MITM - Mouse in the Middle
RayJW
joined 2 years ago
https://mkultra.monster/tech/2024/07/03/serenityos-and-ladybird
This was a little „write-up“ back when everything became more public.
I think the most common alternatives I see recommended are Mullvad and IVPN. Both have a great track record, but also both lack port forwarding if that is an essential feature for you.
Are you using GE-Proton? I had this issue when not using the stock Proton. Try switching to Proton 9 and try again.
I'm copying my other response since you both had the same issue with my statements:
As you said, if PFS can be disabled by enabling a feature on the receiving end it's by security practices not enabled, in the industry that's called a downgrade attack and considered very bad practice.
The blog post you linked, is the publicly revised version after they were called out by well known cryptographers for their handling. This was their original response to the researchers, again after the researchers disclosed the vulnerabilities to them and actively helped designing the new protocol, not just giving inspiration. This was their initial tweet: „There’s a new paper on Threema’s old communication protocol. Apparently, today’s academia forces researchers and even students to hopelessly oversell their findings“ which is long deleted, but I did read it while it was still up back then. I can't find a screenshot or anything at the moment, so if you want to call me a liar, go ahead but if you search for that quote you will find many citations.
Also, they claimed „old protocol“ but Ibex was still months from being deployed widespread, so that's another big downplay.
You mention Signals Desktop app issue, Threema claimed the attacks were unrealistic because they require significant computing power or social engineering, both things that are definitely a risk if you're trying to protect yourself from bigger intelligence efforts. The issue with Signal Desktop however, required full file system access to your device at which point, there is nothing stopping the attacker from simply using a key logger, capturing your screen, etc.
This is why no big security researchers called out Signal but many shunned Threema. At the end I don't have a horse in the race for either of them, but I think those are facts people need when making a decision with their private information.
As you said, if PFS can be disabled by enabling a feature on the receiving end it's by security practices not enabled, in the industry that's called a downgrade attack and considered very bad practice.
The blog post you linked, is the publicly revised version after they were called out by well known cryptographers for their handling. This was their original response to the researchers, again after the researchers disclosed the vulnerabilities to them and actively helped designing the new protocol, not just giving inspiration. This was their initial tweet: „There’s a new paper on Threema’s old communication protocol. Apparently, today’s academia forces researchers and even students to hopelessly oversell their findings“ which is long deleted, but I did read it while it was still up back then. I can't find a screenshot or anything at the moment, so if you want to call me a liar, go ahead but if you search for that quote you will find many citations.
Also, they claimed „old protocol“ but Ibex was still months from being deployed widespread, so that's another big downplay.
You mention Signals Desktop app issue, Threema claimed the attacks were unrealistic because they require significant computing power or social engineering, both things that are definitely a risk if you're trying to protect yourself from bigger intelligence efforts. The issue with Signal Desktop however, required full file system access to your device at which point, there is nothing stopping the attacker from simply using a key logger, capturing your screen, etc.
This is why no big security researchers called out Signal but many shunned Threema. At the end I don't have a horse in the race for either of them, but I think those are facts people need when making a decision with their private information.
If you're seriously concerned about privacy and security I wouldn't look at Threema. They severely mishandled vulnerabilities by insulting the security researchers, then introduced a new protocol they built with the advice given to them for free from the SAME researchers before that, and yet it still doesn't support critical features like full forward secrecy. If all you want primarily is the best security out there Signal is and will be the best for a long time to come by the looks of it.
I'm not sure that Proton can fix your problem. However, I feel like this project would love your help with capturing the USB traffic to get it supported and hopefully upstreamed in the kernel some day :)
Great, that sounds amazing. Let's hope it's also used even if it means less excises for tracking.
Could the new CHIPS functionality help websites like Microsoft Teams working without you having to enable third-party cookies for their websites? If I understood it correctly this might be exactly the kinda use case but I couldn't find anything specific online.
I looked at some info for reporting this to the kernel developers but the process is too complicated at the time. I'm currently a bit short on time but I did report it to libinput, maybe they can give pointers where exactly to report this.
view more: next ›
Better UX until you have to download or update a game… there is an open bug report where it just doesn't progress but keeps starting new processes until you‘re OOM. Still no fix in months, I've had to boot into Windows for every single update. Really not that good of an UX.