DiGA: Hackers reveal security vulnerabilities in depression app
The collective Zerforschung was able to access sensitive health data through a security vulnerability in the Austrian depression app Edupression.
Just saw someone implementing user authentication for an #E2EE application by taking the user's password, running it through libsodium's crypto_pwhash with a fixed salt derived from the user's email address, before sending the (email, hash) pair to the remote server... and I'm just like "is this secure?"
I'd always thought you'd want a construct like SRP6a for conducting the authentication between client & server (without the server learning the user's password)... #security #cryptography
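The construction the post describes, with the server-side check a defender would want, as an added example that is not the post author's code: the standard library's hashlib.scrypt stands in for libsodium's crypto_pwhash (an assumption, so PyNaCl is not required), and the email, password and in-memory credential store are constructed.

```python
import hashlib
import hmac
import os

# Stand-in for libsodium's crypto_pwhash (assumption: scrypt plays the same
# role as a memory-hard password hash here).
def pwhash(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=32)

def client_auth_token(email: str, password: str) -> bytes:
    """The post's construction: the salt comes only from the email, so the
    token is identical on every login and on every device (it is
    password-equivalent from the server's point of view)."""
    salt = hashlib.sha256(email.strip().lower().encode()).digest()[:16]
    return pwhash(password.encode(), salt)

# Constructed credential store: email -> (server_salt, verifier)
CREDENTIALS = {}

def server_register(email: str, token: bytes) -> None:
    """The server re-hashes the received token with a per-user random salt,
    so a leaked database does not hand out values that log in directly."""
    server_salt = os.urandom(16)
    CREDENTIALS[email] = (server_salt, pwhash(token, server_salt))

def server_verify(email: str, token: bytes) -> bool:
    record = CREDENTIALS.get(email)
    if record is None:
        return False
    server_salt, verifier = record
    # Constant-time comparison of the recomputed verifier
    return hmac.compare_digest(pwhash(token, server_salt), verifier)

def token_stored_in_clear(email: str, token: bytes) -> bool:
    """Check: the value the client transmits must never sit verbatim in the store."""
    return token in CREDENTIALS.get(email, (b"", b""))

if __name__ == "__main__":
    tok = client_auth_token("alice@example.com", "correct horse")  # constructed sample
    server_register("alice@example.com", tok)
    print(server_verify("alice@example.com", tok))
    print(server_verify("alice@example.com", client_auth_token("alice@example.com", "wrong")))
    print(token_stored_in_clear("alice@example.com", tok))
```

The client-side hash keeps the raw password off the server, but the token itself still travels and must be protected and re-hashed like a password; a PAKE such as SRP6a is what avoids sending any password-equivalent value at all.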
Maybe I am missing the location or it simply doesn't exist, but is there a way to make my account private? I'd like to not have all my posts exposed when someone simply browses to my profile without being signed into an account or following me.
"Export controls and usage controls [on cryptographic software] are slowing the deployment of security at the same time as the Internet is exponentially increasing in size and attackers are increasing in sophistication. This puts users in a dangerous position as they are forced to rely on insecure electronic communication."
Many apps on your phone come with invasive trackers that are difficult to deal with! Our newest #privacy & #security guide teaches how to find trackers and what can be done about them - thanks to tools like @exodus 🫡
Google's added passkeys as a way to get into your Google Accounts. But... what's a passkey? Here's my explainer covering how they work and how they differ from passwords: