this post was submitted on 05 Dec 2024
185 points (97.9% liked)

Cybersecurity

5847 readers
44 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 2 years ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 58 points 2 weeks ago (5 children)

That's great when my bank only uses sms for mfa though.

Seriously, bank and credit card companies need to get with the program more than me and my friends.

[–] [email protected] 10 points 2 weeks ago (1 children)

Steam. The store front I get my video games from. Has 2-factor authentication with a short time rotating code. To secure my Steam account.

My bank uses SMS and "security questions" aka personal trivia questions.

[–] [email protected] 2 points 2 weeks ago (2 children)

Easy to guess with some social engineering

[–] [email protected] 3 points 2 weeks ago

Or literally anyone who knows you. It's based on the idea that strangers are the ones who will try to screw you over but everyone knows that it's people who you know that end up screwing you over in most cases. So security questions are basically useless in all those cases.

[–] [email protected] 3 points 2 weeks ago

While I agree with you, some people answer these questions with deliberately incorrect answers. If my closest friend tried to compromise my bank account with my security questions, he'd get them all wrong (and even he doesn't know my wrong answers).

Still a bad design, though.

[–] [email protected] 9 points 2 weeks ago (1 children)

Right? Had a bank account once, where the login password could only have up to 8 characters. And only digits.

[–] [email protected] 9 points 2 weeks ago (2 children)

Lucky, mine is 6 (yes, right now in 2024)

[–] [email protected] 5 points 2 weeks ago

I just checked my KeePass and turns out I still have the entry in the recycle bin.
It was 5 digits. Admittedly, that was "back in 2012," but still. For shame, Bank Austria!

[–] [email protected] 3 points 2 weeks ago

Swiss (Cheese) Bank?

[–] [email protected] 2 points 2 weeks ago (1 children)

The only bank that allowed me to use totp was a credit union. You'd think the rich ass banks could afford to hire a developer to set up good MFA.

[–] [email protected] 1 points 2 weeks ago

Yeah, and just for a few months. TOTP really isn't that complicated...

[–] [email protected] 2 points 2 weeks ago

That's a huge part of why I use my brokerage, Fidelity, as my main bank, they support Symantec VIP TOTP. I prefer my regular TOTP solution, but this us miles ahead of literally every other bank I've used.

[–] [email protected] 1 points 2 weeks ago

That's wild

[–] [email protected] 27 points 2 weeks ago

Ok FBI, let me know which ones to use

[–] [email protected] 12 points 2 weeks ago (2 children)

Are there still apps that arnt encrypted?

[–] [email protected] 31 points 2 weeks ago (1 children)

Telegram, for all their security claims, is basically not actually encrypted at all.

[–] [email protected] 6 points 2 weeks ago (11 children)

This is incorrect. Telegram is not end to end encrypted by default. But it is encrypted to and from their servers.

[–] [email protected] 9 points 2 weeks ago

yeah, that means not encrypted. When speaking to a web server, you are one end, and the server is the other. Tls ensures that there isn't a man-in-the-middle.

In case of telegram, you are one end another user is the other end. Telegram themselves are, by design, a man-in-the-middle in this case. I'm not concerned about a different middleman intercepting communications between me and telegram. I'm concerned about any middleman (which includes telegram themselves) intercepting communications between me and my friend.

So no, telegram chats are not encrypted by default. Telegram can read them.

[–] [email protected] 9 points 2 weeks ago (1 children)

TLS isn't sufficient for messaging apps in 2024

[–] [email protected] 9 points 2 weeks ago (1 children)

Except Telegram doesn't use TLS :) They use MTProto.

This is not me endorsing Telegram. I'm just pointing out your mistake. Telegram has other issues but it definitely does have transport encryption.

[–] [email protected] 7 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

The above commenter said that their end-to-end MTProto protocol is not enabled by default.

Defaulting to just using transport encryption like TLS on a messaging app isn't sufficient in 2024.

[–] [email protected] 6 points 2 weeks ago (1 children)

MTProto is not end-to-end. MTProto is their obfuscated client-server transport encryption.

What the commenter above is referring to is Telegram defaulting to saving your messages on the server in plaintext. You can use a "secret chat" which enables end-to-end encryption, but that is separate from MTProto.

Your sentiment is correct though. Messages should not be visible in plaintext to the server.

[–] [email protected] 2 points 2 weeks ago (1 children)

I dont know much about it, but Wikipedia says that MTProto is specifically for "secret chats":

For encrypted chats (branded as Secret Chats), Telegram uses a custom-built symmetric encryption scheme called MTProto.

https://en.m.wikipedia.org/wiki/Telegram_(software)#Architecture

Maybe Wikipedia is misleading here

[–] [email protected] 2 points 2 weeks ago* (last edited 2 weeks ago)

You're right, it is misleading. There are different "flavours" of MTProto. See here:

https://core.telegram.org/mtproto

This page deals with the basic layer of MTProto encryption used for Cloud chats (server-client encryption). See also:

  • Secret chats, end-to-end-encryption

  • End-to-end encrypted Voice Calls

(The major difference is simply whether the server and client share a key or two clients)

[–] [email protected] 2 points 2 weeks ago* (last edited 2 weeks ago)

Luckily I misuse Telegram only as a system notification program.

load more comments (8 replies)
[–] [email protected] 7 points 2 weeks ago (1 children)

There are many where the server owners can see the messages, just not anyone else between the sender and receiver.

Threema and Signal are good options that don’t do this.

[–] [email protected] 3 points 2 weeks ago (1 children)
[–] [email protected] 1 points 2 weeks ago (2 children)

Signal being an American company is also problematic.

These two are the best balance of security/convenience, however.

[–] [email protected] 2 points 2 weeks ago (1 children)

You can create and run your own Signal server if you don't trust Signal.

[–] [email protected] 2 points 2 weeks ago (1 children)

Interesting. Are the server and client open source? Is a self-hosted server interoperable with the main ones?

[–] [email protected] 2 points 2 weeks ago

Signal is completely open source and auditable by anyone: https://github.com/signalapp

if you were to create your own clone, it would not interoperate with the real one.

[–] [email protected] 2 points 2 weeks ago (4 children)

server location and legal jurisdiction shouldn't matter for any truly secure messenger

load more comments (4 replies)
[–] [email protected] 4 points 2 weeks ago

1/20/25: FBI Orders Americans to Use Unencrypted Messaging Apps

[–] [email protected] 2 points 2 weeks ago (4 children)

Why not Matrix ? Its E2E nit just TLS and also it prevents vendor lock in. This way chosing a providor is really about trust and not also about having to chose the same thing what your friends use

[–] [email protected] 1 points 2 weeks ago (1 children)

silly question maybe but after researching China a bit for a few days, I'm genuinely curious: I like supporting the LGBTQ cause, which I could see making me want to avoid Trump probing, but from what I researched, China gov is not against LGBTQ. So is there any specific reason I should fear China looking at my stuff?
Is it basically if I have account info in messages they would hack my accounts?

load more comments
view more: next ›