@freddy Same here. I remember the epic MySpace thread, was very educational on how not to sanitize web content.
wpalant@infosec.exchange
-
This came up again in a team meeting earlier this week.
@freddy You better use Web Archive, not the service that will DDoS random blogs it has a dispute with: https://web.archive.org/web/20150102232217/http://ha.ckers.org/blog/20070803/mozilla-says-ten-fucking-days/
I remember. That was exactly the time when I used to hang out on ha.ckers and sla.ckers.

-
Note how LastPass PR offloaded a ton of buzzwords here that don’t actually mean anything. They turned this kind of response into an art. https://arstechnica.com/security/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true/
Bitwarden at least admits that a fully compromised server isn’t part of their threat model. It’s the same for LastPass, and in the past they’ve rejected vulnerability submissions based on that – there are a number of very simple ways in which a compromised server is able to access your “secure” vault. But they won’t admit it, hoping instead that the message will drown in the noise they produce.
For the sake of completeness: Dashlane’s response is merely generic. 1Password’s response is correct from what I can tell: the “compromised server” scenario has been considered and the risks arising from it are documented, nothing new here.
-
I’m not qualified to comment on the alleged security vulnerability in #Matrix, but 'the entire Matrix community sucks because one user once disagreed with me on the Internet' is such a wild take.
@daniel I haven’t seen any comments about the Matrix community, only about the project’s vulnerability response. Even if it’s one user, it’s the user handling security reports. If they reject legitimate vulnerabilities as “not relevant in practice” – that is very concerning. If Matrix is supposed to be considered secure, they need working processes for handling vulnerability reports. If on the other hand they have a hobbyist approach to security then their product cannot be considered secure.
Note: It may in fact be “not relevant in practice” yet. Still, an important building block of the protocol is compromised. It needs to be fixed, preferably before somebody figures out how to make this issue relevant in practice. Because somebody inevitably will.
-
@lasagne It is a fairly typical situation that one building block is compromised, but other building blocks initially prevent successful exploitation. When the response to such a problem is "not relevant in practice", one should urgently avoid the product. Because that is, as you already say, a very problematic attitude.
Soatok seems to have already identified circumstances where the problem is exploitable anyway. And even if not, it is often only a matter of time. I have been in this situation several times: a security vulnerability I reported is not fixed because I cannot demonstrate that it is exploitable. A little later someone else finds a way after all.
If you take security seriously, you do not rely on vulnerabilities at one layer being masked by other layers. Perhaps it is then not quite as urgent, but you close the gap anyway.
-
This is old news for some but way too many people didn’t get the notice: do not trust Matrix crypto. It’s not that they have issues (who doesn’t), it’s their approach which is the opposite of taking security seriously.
RE: https://furry.engineer/@soatok/116088639302283341
-
What software companies are not CNAs for their own products, but should be?
@boblord Just so that other people don’t need to guess: CNA = CVE Numbering Authority.