have an "https only" setting that is *OFF* by default, while its name is misleading.

*On* means that you can still use http, but you'll have to manually agree (you can still access the http devices on your local network, or on the internet. But you will be WARNED).

However, Chrome appears to remember exceptions FOR EVER (I had to delete all browser data to make the last screenshot below. However, that also clears the browser's HSTS database).

On iOS/iPadOS, from Safari, Edge, Firefox and Chrome, only Chrome has this option. So only Chrome provides *some* protection. People do not type "https://" in front of domain names, and most QR-codes I check are insecure.

To test: open http.badssl.com. Instead of immediately seeing a (red) webpage, your browser should protect you by asking whether you want to use an http-connection.

Alternative test-site (non-compliant with the Dutch law):
gemeente.amsterdam
(Gemeente translates to municipality).

(Exactly that is why I wrote this, in Dutch: infosec.exchange/@ErikvanStrat earlier this afternoon).

Note: Firefox on Android seems to forget "http allowed" exceptions when the browser is fully closed (good).

@rmondello

#httpsOnly #HSTS #httpsvshttp
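To make the fallback behaviour discussed in the post above concrete, here is an added example (not code from the original post, and not any browser vendor's implementation): a small Python model of how a browser resolves a typed address under three simplified upgrade policies, with and without an attacker who drops traffic to port 443. The policy names, the `Browser`/`Network` classes, the helper functions and the host `example.com` are constructed assumptions.

```python
"""Model of how a browser resolves a typed address under three simplified
upgrade policies, with and without an attacker who drops TCP 443.

Added example; not code from the original post or from any browser vendor.
Policy names, classes and the example host are constructed assumptions.
"""
from dataclasses import dataclass, field

LEGACY = "legacy"            # scheme-less input goes straight to http
HTTPS_FIRST = "https-first"  # try https, silently fall back to http
HTTPS_ONLY = "https-only"    # try https, ask the user before using http


@dataclass
class Network:
    """What the client can reach; an AitM on public WiFi can flip these."""
    https_reachable: bool = True
    http_reachable: bool = True


@dataclass
class Browser:
    policy: str = HTTPS_FIRST
    hsts_store: set = field(default_factory=set)       # hosts that demanded https
    http_exceptions: set = field(default_factory=set)  # remembered "allow http" answers


def navigate(browser: Browser, typed: str, net: Network) -> str:
    """Outcome of one navigation: "https", "http", "prompt" or "error"."""
    scheme, sep, rest = typed.partition("://")
    if not sep:                       # bare name, e.g. "example.com"
        scheme, rest = "", typed
    host = rest.split("/", 1)[0].lower()

    # An explicit https:// or a known HSTS host forbids any fallback:
    # if 443 is unreachable the user gets an error, never plain http.
    if scheme == "https" or host in browser.hsts_store:
        return "https" if net.https_reachable else "error"

    if browser.policy == LEGACY:
        return "http" if net.http_reachable else "error"

    if net.https_reachable:           # the upgrade attempt succeeded
        return "https"

    # https failed (blocked, or the site has none): what happens now is
    # exactly the difference the thread is about.
    if browser.policy == HTTPS_FIRST:
        return "http" if net.http_reachable else "error"  # silent downgrade
    if host in browser.http_exceptions:
        return "http"                 # user already said "allow" earlier
    return "prompt"                   # https-only: warn before going to http


def allow_http(browser: Browser, host: str) -> None:
    """User answers the https-only prompt with "continue to http"."""
    browser.http_exceptions.add(host.lower())


def close_browser(browser: Browser, forgets_exceptions: bool) -> None:
    """Model the difference between browsers that drop exceptions on exit
    and those that keep them."""
    if forgets_exceptions:
        browser.http_exceptions.clear()


def clear_all_site_data(browser: Browser) -> None:
    """Clearing website data wipes the HSTS store along with the exceptions,
    so a fresh profile or a forgetful browser loses HSTS protection too."""
    browser.hsts_store.clear()
    browser.http_exceptions.clear()


def outcomes_with_443_blocked(host: str = "example.com") -> dict:
    """Compare the policies when an attacker drops https traffic."""
    blocked = Network(https_reachable=False)
    return {
        LEGACY: navigate(Browser(LEGACY), host, blocked),
        HTTPS_FIRST: navigate(Browser(HTTPS_FIRST), host, blocked),
        HTTPS_ONLY: navigate(Browser(HTTPS_ONLY), host, blocked),
        "hsts-known": navigate(Browser(HTTPS_FIRST, hsts_store={host}), host, blocked),
        "typed-https": navigate(Browser(HTTPS_FIRST), "https://" + host, blocked),
    }


if __name__ == "__main__":
    for name, result in outcomes_with_443_blocked().items():
        print(f"{name:12s} -> {result}")
```

Run stand-alone, the script shows the three outcomes the thread describes: the legacy and https-first policies both land on plain http when 443 is blocked, https-only stops at a prompt, and a known HSTS host or an explicitly typed `https://` ends in an error rather than a downgrade. The `close_browser` and `clear_all_site_data` helpers model the two lifecycle differences mentioned for Firefox and Chrome: whether an "allow http" answer survives a restart, and that clearing site data also empties the HSTS store.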
Replied in thread

@valorin : thanks, I wasn't aware of the existence of an RFC for a default change-password file!

For those interested: internet.nl checks any webserver for, among a lot of other things, the existence of the security.txt file (it shows its results in English, you don't have to know what Goudse kaas, stroopwafels and hagelslag mean ;-)

Best practices: internet.nl checks for lawful requirements of Dutch (Netherlands) governmental websites. After more than a year since that law came into effect, still a lot of govt. websites do not fully comply. In particular, many have still not set up HSTS correctly, such as Almere (internet.nl/site/almere.nl/295 - not detected by developer.mozilla.org/en-US/ob).

Unfortunately HSTS (which too often does not work) still has to help internet users, as browsers still do not *enforce* https connections in a sensible way (infosec.exchange/@ErikvanStrat).

(Coen Wesselman @wsslmn : do you like the idea of adding a check for "/.well-known/change-password", and if so, is that something you could ask to be included in the tests by internet.nl?)

Replied in thread

@textualdeviance wrote, among other things:

« Sudden revolutions come with obscenely high body counts of innocent civilians. »

That is not necessarily true, in for example the following cases:

🔸 en.wikipedia.org/wiki/Velvet_R

🔸 A revolution that STOPS killing must take place #NOW. The annihilation of Palestinians is simply unacceptable, in particular because western countries condone, support or even encourage it. At some point the governments of the USA, NL and others must stop following orders from their Zionist sponsors, in order to not make them EVEN MORE complicit to genocide.

🔸 Personally I'm "fighting" for a safer internet; fixing tech does not have to involve bloodshed at all (although big tech and leeches like safer.io/ will lose income). Such as:

• By insisting on a system where internet users can distinguish between fake and authentic websites (see infosec.exchange/@ErikvanStrat);

• By providing strong arguments why "Chatcontrol" (governments scanning every smartphone looking for Child Sexual Abuse Material - and what not) will not protect a single child - on the contrary (infosec.exchange/@ErikvanStrat; chatcontrol is *not* just a privacy risk);

• By warning for passkeys (infosec.exchange/@ErikvanStrat) and suggesting better alternatives;

• By warning for risks such as when unlocking the screen of an iPhone/iPad with a PIN (infosec.exchange/@ErikvanStrat);

• By warning for security measures that are easily bypassed, such as 2FA/MFA (using SMS, voice, or TOTP "Authenticator" apps including Microsoft's using "number matching");

• Et cetera.

@0xabad1dea

#AIPAC #CIDI #Gaza

@lapcatsoftware : clearing all website data also deletes the HSTS register.

AFAIK Safari has no setting "https only" - in the sense that you're "always" (*) warned when https does not work.

(*) Not really always: Firefox on Android (and Windows IIRC) remembers it until you close the browser after you said OK when you open http.badssl.com (a testing site for various https-related issues). OTOH Chrome seems to remember such a choice indefinitely (although I'm not sure -trying to recall it- if I tested that with a connection to a different network).

In particular when using public WiFi or another untrusted network, make sure that every link that you open, begins with https:// (having or typing that *forces* the browser *not* to try http if https fails).

A bit more info: infosec.exchange/@ErikvanStrat

#HSTS #http #https
Replied in thread

@pmevzek : all those "terrific" new Google HSTS preload TLDs [1] do one terrific job for sure: facilitate cybercrime by confusing all but expert internet users.

They were created for purely commercial purposes. Say someone has registered "microsoft.com". Now *YOU* have the possibility to register "microsoft.dev"! Unless another criminal is faster than you, or Microsoft, or a registrar who speculates that they can resell it for a higher price. Guess who wins most and who gets to pay in the end. It is sick.

[1] thesslstore.com/blog/google-fo

W.r.t. the supposed advantage of https over http: It is irrelevant if a connection to a criminal website (usually impersonating a real one) uses http or https.

To reduce the risks when deciding to trust a website, an internet user (who understands the necessity) needs to know at least the following things:

(1) Who apparently *owns* a website;

(2) The probability that the owner is who they claim to be.

Big tech deliberately frustrates this process using lies: see infosec.exchange/@ErikvanStrat for more info.

Apart from junk TLDs, the "good old" TLDs are *not* on the HSTS preload list. For added security each .com (and a zillion other TLDs) website would have to register with the preload list - which does not scale.

To be honest, HSTS has a slight advantage in most (or all?) browsers: *if* the browser "knows" that a website insists on the use of https, any certificate warning becomes a fatal error (the user cannot tap "connect anyway" or something like that).

*IF* that is a good idea in each and every case, then browsers could enforce this *without* HSTS (with or without preload). Or permit bypasses in specific cases, such as that a certificate has expired - for example limited to 1 week.

Anyway, everyone could do me (not just me b.t.w.) a big favor if they'd stop promoting flawed alternatives to "https only".

And, an even bigger favor, that everyone stops defending the one-size-fits-all way how browsers treat certificates. Their makers do their very best to eliminate the possibilities that internet users have to distinguish between websites with known versus unknown (anonymous) owners.

Note: knowing who owns a website does not warrant reliability. However, not knowing who owns a website may mean that the owner *does not want you to know* who they are. Guess why.

@lucasmz @freddy

#HSTSpreload #HSTS #https

@lucasmz : unfortunately HSTS is often wrongly configured.

And of course it does not help if you've not visited the site recently enough with the particular browser you're using. It also does not work when using private tabs or a browser such as Firefox Focus, or when you manually delete all browser history for privacy or "security" reasons.

Many municipalities in NL have not configured this correctly, thereby disregarding a law (for government websites) that became mandatory on July 1, 2023 (more than 1 year ago).

For example almere.nl (a city with approx. 200,000 citizens) does not even bother to configure HSTS (internet.nl/site/almere.nl/291 - a nice and free testing site b.t.w.).

A common mistake is made by the municipality of "Alphen aan de Rijn" (100,000+ citizens). *Without* having "https only" enabled in Firefox, if you type in your address bar and tap Enter:

  alphenaandenrijn.nl

the following happens (if your connection is not AitM'ed. Note: I'm using Unicode '⁄' instead of '/' to prevent Mastodon from hiding "http:⁄⁄www." or "https:⁄⁄www."):

Firefox then opens:

  http:⁄⁄alphenaandenrijn.nl

That site tells Firefox to redirect to:

  https:⁄⁄www.alphenaandenrijn.nl

which transmits an HSTS header.

PROBLEM: your browser never "gets to see" an HSTS header for alphenaandenrijn.nl (the domain name *not* preceded by "www.").

Every time you type alphenaandenrijn.nl *again* in the address bar of your browser, you're at risk of an AitM attack; even though the final site supports HSTS, that is of no use in this case.

Also, even if http:⁄⁄alphenaandenrijn.nl *would* send an HSTS header, that would not help because browsers ignore HSTS-headers from http connections.

This also provides a good explanation and a proposed solution: internet.nl/site/alphenaandenr.

An alternative solution is to always fetch a 1x1 pixel from https:⁄⁄example.com every time a user visits https:⁄⁄www.example.com (to save browser storage space https:⁄⁄www.example.com does not even have to send an HSTS header, provided that https:⁄⁄example.com *does* and includes the "IncludeSubdomains" directive). See also developer.mozilla.org/en-US/do.

CONCLUSION
HSTS was (is?) an intermediate and mostly unreliable solution - with privacy issues (it allows for tracking of internet users).

It's simple: https should become *mandatory*.

MORE REASONS TO STOP USING HTTP
For example, it is insane that the following sites do not support https (marketing idiots go "Great! An .amsterdam TLD, let's register a jumpsite there and earn lots of extra money!"):

i.amsterdam
boat.amsterdam
boatnow.amsterdam
queerandpride.amsterdam
hermitage.amsterdam
artandmuseum.amsterdam
topbestin.amsterdam

Even the municipality itself f*cks up:
citycouncil.amsterdam
gemeente.amsterdam

Note: tourists are very welcome! Please use public WiFi, thank you (pwned).

Edited 09:37 UTC: one of the http links was a duplicate (there are many more though) and added # inhabitants of Alphen aan de Rijn.

@freddy

#HSTS #httpsonly #https
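The redirect-chain mistake described in the post above, together with the header requirements for the preload list mentioned in the earlier post about HSTS preload TLDs, as an added example that is not part of either post and is not internet.nl's checker: a small Python audit in which only the HSTS headers a browser would actually keep (those on https responses) are recorded, and which then asks whether the bare domain the user typed ends up covered. The hop lists, hosts and header values are constructed, and the "fixed" chain is an assumed configuration, not the municipality's.

```python
"""Audit a redirect chain for the HSTS gap described in the post above.

Added example: not code from the original post and not internet.nl's
checker. The hops, hosts and header values below are constructed, and the
"fixed" chain is an assumed configuration, not the municipality's.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the preload list requires at least this max-age


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Directive names are case-insensitive; without max-age there is no policy."""
    max_age = None
    include_sub = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


@dataclass(frozen=True)
class Hop:
    url: str            # URL the browser requested
    status: int
    location: str = ""  # redirect target, if any
    hsts: str = ""      # Strict-Transport-Security value, if any


def learned_policies(chain: list) -> dict:
    """HSTS policies a browser would actually record from this chain.
    The header is ignored on plain-http responses (RFC 6797, section 8.1),
    so only https hops count, and only for their own host."""
    learned = {}
    for hop in chain:
        parts = urlsplit(hop.url)
        policy = parse_hsts(hop.hsts)
        if parts.scheme == "https" and policy and policy.max_age > 0:
            learned[parts.hostname] = policy
    return learned


def hsts_covers(host: str, policies: dict) -> bool:
    """True if host has its own entry, or a parent entry with includeSubDomains."""
    labels = host.split(".")
    for i in range(len(labels)):
        policy = policies.get(".".join(labels[i:]))
        if policy and (i == 0 or policy.include_subdomains):
            return True
    return False


def preload_eligible(policy: HstsPolicy) -> bool:
    """Header-side requirements of the hstspreload.org submission rules."""
    return policy.max_age >= ONE_YEAR and policy.include_subdomains and policy.preload


def typed_host_protected(chain: list) -> bool:
    """Will the next visit to the host the user typed be upgraded to https?"""
    typed = urlsplit(chain[0].url).hostname
    return hsts_covers(typed, learned_policies(chain))


# Constructed chain with the mistake: the bare domain answers over http and
# redirects; only the www host ever sends HSTS, and only over https.
BROKEN_CHAIN = [
    Hop("http://alphenaandenrijn.nl/", 301, location="https://www.alphenaandenrijn.nl/"),
    Hop("https://www.alphenaandenrijn.nl/", 200, hsts="max-age=31536000; includeSubDomains"),
]

# Constructed fix: the bare host is served over https first and sends the
# header with includeSubDomains, so the www host is covered as well.
FIXED_CHAIN = [
    Hop("http://alphenaandenrijn.nl/", 301, location="https://alphenaandenrijn.nl/"),
    Hop("https://alphenaandenrijn.nl/", 301, location="https://www.alphenaandenrijn.nl/",
        hsts="max-age=31536000; includeSubDomains; preload"),
    Hop("https://www.alphenaandenrijn.nl/", 200, hsts="max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN)):
        print(f"{name}: typed host protected on next visit: {typed_host_protected(chain)}")
```

Note that even the fixed chain only protects the *second* and later visits: the first request to the typed bare name still goes out over http, which is the gap only preloading or an https-only browser setting closes. `preload_eligible` checks just the header-side conditions of the preload list; the list's other requirements (a redirect to https on the bare domain, a valid certificate) are not modelled here.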
Replied in thread

@kasperd wrote: "What I cannot understand is why domain names typed in manually weren't automatically treated as https a long time ago."

As a matter of fact, they are - but insufficiently reliably.

Most modern browsers actually first *try* https if an http link is provided (*) or if one types, for example, "cisco.com" (without "") in the browser's address bar and presses the Enter key (which I've seen more than one security trainer do).

(*) For example, at the bottom of (notably!) cyber.gov.au/scams , the link under "visit the IDCARE website" reads "http:⁄⁄www.idcare.org⁄". Of note: the latter website does not even support HSTS (see internet.nl/site/www.idcare.or).

Usually https attempts succeed. However, an *active* AitM (Attacker in the Middle), or an attacker who is able to alter DNS responses to the browser, can easily (temporarily) block https and force such browsers to try http - in which case they can emulate any website or redirect the browser to another one (that may support https).

On another note, after fully reading the Evil Twin articles, the attacks that took place in that case (in airplanes and on airports) were somewhat different, from afp.gov.au/news-centre/media-r :

<<< The AFP alleges that when people tried to connect their devices to the free WiFi networks, they were taken to a fake webpage requiring them to sign in using their email or social media logins. >>>

So while connecting to WiFi, the victims were apparently IMMEDIATELY lured into entering their email-account credentials into a page on a fake website (probably not using federated auth such as "Log in with Google", because -IIRC- in that case the token will be bound to the domain name of the fake website, rendering it useless for the attacker to impersonate the user on a legitimate website).

That AitM-controlled website *may* have had a valid certificate - but that would mean that the domain name differed from the usual email account sign-in website (to mitigate: use a password manager that checks the domain name).

Of course the attacker could also intercept 2FA codes if they wanted (by using, for example, EvilGinx2 or some similar tool).

BTW I noticed a couple of bugs in Chrome that I'm considering reporting to the Chromium team (however, a previous bad experience doesn't make me eager to do so):

1) With the "https only" setting in Chrome for Android enabled, closing the browser *DOES NOT* erase any http-allowed exceptions made for specific domain names (Firefox for Android does it that way - while Firefox for iOS does not seem to support "https only" at all).

Obviously this poses a risk if a remembered http connection is opened on an untrusted network.

I don't know whether the following "reset feature" is documented anywhere, but disabling the "https only" setting, followed by closing and restarting Chrome for Android, and then enabling "https only" again, seems to reliably clear the list of exceptions.

2) The "https only" setting in Chrome for iOS is *unreliable*.

If set to enabled, opening http.badssl.com will warn me (once), while opening citycouncil.amsterdam - or most other http-only websites (including scanning the QR-code on a can of Pringles -potato chips- which decoded into pringles.eu/1W9vz52), NEVER warns me.

3) The "trick" for clearing the list of remembered http domain name exceptions (which works in Chrome on Android) unfortunately does not work in Chrome for iOS. However, clearing all website data does - which probably also deletes all HSTS records, which is a bad thing because of bug 2).

@agl
@rmondello @BleepingComputer

Apparently Mozilla fixed the unreliability of #HSTS 5 months ago. My bug report was resolved as a result. That's great news!

As far as I know, the HSTS table can now hold up to 2048 entries. Only 0.1% of Firefox users use more than that.

Also, the implementation of nsIDataStorage seems to allow additional temporary data, so even more values could be stored. However, I didn't really understand how this works.

infosec.exchange/@kpwn/1100104

Link preview of the post by Konstantin :C_H: (@kpwn@infosec.exchange) on Infosec Exchange: "Firefox stores HSTS headers in a file called SiteSecurityServiceState.txt. #HSTS - Part 4/4: Practical Observation #1 🧑‍💻 Now hold on because it's getting rough: Up to the current version (v110) this file is limited to 1024 entries. #InfoSec #CyberSecurity #BugBounty #Pentesting"

Yesterday was Patch Tuesday but not for #MSExchange. The published CVEs were already fixed in last month's #Security Update!

Use this time to dive into 2 new features for on-prem Exchange: #HSTS Support & Extended Protection to mitigate AitM attacks. The latter will be enabled by default in 2023 H2 (or CU14) for Exchange 2019 & might break things!

Sept. '23 CVE: techcommunity.microsoft.com/t5

HSTS: techcommunity.microsoft.com/t5

Ext. Protection by default: techcommunity.microsoft.com/t5

on SIDN.nl: #HTTPS and #HSTS mandatory from this summer for the websites of all (semi-)government organisations -- #DNSSEC looks set to become the next legally mandated standard
sidn.nl/nieuws-en-blogs/https-

"The reason for this legal obligation is that earlier policy and agreements ultimately did not lead to full adoption of these (and other) security standards. Government organisations have for years been more or less obliged to secure their websites with HTTPS and HSTS."