Tor Browser 9.0.9 released, fixes several security vulnerabilities:

blog.torproject.org/new-releas

– Based on FF 68.7.0esr.
– Updates for NoScript (11.0.23) and OpenSSL (1.1.1f).

Tails 4.5 (Tor-focussed operating system) released:

tails.boum.org/news/version_4.

– Supports Secure Boot.
– Updates for Tor Browser (9.0.9).

Tor Browser 9.0.8 released, fixes two critical security vulnerabilities:

blog.torproject.org/new-releas

– Based on FF 68.6.0esr.
– For Firefox updates (74.0.1 and 68.6.1esr), see mozilla.org/en-US/security/adv.

Hello friends in the Fediverse! 🙂 Time for another poll:

If you read "fully encrypted solution," what is your understanding of "fully encrypted"?

For me, "fully encrypted" means …

Webbkoll:

The developer version of Webbkoll now detects report-to and report-uri directives in the Content-Security-Policy header of websites. Webbkoll shows if CSP reports are sent to a third-party endpoint. Similar HTTP headers will be detected in the future.

Test it yourself: webbkoll-dev.dataskydd.net/

We originally suggested this feature (see github.com/andersju/webbkoll/i for further information).
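The check Webbkoll performs here, as an added example that is not Webbkoll's own code: parse the Content-Security-Policy header for `report-uri` and `report-to`, resolve `report-to` group names through the `Report-To` header (and its newer successor `Reporting-Endpoints`), and flag every reporting endpoint whose registrable domain differs from the site's. The site URL and response headers below are constructed sample data, and the registrable-domain check is a deliberate simplification (last two labels instead of the Public Suffix List).

```python
"""Find where a site's Content-Security-Policy violation reports are sent.

A CSP can name a reporting endpoint in two ways:
  - report-uri <url>    (CSP level 2, deprecated but widely deployed)
  - report-to <group>   (CSP level 3; the group is defined in the
                         Report-To or Reporting-Endpoints header)
Each endpoint is classified as first or third party relative to the site.
"""
import json
from urllib.parse import urljoin, urlsplit


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [values]}.

    Directives are ';'-separated; the first token is the (case-insensitive)
    directive name, the remaining tokens are its values.
    """
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def parse_report_to(header: str) -> dict:
    """Parse a Report-To header into {group_name: [endpoint_url, ...]}.

    Report-To carries one JSON object per group, comma-separated without
    surrounding brackets, so wrapping it in [] yields a valid JSON array.
    """
    if not header.strip():
        return {}
    groups = {}
    for group in json.loads("[" + header + "]"):
        name = group.get("group", "default")  # spec default when omitted
        groups[name] = [ep["url"] for ep in group.get("endpoints", [])]
    return groups


def parse_reporting_endpoints(header: str) -> dict:
    """Parse Reporting-Endpoints, e.g.  csp="https://a.example/r", x="https://b.example/r".

    Simplified dictionary parsing; assumes no commas inside the quoted URLs.
    """
    endpoints = {}
    for member in filter(None, (m.strip() for m in header.split(","))):
        name, _, url = member.partition("=")
        endpoints[name.strip()] = [url.strip().strip('"')]
    return endpoints


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain by the last two labels.

    Simplification: a production checker should use the Public Suffix List
    so that e.g. 'a.co.uk' is not treated as the same site as 'b.co.uk'.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def report_endpoints(site_url: str, headers: dict) -> list:
    """Return one record per reporting endpoint the CSP points at.

    `headers` maps lower-cased header names to values (HTTP header names are
    case-insensitive). A report-to group that no header defines is returned
    with url=None so the misconfiguration is visible rather than silent.
    """
    site_domain = registrable_domain(urlsplit(site_url).hostname)
    csp = parse_csp(headers.get("content-security-policy", ""))
    groups = parse_report_to(headers.get("report-to", ""))
    groups.update(parse_reporting_endpoints(headers.get("reporting-endpoints", "")))

    def record(directive, url, group=None):
        host = urlsplit(url).hostname if url else None
        return {
            "directive": directive,
            "group": group,
            "url": url,
            "third_party": bool(host) and registrable_domain(host) != site_domain,
        }

    records = []
    for uri in csp.get("report-uri", []):
        # report-uri may be relative; resolve it against the page URL.
        records.append(record("report-uri", urljoin(site_url, uri)))
    for group in csp.get("report-to", []):
        urls = groups.get(group)
        if not urls:
            records.append(record("report-to", None, group))
        for url in urls or []:
            records.append(record("report-to", url, group))
    return records


# Constructed sample: a hypothetical site whose report-uri is local but whose
# report-to group points at an external collector (not real data).
SAMPLE_SITE = "https://www.example.org/"
SAMPLE_HEADERS = {
    "content-security-policy": (
        "default-src 'self'; script-src 'self'; "
        "report-uri /csp-report; report-to csp-endpoint"
    ),
    "report-to": (
        '{"group":"csp-endpoint","max_age":10886400,'
        '"endpoints":[{"url":"https://collector.csp-vendor.example/r"}]}'
    ),
}

if __name__ == "__main__":
    for rec in report_endpoints(SAMPLE_SITE, SAMPLE_HEADERS):
        flag = "THIRD PARTY" if rec["third_party"] else "first party"
        print(f"{rec['directive']:<10} {rec['url']}  -> {flag}")
```

Every browser that enforces the policy will POST a violation report (including the page URL and the blocked resource) to these endpoints, which is why a third-party collector is privacy-relevant even when the rest of the CSP is strict.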

Jitsi Meet's default landing page:

As an admin, you should remove or modify the default text of your landing page since it incorrectly states that Jitsi calls are fully encrypted.
We already reported this (github.com/jitsi/jitsi-meet/is).

The screenshot shows this incorrect statement in German. In this example, the admin decided to mention the absence of full encryption somewhere in the privacy policy. This could be far more prominent and transparent.

To Jitsi admins:

– Add a privacy policy (or a link to it) to your landing page.
– Be aware of Google STUN servers in your configuration (see also github.com/jitsi/jitsi-meet/pu).
– Change the default text of the landing page since it may incorrectly state that Jitsi is fully encrypted.
– Try to deploy HTTP security headers, like a strict Content Security Policy.
– Keep your server software up-to-date (see also infosec-handbook.eu/as-wss/).
– Be nice to each other.
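The checklist above, turned into an offline audit you can run against a saved copy of an instance's landing page, its response headers and its config.js. This is an added example, not Jitsi's code and not the script used for the survey in the follow-up post; the HTML, headers and config.js below are constructed sample input, the tracker and header lists are a minimal starting point, and the "fully encrypted" match only covers the English default text (localized variants would need their own phrases).

```python
"""Offline audit of a Jitsi Meet instance against the admin checklist:
privacy policy link, tracking code, Google STUN servers, HTTP security
headers and the misleading "fully encrypted" default landing text.
"""
import re

# Substrings that indicate third-party analytics (Google Analytics / Tag
# Manager) or the Jitsi config.js option that turns Google Analytics on.
TRACKER_PATTERNS = (
    "google-analytics.com",
    "googletagmanager.com",
    "gtag(",
    "googleAnalyticsTrackingId",
)
SECURITY_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "referrer-policy",
)


def has_privacy_policy_link(html: str) -> bool:
    """True if some <a> element's href or link text mentions a privacy policy
    (English or German, since many public instances are German-hosted)."""
    links = re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.S | re.I)
    return any(re.search(r"privacy|datenschutz", href + " " + text, re.I)
               for href, text in links)


def trackers(html: str, config_js: str) -> list:
    blob = html + config_js
    return [p for p in TRACKER_PATTERNS if p in blob]


def stun_servers(config_js: str) -> list:
    """Jitsi lists STUN servers as 'stun:host:port' strings (p2p.stunServers)."""
    return re.findall(r"stun:[A-Za-z0-9.\-]+(?::\d+)?", config_js)


def google_stun_servers(config_js: str) -> list:
    # Every P2P call performs STUN binding requests, so a Google STUN server
    # learns the participants' IP addresses even if no media goes via Google.
    return [s for s in stun_servers(config_js) if ".google.com" in s]


def missing_security_headers(headers: dict) -> list:
    present = {name.lower() for name in headers}  # header names are case-insensitive
    return [h for h in SECURITY_HEADERS if h not in present]


def claims_full_encryption(html: str) -> bool:
    return "fully encrypted" in html.lower()


def audit(html: str, headers: dict, config_js: str) -> list:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    if not has_privacy_policy_link(html):
        findings.append("no privacy policy link on landing page")
    findings += [f"tracking code present: {t}" for t in trackers(html, config_js)]
    findings += [f"Google STUN server configured: {s}" for s in google_stun_servers(config_js)]
    findings += [f"missing header: {h}" for h in missing_security_headers(headers)]
    if claims_full_encryption(html):
        findings.append("default landing text still claims 'fully encrypted'")
    return findings


# Constructed sample instance (not a real deployment): default-style claim,
# Google Tag Manager, no privacy link, only HSTS set, Google STUN in config.js.
SAMPLE_HTML = """<html><body>
<h1>Jitsi Meet is a fully encrypted, 100% open source video conferencing solution</h1>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-0000000-1"></script>
<a href="/about">About</a>
</body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"}
SAMPLE_CONFIG_JS = """var config = {
    p2p: { enabled: true, stunServers: [ { urls: 'stun:stun.l.google.com:19302' } ] },
};"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, SAMPLE_HEADERS, SAMPLE_CONFIG_JS):
        print("-", finding)
```

To audit a live instance, save the landing page, its headers and `/config.js` with your HTTP client of choice and feed the three strings to `audit()`; the checks are string-based on purpose so they work on archived copies as well.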

Follow-up post regarding Jitsi instances:

forum.privacytools.io/t/zoom-v

We briefly checked the landing pages of 72 public Jitsi instances:

– 92% didn't contain a link to a privacy policy.
– 10% contained tracking code, like Google Analytics.
– Only 11% didn't embed tracking code AND linked to a privacy policy that likely meets requirements of the GDPR.

Zoom vs. Jitsi:

forum.privacytools.io/t/zoom-v

– Neither Zoom nor Jitsi is always end-to-end encrypted.
– The Zoom and Jitsi apps and web clients contain trackers and tons of JavaScript.
– Zoom's privacy policy has some issues, but the vast majority of Jitsi instances have no privacy policy at all.

Always talk about pros and cons. Don't skip the drawbacks of so-called "alternatives."

Firefox 74.0.1 and Firefox ESR 68.6.1 available:

mozilla.org/en-US/security/adv

⚠️ These updates fix two security vulnerabilities that are already exploited in targeted attacks. ⚠️

Marriott International Inc – new data breach affecting 5.2 million guests:

reuters.com/article/us-marriot

– Information of about 5.2 million hotel guests was breached.
– Including contact details, loyalty account information, gender, DOB, and more.
– Account passwords, payment card information and passport information were not a part of the breach.

Monthly review, March 2020:

infosec-handbook.eu/blog/2020-

– news: coronavirus-related news, Let’s Encrypt’s certificate revocation, new attacks on hardware, issues with Tor Browser, and more
– tool: USBGuard
– recent activity on infosec-handbook.eu/

New OpenWRT vulnerability? No.

The security vulnerability CVE-2020-7982 has been publicly known since early February 2020. Somehow, some bloggers re-discovered the vulnerability this week and started to warn users.

However, the vulnerability was fixed more than a month ago, see chaos.social/@infosechandbook/.

Turris Omnia users: This was fixed in Turris OS 3.11.14, released on Feb 5, 2020.

Tails 4.4.1 (Tor-focussed operating system) released:

tails.boum.org/news/version_4.

– Updates for Tor Browser (9.0.7, including workaround for FF ESR vulnerability ⚠️), Tor, and Thunderbird (68.6.0).
– ⚠️ This is an emergency release that fixes several security vulnerabilities in Tor and Tor Browser. ⚠️

Tor Browser 9.0.7 released, fixes a security vulnerability:

blog.torproject.org/new-releas

⚠️ This is a workaround for a Firefox ESR vulnerability in Tor Browser 9.0.6, which allows JavaScript execution in some situations. ⚠️

– JS is disabled on "Safest" level.
– Updates for Tor (0.4.2.7), and NoScript (11.0.19).

MS Windows – new 0-day RCE vulnerability in the Adobe Type Manager Library:

portal.msrc.microsoft.com/en-U

– All supported Windows versions (7–10, Server 2008–2019) are affected.
– Several workarounds are available; security updates will be released soon.
– The vulnerability is reportedly being exploited in limited, targeted attacks.


chaos.social – a Fediverse instance for & by the Chaos community