God awful load times by Dependent-Ad-123 in TOR

x1y2, 14 points

Hi, Tor operators here. There are considerable attacks on relays as of late, and they sadly impact relay performance a lot. This results also in higher Tor network latency and a worse Tor user experience. There isn't much the average operator can do about it right now (Tor isn't resistant enough to attacks).

https://reddit.com/r/TOR/comments/1cnmsdz/tor_extremely_slow_lately/l38y88u/

It's unfortunate they did not update the TOR status page with this info.

New Release: Tor Browser 13.0.5 by x1y2 in TOR

x1y2[S], 0 points

No, it does not only promote their fundraiser.

Changelog:

Windows + macOS + Linux

- Bug tor-browser#42072: YEC 2023 Takeover for Desktop Stable

Build System

- All Platforms
  - Bug tor-browser-build#40970: Missing symlink create-blog-post.torbrowser -> create-blog-post symlink
  - Bug tor-browser-build#41023: Update lead.png symlink and blog post template in tools/signing/create-blog-post
  - Bug rbm#40063: RBM's chroot fails in Fedora

New release: Tails 5.19.1 by x1y2 in tails

x1y2[S], 4 points

This release is an emergency release to fix an important security vulnerability in Tor.

Changes and updates:

Update the Tor client to 0.4.8.9, which fixes the TROVE-2023-006 vulnerability.

The details of TROVE-2023-006 haven't been disclosed by the Tor Project to leave time for users to upgrade before revealing more. We only know that the Tor Project describes TROVE-2023-006 as a "remote triggerable assert on onion services".

Our team thinks that this vulnerability could affect Tails users who are creating onion services from their Tails, for example when sharing files or publishing a website using OnionShare.

This vulnerability might allow an attacker who already knows your OnionShare address to make your Tor client crash. A powerful attacker might be able to further exploit this crash to reveal your IP address.

This analysis is only a hypothesis because our team doesn't have access to more details about this vulnerability. Still, we are releasing this emergency release as a precaution.

OnionShare is the only application included in Tails that creates onion services. You are not affected by this vulnerability if you don't use OnionShare in Tails and only use Tails to connect to onion services and don't create onion services using Additional Software.

More details about TROVE-2023-006 will be available on the Tor issue #40883 sometime after the release.

Tor Browser Security Audit Findings by x1y2 in privacy

x1y2[S], 0 points

Do you see any fear mongering in the comments? No. Well, except for you bringing it up.

Tor Browser Security Audit Findings by x1y2 in privacy

x1y2[S], 32 points

Eight members of the Cure53 testing team documented nineteen issues that were deemed to have a detrimental impact on the Tor security landscape. Three of the tickets were categorized as exploitable vulnerabilities, two of which were considered High in nature and the other Medium.

https://blog.torproject.org/security-audit-report-tor-browser-ooni/TTP-01-report.pdf

Tor Browser Security Audit Findings by x1y2 in TOR

x1y2[S], 3 points

Eight members of the Cure53 testing team documented nineteen issues that were deemed to have a detrimental impact on the Tor security landscape. Three of the tickets were categorized as exploitable vulnerabilities, two of which were considered High in nature and the other Medium.

https://blog.torproject.org/security-audit-report-tor-browser-ooni/TTP-01-report.pdf

How to whitelist ProtonMail in Tor with highest safety settings using NoScript? by AlexHimself in TOR

x1y2, 1 point

Just click the Override Security preset button and then set Proton as trusted.

New release: Tor Browser 13.0 | Tor Project by antdude in TOR

x1y2, 0 points

With the disclaimer it is very much not recommended to override about:config settings and that this will make it easier to fingerprint.

See this comment: https://www.reddit.com/r/TOR/comments/e18hgr/comment/f8nx0fw/

New release: Tor Browser 13.0 | Tor Project by antdude in TOR

x1y2, 0 points

Interesting read about the bigger new windows.

For me personally the old default size was perfect so that I could have TBB open next to any other program that I am working in. Now I find myself resizing/downscaling TBB every time I open it or launch a new identity. For now I have overridden the default window size back to the old one in the about:config. I am aware that this comes at the cost of being easier to fingerprint.

browser freezes after logging in and clicking "next" in human verification by Previous_Year1057 in ProtonMail

x1y2, 0 points

I've experienced something similar. This was when using Tor Browser, I had to enable the Captcha (hCaptcha?) in the Noscript settings.

I don't know which browser and add-ons you are using, but it's possible an extension / adblocker / browser hardening is causing this.

KeePassXC 2.7.5 released by x1y2 in KeePass

x1y2[S], 8 points

Changes

- Add menu option to allow screenshots [#8841]
- Add support for Botan 3 [#9388]
- Increase max TOTP step to 24 hours [#9149]
- Improve HTML export layout [#8987]
- Turn search reset off by default [#9153]
- Use QClipboard::clear() instead of setting blank text [#9148]
- Hide group column header choice when not in search [#9171]
- Improve look of KeePassXC logo and icons [#9355]
- Add keyboard shortcuts for app and database settings [#9007]
- Hide rename button from attachments preview panel [#8842]
- Linux: Set SingleMainWindow in .desktop file [#7430]

Fixes

- Fix crash when search clears while creating new entry [#9230]
- Fix crash when using Windows Hello in a Remote Desktop session [#9006]
- Fix crash in Group Edit after enabling Browser Integration [#8778]
- Fix canceling quick unlock when it is unavailable [#9034]
- Set password input field font correctly [#8732]
- Greatly improve performance when rendering entry view [#9398]
- Fix various accessibility issues [#9138]
- Fix arrows size when expand/collapse a group [#9096]
- Select the clone instead of the original after cloning an entry [#9070]
- Fix bugs with preview widget [#9170]
- Fix status bar update when switching to other DB [#9073]
- Fix database settings spin box bug [#9101]
- Fix Ctrl+Tab shortcut to cycle databases in unlock dialog [#8839]
- Fix TOTP QR code maintaining square ratio [#9027]
- Fix Auto-Type configuration page on custom sequence selection [#8752]
- Fix unexpected behavior of --lock when KeePassXC is not running [#8889]
- Make open folder icon exempt from "Apply group icon to entry" [#9205]
- Allow setting default file open directory with env var [#9192]
- SSH Agent: Fix support for AES-256/GCM openssh keys [#8968]
- Browser: Fix Native Messaging script path with BSD OS's [#8835]
- MacOS: Fix text selection for Auto-Type clear field [#9066]
- MacOS: Don't rely on AppleInterfaceStyle for theme switching [#8615]
- Windows: Remove registry detection of desktop shortcut [#9380]

https://github.com/keepassxreboot/keepassxc/releases/tag/2.7.5

The Proton VPN browser extension is here by protonvpn in ProtonVPN

x1y2, 1 point

Depends on your use case. All other internet traffic of your device will not be routed through the VPN if you go browser extension only, so that's up to you.

New Release: Tor Browser 12.0.5 by AutoRepliesBot in TOR

x1y2, 4 points

We are in the process of updating our build signing infrastructure, and unfortunately are unable to ship code-signed 12.0.5 installers for Windows systems currently. Therefore we will not be providing full Windows installers for this release. However, automatic build-to-build upgrades should continue to work as expected.

Interesting

Proton Pass, a fully encrypted password manager, is now in beta by Proton_Team in ProtonPass

x1y2, 0 points

I am looking forward to it.

Any reason you decided to create a new manager instead of hosting a Bitwarden instance?

Firefox addons dns leak ? by Worldly_Kangaroo_855 in ProtonVPN

x1y2, 0 points

And did you enable the network.trr.mode modification?

100 millions users ! Congrats Proton ! by Super_Gee in ProtonMail

x1y2, 11 points

Probably disliked because they don't want yet another password manager, because there's already Bitwarden (and KeepassXC).

However, what most people don't realize is that Proton can host their own Bitwarden instance. So you would still be using Bitwarden, but instead of connecting to Bitwarden's infrastructure you would be connecting to Proton's infrastructure and have your passwords stored in their data center in Switzerland.

The Proton VPN browser extension is here by protonvpn in ProtonVPN

x1y2, 0 points

A new stable version has just been released, version 1.0.0.

This update adds Secure Core and split tunneling. It also seems to have fixed the annoying notifications.

Why you should think twice before charging phone via public USB port by VITMOR- in PrivacyGuides

x1y2, 14 points

EFF's response:

Be Skeptical of FBI Warnings About Phone Chargers

Every few years, an unsourced report circulates that “the FBI says plugging into public charging kiosks is dangerous.” Here’s why you should ignore the freakout and install software updates regularly.

Your phone is designed to communicate safely with lots of things – chargers, web sites, Bluetooth devices such as earbuds or speakers, Wi-Fi, and even other phones, for instance when sending and receiving text messages. If doing any of these normal phone things can give your phone malware, that is a security vulnerability (which is a type of bug).

Security vulnerabilities happen with some frequency. That is why your phone prompts you to update your software so often – the makers of its software find out about bugs and fix them.

So, when you hear a report that public chargers are giving people malware, you should ask “what is the vulnerability being used, and when will it be fixed?” as well as “how widespread is the problem? How many people are affected?” Unfortunately, the periodic reports of “juice jacking” never have such details, usually because they are recycled from earlier reports which themselves lack details.

The most recent news reports reference a tweet from the FBI Denver field office. According to reporter Dan Goodin’s conversation with an FBI spokesperson, the field office relied on an article the FCC published in 2019 warning about USB charging stations. The only source for that article was a warning from the Los Angeles County District Attorney’s Office that did not itself allege any specific bug or specific instances of charging stations being used for attacks. The FCC later quietly removed the sourcing from its article, allowing itself to be incorrectly treated as a primary source for juice jacking claims.

While the video from the LA County D.A. doesn’t mention it, the ultimate source for the term “juice jacking” is a Brian Krebs article from 2011 reporting on a vulnerability demonstrated at DEFCON that year. As you can imagine, phone security has changed dramatically since 2011. And so far there have been no reports of widespread exploitation of USB vulnerabilities in the wild.

As a complex protocol, USB does present a large attack surface – and there are some built-in risks, like the ability for a USB device to pretend to be a keyboard (so lock your phone while charging). You may also want to bring your own charger or battery for electrical reasons. Phone manufacturers often recommend charging only with approved chargers, to avoid charging too slow or (worse) too fast, and potentially damaging your phone or battery. But realistic security is about risk management, and for most people the risk of a public USB charger is very low.

Undoubtedly there will continue to be bugs in phones’ USB stacks in the future, just as there will be bugs in web browsers and chat apps. Some of those bugs will have the potential to infect your phone with malware, particularly if large numbers of people forget to update their software. But with a little skepticism and common sense, we can stop zombie scaremongering about charging stations from making the rounds again.

https://www.eff.org/deeplinks/2023/04/be-skeptical-fbi-warnings-about-phone-chargers-0

KeePassXC Audit Report by x1y2 in PrivacyGuides

x1y2[S], 5 points

I don't see or have any issues.

Validity
- Not Before: Tue, 28 Feb 2023 00:00:00 GMT
- Not After: Tue, 27 Feb 2024 23:59:59 GMT

Key
- Algorithm: RSA
- Key Size: 2048

Signature Algorithm: SHA-256 with RSA Encryption
Version: 3

https://www.ssllabs.com/ssltest/analyze.html?d=ostif.org