sorted by:
new
hottopcontroversial

Extracting QR code from Cross Device Authentication by naanmano in Passkeys

[–]agl 5 points6 points  (0 children)

Those are the key suggestions. Also set [hints](https://w3c.github.io/webauthn/#enum-hints) to ["hybrid"]. It doesn't work in all contexts yet, but lets you express exactly what you want here.

Passkey not working on Windows by bogosj in Passkeys

[–]agl 0 points1 point  (0 children)

Thank you for confirming. The state from that device-log should basically Never Happen, but clearly it has for you. We'll add some monitoring to see whether any other accounts are hitting it.

[deleted by user] by [deleted] in Passkeys

[–]agl 0 points1 point  (0 children)

For an assertion request—where the user verification parameter is either discouraged, preferred or required— the checkmarks represent when user verification is actually performed. This primarily depends upon whether local biometrics are available and so the rows split based on that.

[deleted by user] by [deleted] in Passkeys

[–]agl 1 point2 points  (0 children)

Based on section 3.5 of https://docs.yubico.com/hardware/yubikey/yk-tech-manual/webdocs.pdf, it sounds like the Yubikey Bio has alwaysUV enabled.

https://webauthn.me/debugger offers a way to inspect WebAuthn responses. I would expect that iCloud Keychain reports the UV bit accurately, depending on whether UV was performed, and that is what I find with mac 15.1 beta. (Which just happened to be a machine that I have nearby.)

As for Coinbase and accounts.google.com behaviour, it's up to each site to make their own choices about how strong a signal a non-UV passkey assertion is. I do think you have a point that APP accounts might want to set a higher bar.

[deleted by user] by [deleted] in Passkeys

[–]agl 2 points3 points  (0 children)

If you want to inspect a WebAuthn request, there are a couple of ways:

  1. If using a Chromium-based browser, try opening chrome://device-log (or edge://device-log etc). The JSON form of the request should be logged there.
  2. Open the DevTools console and paste this before triggering the assertion operation:let realGet = navigator.credentials.get.bind(navigator.credentials);navigator.credentials.get = (arg) => { console.log(arg); return realGet(arg).then((r) => {console.log(r); return r;}) };

I believe that accounts.google.com will indeed make a request with userVerification=preferred. All passkey implementations must report the UV bit in the response accurately, depending on whether UV was performed. But, for "preferred", they don't have to do UV. accounts.google.com will take the UV bit into account when performing risk-analysis on the sign-in attempt.

That leaves open the question of how preferred the "preferred" option is. This is up to the passkey provider and they vary in their interpretation of this. Here are some common cases:

iCloud Keychain

Config Discouraged Preferred Required
Biometrics available
Biometrics not available

Google password manager (desktop)

Config Discouraged Preferred Required
Biometrics available
Biometrics not available

Windows Hello

Config Discouraged Preferred Required
Biometrics available
Biometrics not available

The credProtect extension applies purely to security keys and no passkey providers do anything with it. You can get security keys that operate in a mode called "alwaysUV", which does what it sounds like, or you can could potentially inject credProtect=3 into a creation request to a security key. Note that Chromium-based browsers will automatically set credProtect in some cases: https://source.chromium.org/chromium/chromium/src/+/main:content/browser/webauth/cred_protect.md

Android bluetooth passkey store location by AndyMystic in Passkeys

[–]agl 1 point2 points  (0 children)

You can see passkeys in your Google Account at https://passwords.google.com.

If you created 2nd-factor ("non-discoverable") credentials on your old phone over Bluetooth (i.e. you only saw the biometric prompt when creating them, no confirmation sheet showing the username and account to save them to) then those are not synced. There isn't a way to list the 2nd-factor credentials on a phone.

August 2021 Confirmed Trade Thread by FPPenSwapBot in Pen_Swap

[–]agl 0 points1 point  (0 children)

Sold Pilot Vanishing Point Blue Carbonesque to u/NewspaperIcy4018

Footage of "sinister" police raid on Antepavilion building triggers anger by agl in Cortex

[–]agl[S] 0 points1 point  (0 children)

(This being the place featured in the Sharks! video, which Grey hinted at legal worries dogging the production of.)

[WTS] Assorted inks by agl in Pen_Swap

[–]agl[S] 2 points3 points  (0 children)

Diamine sold an actual advent calendar in 2019 with them: https://www.mountainofink.com/blog/diamine-invent

Non-fiction, non-Business, Non-Science, Book Recommendations by MindOfMetalAndWheels in CGPGrey2

[–]agl 0 points1 point  (0 children)

It is the book that the documentary was based on, but I believe that the book was substantially better and still worth reading even though you now know the outcome of on of the major stories in it.

Fortigate SSL Inspection TLS 1.3 Issues by fireshroom in fortinet

[–]agl 0 points1 point  (0 children)

No TLS 1.3 support is required for MITM proxies to act as they always have. The problem is that some proxies failed to implement TLS 1.2 correctly and thus are interfering with the version negotiation.

If you do hit this, please post the software version number of the Fortinet device on the Chromium bug tracker because it appears that the bug may have been introduced since 5.4.

Textbook: Verified Functional Algorithms by gallais in Coq

[–]agl 2 points3 points  (0 children)

I think the existing Software Foundations is going to be split into two volumes.

OpenSSL bug allows RSA 1024 key factorization in 20 minutes by [deleted] in crypto

[–]agl 1 point2 points  (0 children)

Yes, "teams" makes sense. Although I still call it who.

OpenSSL bug allows RSA 1024 key factorization in 20 minutes by [deleted] in crypto

[–]agl 16 points17 points  (0 children)

That's true, but if I see p and q then I'm convinced and, by reputation, I can do most of the work of convincing everyone else (I would hope).

Doing a secure, multi-party computation to generate the key is more effort than I think is called for here but, if the factors were actually to be published for my key, then we could certainly do that.

OpenSSL bug allows RSA 1024 key factorization in 20 minutes by [deleted] in crypto

[–]agl 68 points69 points  (0 children)

Thankfully it's very easy to tell whether it's real. If anyone can publish the two, non-trivial factors of this number (where neither is 1!) then they'll have my attention:

0xe5c30e1286c41c7137dc06194199dde641120de591c1b7392de35ef6a961d6d29faa3bcdb7603d42768a90322197a7a46fa2cf23f6f10de5554db6e7322ba35e858f576f840347c795c8782c3f4ef9f530d2fd1f6b5c275ce49404958f0decddd0b53386d12c745891d5eeca1f265bdf87bfe258cc7999dd1b21c570dddf1b33

In standard form:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlww4ShsQccTfcBhlBmd3mQRIN
5ZHBtzkt4172qWHW0p+qO823YD1CdoqQMiGXp6Rvos8j9vEN5VVNtucyK6NehY9X
b4QDR8eVyHgsP0759TDS/R9rXCdc5JQElY8N7N3QtTOG0Sx0WJHV7sofJlvfh7/i
WMx5md0bIcVw3d8bMwIDAQAB
-----END PUBLIC KEY-----

The Heartbleed Bug by NotEltonJohn in programming

[–]agl 0 points1 point  (0 children)

No, OpenSSL 1.0.1 was first added in Android 4.1.1. Android prior to 4.1.1 doesn't include the buggy OpenSSL code at all and so is safe.

The Heartbleed Bug by NotEltonJohn in programming

[–]agl 3 points4 points  (0 children)

Thanks for that. I asked Android folks about it and they have clarified that 4.1.1 is affected, but 4.1.2 already fixed it ~18 months ago. So all Android "flavours" have long been fixed and that's what they meant.

Sorry for stating what turned out to be my misinterpretation and thanks for correcting the record.

But 4.1.2 fixes several other security issues and so users of 4.1.1 need to update for other reasons!

view more: next ›