[-] Harrison@infosec.pub 9 points 5 months ago* (last edited 5 months ago)

Remember not to compromise security in favor of privacy. To me they're both important, but security wins every time.

Remember that services directly accessible over tunnels, whether from Cloudflare or frp or ngrok or whatever, are directly accessible over the internet. So if any of those various self-hosted services have a remote vulnerability, and EVERYTHING does sooner or later, you will be exposed. This is why I personally WG VPN to my home LAN rather than exposing most of my stuff via any sort of tunnel. Tailscale is another option I often recommend.

I do use CF tunnels for specific purposes; Home Assistant Google Home integration, for example, but I secure that via their "zero trust" authentication by validating incoming IP ranges, so only Google can reach the tunnel in the first place; everybody else is stopped by Cloudflare. For other services with human users, I have them authenticate via GitHub or Google OAuth first. I also run all services accessible from the internet by any means on a restricted VLAN firewalled off from the rest of my LAN.
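The comment above describes restricting a tunnel so that only a known set of source IP ranges can reach the service behind it. The following is an added illustration of that kind of source-address allowlist check, written for this page and not taken from the commenter, Cloudflare or Home Assistant. The CIDRs are constructed placeholders from the RFC 5737/3849 documentation ranges; a real deployment would load the provider's published ranges instead. The function names and the fail-closed handling of malformed addresses are choices made here, not something the comment specifies.

```python
import ipaddress

# Constructed placeholder allowlist (documentation-only address ranges).
# Assumption: in practice this list would be populated from the upstream
# provider's published ranges and refreshed periodically.
ALLOWED_CIDRS = ["192.0.2.0/24", "2001:db8::/32"]


def build_allowlist(cidrs):
    """Parse CIDR strings once into network objects for repeated membership tests."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(source_ip, allowlist):
    """Return True only if source_ip falls inside one of the allowed networks.

    Fails closed: an unparsable address is treated as not allowed rather than
    raising, so a malformed header can never slip past the check.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def check_requests(source_ips, cidrs):
    """Evaluate a batch of observed source addresses against the allowlist.

    Returns a dict mapping each address to its allow/deny decision, which is
    the shape a log-review or unit test would want to inspect.
    """
    allowlist = build_allowlist(cidrs)
    return {ip: is_allowed(ip, allowlist) for ip in source_ips}


if __name__ == "__main__":
    # Constructed sample of source addresses as they might appear in access logs.
    sample = ["192.0.2.10", "2001:db8::1", "203.0.113.5", "not-an-ip"]
    for ip, ok in check_requests(sample, ALLOWED_CIDRS).items():
        print(f"{ip:>16}  {'allow' if ok else 'deny'}")
```

One caveat worth keeping in mind when applying this pattern: the check is only as trustworthy as the source address it is fed. Behind a tunnel or reverse proxy the original client address usually arrives in a header set by the proxy, so that header must be accepted only from the proxy itself, otherwise any client could claim an allowed address.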

[-] Harrison@infosec.pub 6 points 5 months ago

I'm all for healthy paranoia, keeping my attack surface small. That's just professional IT ops.

Incendiary statements like saying US intelligence compromised the supply chain with hidden backdoors, those really do need to be substantiated to not sound like a crazy uncle. Our adversaries have counterintelligence also, they aren't incompetent, and if Cisco or Juniper or whatever planted backdoors in hardware shipped to China, the Chinese would make a ton of noise about it. And so would we; Huawei was banned without any substantiated proof, out of fears that if used, their 5G infra could have hidden backdoors and the hardware would be so widely distributed that it would be onerous to replace.

[-] Harrison@infosec.pub 11 points 5 months ago

Yes there are a bunch of self-hosted options like frp, all of which require an endpoint on the internet somewhere, typically a cheap or even free VM. Here's a pretty comprehensive list:

https://github.com/anderspitman/awesome-tunneling

[-] Harrison@infosec.pub 79 points 5 months ago

Cloudflare is a MITM by design. Calling it an attack is disingenuous; you're signing up for the service of your own free will, not a victim.

If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren't doing that.

So then the question becomes whether those nefarious three letter agencies penetrated Cloudflare with APT tools and are silently listening to everything. Our adversaries are certainly trying, China, Russia, Iran, etc. If the NSA (which lacks a mandate to act on US soil, and CF is a US company) or perhaps the FBI hacked a US company, particularly one that covers like a third of the internet like Cloudflare, that would be a truly enormous scandal.

But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don't use it.

[-] Harrison@infosec.pub 8 points 9 months ago

Recently they want to throw them out of helicopters like Pinochet. Really, look it up.

[-] Harrison@infosec.pub 8 points 10 months ago

Here’s another one: click through on macOS. Coming from other systems I find it infuriating. Not just the click through itself but its inconsistency, where it works in browsers and some other selected programs but not in most.

For those not aware, click through is when you’re focused on another window and click on this one. With click through, it will immediately action what you click without you having to click first on the window and then click again. This isn’t inherently inferior, but I really don’t like it personally. And it is absolutely impossible to change this behavior on macOS by any means. Believe me, I researched this extensively.

[-] Harrison@infosec.pub 4 points 10 months ago

Sorry, right, I was referring to iOS. On macOS I use Alfred for clipboard history. Works great.

[-] Harrison@infosec.pub 22 points 10 months ago

Complete lack of support for clipboard history. This annoys me daily.

[-] Harrison@infosec.pub 5 points 1 year ago

It's less that Twilio specifically owns it than problems resulting from corporate ownership. Briefly:

  1. You can't get your data out of Authy. Actually you can, but it's a long annoying process involving installing an out-of-date Chrome extension and using developer tools.
  2. Privacy issues. Authy links a lot of data including location to your identity.
  3. Authy supports SMS account recovery (which is inherently insecure) and doesn't allow users to disable it.

[-] Harrison@infosec.pub 8 points 1 year ago

Android is easy, Aegis.

iOS is much harder. Right now, probably "2FAs". Authy is owned by Twilio, Raivo was just bought out by an advertising company, and the others are either too small to get the exposure required for any level of security or charge for the feature.

[-] Harrison@infosec.pub 4 points 1 year ago

From what I can see on their website, the 2FA feature is only available if you pay $1/month. No gratzie.

[-] Harrison@infosec.pub 4 points 1 year ago

I’m all for open source alternatives to Bitwarden, but this is non-competitive with a mandatory subscription fee. Bitwarden is completely free for most users.

