You need to stop using Chrome NOW. It’s not hyperbole: Google just rolled out a change to Chrome that tracks the sites you visit, builds a profile, and shares that with any page you visit that asks.
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
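As an added example (not part of the original thread), the Python below parses the otpauth:// payload that a 2FA QR code carries, decodes the seed and derives codes from it, using the RFC 6238 test key; the sample URI is constructed. It shows why the seed is the whole secret: any holder of the seed, including whoever can read an unencrypted sync, computes exactly the codes the server does.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample QR payload: the seed is the RFC 6238 test key
# "12345678901234567890" in base32, so the codes match the RFC's vectors.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

def parse_otpauth_uri(uri: str) -> dict:
    """Pull label, base32 seed and parameters out of an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }

def decode_base32_secret(secret: str) -> bytes:
    """QR payloads usually omit base32 padding; restore it before decoding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(seed: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the output depends only on seed and time."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def code_from_uri(uri: str, unix_time: int) -> str:
    """Anyone holding the QR payload (or a synced copy of it) can do exactly this."""
    p = parse_otpauth_uri(uri)
    return totp(decode_base32_secret(p["secret"]), unix_time, p["digits"], p["period"])

def verify_code(seed: bytes, submitted: str, unix_time: int, digits: int = 6,
                period: int = 30, window: int = 1) -> bool:
    """Server-side check: tolerate one step of clock drift, compare in constant time."""
    return any(hmac.compare_digest(totp(seed, unix_time + d * period, digits, period), submitted)
               for d in range(-window, window + 1))
```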
"... the website loads in a special browser built into the app, rather than your phone’s default browser. In 2022, privacy researcher Felix Krause found that Meta injects special “keylogging” JavaScript onto the website you’re visiting that allows the company to monitor everything you type and tap on, including passwords. Other apps including TikTok do the same thing."
Infosec friends are unanimous: if you're using Chrome, you want to visit chrome://settings/adPrivacy and turn off Ad Topics, Site-Suggested Ads, and Ad Measurement.
IMPORTANT: you must do this for each of your Chrome profiles, since it's not a global setting.
There’s been an increasing call in recent weeks and months for encryption to have government ‘backdoors’ put into them. This is a bad idea. No really, it’s an incredibly bad idea. Even if we took the assumption that it is a push that’s made with only the purest of intentions, and the government universal key is kept...
This December, if there’s one tech New Year’s resolution I’d encourage you to have, it’s switching to the only remaining ethical web browser, Firefox. According to recent posts on social media, Firefox’s market share is slipping. We should not let that happen. There are two main reasons why switching is important.
Firefox is the only major browser not built by a company that makes money from advertising and/or selling your personal data. There’s been a lot of talk about websites tracking users using cookies, fingerprinting and other nefarious technologies that hurt your privacy. But owning the browser puts Google, Apple and Microsoft in a position where they don’t even need those tricks. We need to use browsers that are independent, and right now that means Firefox.
Browser engine monopoly
Wikipedia lists four browser engines as being “active”. Browser engines are the bits that take a web page’s code and display it on your screen. Ideally, they conform to the official W3C standards, and display all elements as it describes. If that’s the case, web developers can easily write sites that work on all browsers. No proprietary vendor lock-in nonsense, just glorious open standards at work.
It’s happened before
In the early 2000s, Internet Explorer had a massive 95% market share. This meant that many sites were only developed for use with IE. They’d use experimental features that IE supported, in favor of things from the official HTML standard. This was a very bad situation, which hindered the development of the World Wide Web.
Currently, Chrome, Safari and Edge all use variations of the closely related WebKit and Blink engines. If we want to avoid another browser engine monopoly, we need to support Firefox, and its “Gecko” engine.
Firefox is actually really good
If Firefox were a bad browser, I would not recommend that you switch. It’s fast, has a nice user interface, and feels every bit as modern and elegant as its competition. I’ve been using it as my main browser for a couple of years now, on Linux, Windows, MacOS and Android. As a web developer, I usually have at least three browsers open, but when I go look something up on the web, I pick Firefox.
#OrganicMaps is here. Use it while offline and feel good about a #privacy-respecting app that doesn't suck you dry of your personal information. Based on #OpenStreetMap this app is gonna blow #Google #Maps out of the water (hopefully ;)
📢 The EU Parliament will not be moving forward with chat control! The indiscriminate mass surveillance measures have been removed and secure end-to-end encryption will not be compromised! 🥳
So #Meta's new #Threads app needs your health and fitness info. It also needs your browsing history and your location, and your purchases, and...well, it seems to need everything. If you want to get fully creeped out, here's the whole #privacy policy: https://privacycenter.instagram.com/policy/.
Stories like this remind us why being mindful of protecting one's privacy online is important and that "private" messages in the majority of places aren't private at all without end-to-end encryption.
Be mindful of what sensitive data you're relinquishing to companies.
I read that #Meta has launched #Threads and many don't understand why it's not fully usable via the web but only through a dedicated mobile app. Meta isn't interested in letting us talk but rather in collecting as much data as possible. Browsers have become (more) skilled at protecting us, while apps can have almost complete access to our mobile devices, gathering data that an average person couldn't even imagine. And our mobile devices have become the safe (or should I say, the exposed pantry?) of our lives. #privacy #datacollection #SocialNetworks
Consent-O-Matic is a browser extension that auto-responds to all the #GDPR and similar consent popups with optimal user preferences.
Unlike the extension "I don't care about cookies" which just accepts all cookies, Consent-O-Matic clicks the prompts on your behalf to reject most of the cookies. You can also choose what to accept/reject in the preferences.
Available for Firefox, Chrome and others.
I've been using this on Firefox for quite some time now and it works great!
🚨 Another EU mass surveillance attempt. Will kill privacy on web. Must not pass. 🚨
“[A]ll web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments.
These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU.”
We are currently witnessing the fallout from monopolization in the browser space. Back in 2007, Internet Explorer received much criticism for its phishing protection mechanism which transmitted all visited websites to Microsoft servers. Mozilla paired up with Google and designed a different system which performed most checks locally and preserved users’ privacy. That’s what healthy competition looks like.
Fast forward to 2023. Almost all web browsers in use are either Chrome or based on the Chromium browser engine. With the competition pretty much eliminated, Google is now pushing its “Enhanced Safe Browsing” down everyone’s throats – which is a nice sounding name for “every website you visit is sent to our servers.” The Internet Explorer approach from 2007 all over again, only that now it’s Google getting all this data. And they certainly won’t do anything evil with it. Yeah, sure.
Reminder: Firefox and Safari are the only remaining browsers worth noting which are not using Google’s browser engine.
Privacy tip: When you sell or trade in a vehicle, remember to erase all of your data from the in-car electronics. The car dealerships will NOT do this, although they should be required to.
This wasn’t done for the last few vehicles I’ve purchased. I know one previous owner's name, where she lives, what her taste in music is, where her dad lives (and how often she visited him), and what restaurants she often went to. In the wrong hands, this is dangerous as hell.
Encryption With A Back Door Is NOT Encryption (ktetch.co.uk)
iOS AppStore privacy preview for Meta’s upcoming ActivityPub-based app Threads