Posts by McAron

8 publicly visible posts • joined 8 Dec 2021

Sage accused of strong-arming customers into subscriptions

McAron

Re: stunnel

Yeah, or mitmproxy (runs nicely in Docker), or even Fiddler (use Fiddler Classic, the newer one sucks).

PowerShell pusher to log off from Microsoft: Write-Host "Bye bye, Jeffrey Snover"

McAron
Happy

> Write-Host "Bye bye, Jeffrey Snover"

I'd use single quotes, there are no variables to expand.

EU makes USB-C common charging port for most electronic devices

McAron

Why not both ports?

OK, Apple really loves their Lightning. Fair enough. So how about adding USB-C as a second port, rather than replacing Lightning? There's no law or anything that forbids you from making phones with two ports. And there's plenty of space on the bottom side too.

Of course they won't do it, it's kinda a kludge, thus not "an Apple way". But then the discussion shifts from the superficially reasonable "we won't do it because USB-C is technically inferior and removing Lightning would produce tons of waste" etc., to a simple "we won't do it coz we don't like it". And that kind of argument is much easier to deal with.

Vehicle owner data exposed in GM credential-stuffing attack

McAron
FAIL

Re: Although passwords are poorly managed...

"increasing reliance on biometrics, which necessarily are used on multiple sites and can not be changed or rescinded."

Yes. Widespread biometrics will enable the ultimate credential stuffing attacks. A shared, unchangeable credential. What could go wrong?

FIDO Alliance says it has finally killed the password

McAron

Re: Microsoft already nailed this

The good news is Microsoft's 2FA is based on a standard (RFC 6238, Time-based One-Time Passwords). So you can use any compatible authenticator, or roll your own (the algorithm is trivial, roughly: token = hash(current time, key for pairing the authenticator)).

I'd even say the authenticator should run on a PC (being a more secure device), not on a phone. This way it would be safer to log in on a phone.

McAron

I get the idea of improved security by authentication via secondary channel. But what if we want to access a secured resource on the smartphone itself? How do we authenticate then, with a second smartphone?

In real life most people will of course use the same phone, which for a regular person means an Android v{current - rand(2,6)}, maybe even with some patches if the manufacturer was feeling generous, and an inversely proportional number of available exploits. How secure is that?

APNIC: Big Tech's use of carrier-grade NAT is holding back internet innovation

McAron

Thanks, but no thanks

From my perspective as a privacy-conscious individual, widespread IPv6 adoption would be a nightmare. Staying on dynamically assigned IPv4s, or even better behind a CGNAT, protects me from being mercilessly tracked across the whole internet.

If my network provider assigned me an IPv6 address, I'm sure it would be a static one, maybe even containing my customer number / contract / router ID etc. It's just much cheaper, and with IPv6 they just wouldn't need to pool available addresses anymore.

I can then kiss my privacy goodbye - no amount of ad blockers would fix the situation where my traffic always comes from the same, unique source IP. Think of Verizon PrecisionID tracking headers, but on steroids.

2033 is doomsday for 2G and 3G in the UK

McAron
Mushroom

Doomsday is near

2032 - calendar in my Palm Centro won't take any new entries

2033 - 2G is switched off

Time to consider an upgrade, I suppose...