social.heise.de is one of many independent Mastodon servers through which you can take part in the Fediverse.
The Mastodon server by and for Heise Medien, in particular the news from heise online.

Server statistics:

38
active profiles

#standards

1 post · 1 participant · 0 posts today

🆕 blog! “How to prevent Payment Pointer fraud”

There's a new Web Standard in town! Meet WebMonetization - it aims to be a low effort way to help users passively pay website owners.

The pitch is simple. A website owner places a single new line in their HTML's <head> - something like this:

<link rel="monetization"…

👀 Read more: shkspr.mobi/blog/2025/03/how-t

#CyberSecurity #dns #HTML #standards #WebMonitization

Terence Eden’s Blog · How to prevent Payment Pointer fraud
More from Terence Eden

Looking at the class action lawsuit by academic peer reviewers claiming publishers constitute an illegal cartel that is misappropriating funding to their research, I am wondering whether #standards professionals could mount a similar action against ISO et al for diverting payment for their work exclusively to standards publishing.

reuters.com/legal/litigation/a

fingfx.thomsonreuters.com/gfx/

Replied in thread

Eyo, that #Euro #Latin connect needs to get up and going.

The #EU should definitely be reaching out to #LatinAmerica, and Latin America should definitely be reaching out to the EU - as well as the #baltics, the #nordics, etc.

Trade must be done, but quality must be kept. Increasing the living and production #standards so that #Europe is happy (by synchronizing those friggin #regulations) means that we can open up the #trade valves.

Let the yankies eat pink slime.
No offence, @georgetakei .

“Buy standards-compliant websites”:

Just loved running into @dontcallmeDOM’s 2002 and @karlcow’s 2006 articles of that name, w3.org/QA/2002/07/WebAgency-Re and w3.org/blog/2006/buy-standards.

They represent a spirit that has been missing for years—staying close to the standards by not only using new features but ensuring one used them right.

(I collect these and more articles on @frontenddogma, as in the conformance archives: frontenddogma.com/topics/confo!)

www.w3.org · Buy standards compliant Web sites — W3C QA · Why and how you should require that Web agencies deliver standard compliant Web sites

🆕 blog! “The least secure TOTP code possible”

If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP).

As I've moaned about before, TOTP has never been properly standardised. It's a mish-mash of half-finished…

👀 Read more: shkspr.mobi/blog/2025/02/the-l

#CyberSecurity #rant #security #standards #totp

Terence Eden’s Blog · The least secure TOTP code possible
More from Terence Eden

The least secure TOTP code possible

shkspr.mobi/blog/2025/02/the-l

If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP)[1].

As I've moaned about before, TOTP has never been properly standardised. It's a mish-mash of half-finished proposals with no active development, no test suite, and no-one looking after it. Which is exactly what you want from a security specification, right?!

So let's try to find some edge-cases and see where things break down.

[Image: QR code for the deliberately weak TOTP enrolment described below (alt text: "One Punch Man")]

This is possibly the least secure TOTP code I could create. Scan it and see whether your app will accept it.

What makes it so crap? There are three things which protect you when using TOTP.

  1. The shared secret. In this case, it is abcdefghijklmno - OK, that's not the easiest thing to guess, but it isn't exactly complex.
  2. The amount of time the code is valid for before changing. Most TOTP codes last 30 seconds, this lasts 120.
  3. The length of the code. Most codes are 6 digits long. In theory, the spec allows 8 digits. This is 1. Yup. A single digit.

If you were thick enough to use this[2], an attacker would have a 1/10 chance of simply guessing your MFA code. If they saw you type it in, they'd have a couple of minutes in which to reuse it.

Can modern TOTP apps add this code? I crowdsourced the answers.

Surprisingly, a few apps accept it! Aegis, 1password, and BitWarden will happily store it and show you a 1 digit code for 120 seconds.

A few reject it. Authy, Google Authenticator, and OpenOTP claim the code is broken and won't add it.

But, weirdly, a few interpret it incorrectly! The native iOS app, Microsoft Authenticator, and KeepassXC store the code, but treat it as a 6 digit, 30 second code.

Do The Right Thing

What is the right thing to do in this case? The code is outside the (very loosely defined) specification. Postel's Law tells us that we should try our best to interpret malformed data - which is what Aegis and BitWarden do.

But, in a security context, that could be dangerous. Perhaps rejecting a dodgy code makes more sense?

What is absolutely daft[3] is ignoring the bits of the code you don't like and substituting your own data! Luckily, in a normal TOTP enrolment, the user has to enter a code to prove they've saved it correctly. Entering in a 6 digit code where only 1 is expected is likely to fail.

We're Only Human

A one-digit code is ridiculous. But what about the other extreme? Would a 128-digit code be acceptable? For a human, no; it would be impossible to type in correctly. For a machine with a shared secret, it possibly makes sense.

On a high-latency connection or with users who may have mobility difficulties, a multi-minute timeframe could be sensible. For something of extremely high security, sub-30 seconds may be necessary.

But, again, the specification hasn't evolved to meet user needs. It is stagnant and decaying.

What's Next?

There's a draft proposal to tighten up the TOTP spec, which has expired.

It would be nice if the major security players came together to work out a formal and complete specification for this vital piece of security architecture. But I bet it won't ever happen.

So there you have it. We're told to rely on TOTP for our MFA - yet the major apps all disagree on how the standard should be implemented. This is a recipe for an eventual security disaster.

How do we fix it?

  1. Yes! Just like Top of The Pops! The famous British TV show! Wow! I bet you're the first person in history to make that joke! Have a biscuit. ↩︎

  2. Please don't! ↩︎

  3. I wanted to use the words "utterly fucking stupid" but I felt it was unprofessional. ↩︎

Terence Eden’s Blog · The least secure TOTP code possible
More from Terence Eden
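The three knobs the post describes (shared secret, period, digit count) are exactly the inputs of RFC 4226 HOTP / RFC 6238 TOTP. The following is an added example, not code from Terence Eden's post or from any of the authenticator apps it names: it computes codes for arbitrary digit/period settings, reproduces the post's 1-in-10 guessing odds for a one-digit code, and shows a strict otpauth URI parser that rejects out-of-range parameters instead of silently substituting 6 digits / 30 seconds. The accepted ranges (6..8 digits, 15..60 seconds) and the otpauth URIs are assumptions constructed for this example; the secret `abcdefghijklmno` is the one from the post, decoded as base32 with the missing padding tolerated.

```python
"""TOTP parameter edge cases (added example, not from the original post).

Implements RFC 4226 HOTP / RFC 6238 TOTP over HMAC-SHA1 and a strict
otpauth parameter check that refuses out-of-range values rather than
quietly falling back to defaults.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Accepted ranges for this example (an assumption, not from any standard):
# RFC 4226 discusses 6..8 digits; 30 s is the RFC 6238 default period.
MIN_DIGITS, MAX_DIGITS = 6, 8
MIN_PERIOD, MAX_PERIOD = 15, 60


def decode_base32_secret(secret: str) -> bytes:
    """Decode an otpauth base32 secret, tolerating missing '=' padding."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, then mod 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(T / period)."""
    return hotp(key, unix_time // period, digits)


def guess_probability(digits: int) -> float:
    """Chance that one random guess matches a code of this length."""
    return 1 / (10 ** digits)


def parse_otpauth_strict(uri: str) -> dict:
    """Parse an otpauth://totp URI; raise ValueError on out-of-range values.

    This is the 'reject' behaviour from the post, as opposed to storing the
    code with substituted defaults.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("missing secret")
    digits = int(q.get("digits", 6))
    period = int(q.get("period", 30))
    if not MIN_DIGITS <= digits <= MAX_DIGITS:
        raise ValueError(f"digits={digits} outside {MIN_DIGITS}..{MAX_DIGITS}")
    if not MIN_PERIOD <= period <= MAX_PERIOD:
        raise ValueError(f"period={period} outside {MIN_PERIOD}..{MAX_PERIOD}")
    return {"secret": decode_base32_secret(q["secret"]),
            "digits": digits, "period": period}


def accepts(uri: str) -> bool:
    """True if the strict parser would enrol this URI."""
    try:
        parse_otpauth_strict(uri)
        return True
    except ValueError:
        return False


# Constructed URIs: the post's weak parameters versus conventional ones.
WEAK_URI = "otpauth://totp/Example:user?secret=abcdefghijklmno&digits=1&period=120"
SANE_URI = "otpauth://totp/Example:user?secret=abcdefghijklmno&digits=6&period=30"

if __name__ == "__main__":
    key = decode_base32_secret("abcdefghijklmno")
    print("1-digit / 120 s code at t=0:", totp(key, 0, digits=1, period=120))
    print("single-guess probability:", guess_probability(1))
    print("strict parser accepts weak URI:", accepts(WEAK_URI))
    print("strict parser accepts sane URI:", accepts(SANE_URI))
```

`hotp` and `totp` follow the RFC vectors (secret `12345678901234567890`, counter 0 gives `755224`; time 59 with 8 digits gives `94287082`), so the same routine that produces a one-digit, two-minute code also produces standard codes; the only thing that changes is the parameters an app is willing to enrol.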

The patent-telecoms-complex has been granted its wish and the move by the EU to regulate #patents embedded in #standards (#SEPs) has been killed. SEP holders prefer expensive, obscure, anti-competitive litigation and were afraid the transparency would harm them so lobbied Council into submission.

juve-patent.com/legal-commenta

This doesn't mean action is not required however. SEPs embedded in the standards we have to obey to comply with the law have got to go. opensource.org/blog/standards-

JUVE Patent · Mixed reaction from market as EU withdraws SEP regulation · By Mathieu Klos

#Europe has been for too long mandating the use of closed #standards, and in 2018 there was an attempt to get them #open by demanding free access to them using #FOIA.

The @EUCommission said "no", those asking for them sued, then appealed, and in the now called "@carlmalamud judgement" the commission was told to grant access.

Who didn't like this? Standards bodies - entities that should be working for a goal and the common good, but instead see their work as a business. In December, #ISO and #IEC sued. Let's see how this evolves...

A better and less summarized description here:
globalnorm.de/en/news-product-

www.globalnorm.de · New development on the "Malamud" case and free provision of standards · What's new in the world of Product & Material Compliance and Standards? Find out now!