this post was submitted on 05 Dec 2024
185 points (97.9% liked)

Cybersecurity

5859 readers
235 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] atzanteol@sh.itjust.works 58 points 3 weeks ago (5 children)

That's great when my bank only uses sms for mfa though.

Seriously, bank and credit card companies need to get with the program more than me and my friends.

[–] captain_aggravated@sh.itjust.works 10 points 3 weeks ago (1 children)

Steam. The store front I get my video games from. Has 2-factor authentication with a short time rotating code. To secure my Steam account.

My bank uses SMS and "security questions" aka personal trivia questions.

[–] Eezyville@sh.itjust.works 2 points 3 weeks ago (2 children)

Easy to guess with some social engineering

[–] Draconic_NEO@sh.itjust.works 3 points 3 weeks ago

Or literally anyone who knows you. It's based on the idea that strangers are the ones who will try to screw you over but everyone knows that it's people who you know that end up screwing you over in most cases. So security questions are basically useless in all those cases.

[–] toynbee@lemmy.world 3 points 3 weeks ago

While I agree with you, some people answer these questions with deliberately incorrect answers. If my closest friend tried to compromise my bank account with my security questions, he'd get them all wrong (and even he doesn't know my wrong answers).

Still a bad design, though.

[–] Chais@sh.itjust.works 9 points 3 weeks ago (1 children)

Right? Had a bank account once, where the login password could only have up to 8 characters. And only digits.

[–] MTK@lemmy.world 9 points 3 weeks ago (2 children)

Lucky, mine is 6 (yes, right now in 2024)

[–] Chais@sh.itjust.works 5 points 3 weeks ago

I just checked my KeePass and turns out I still have the entry in the recycle bin.
It was 5 digits. Admittedly, that was "back in 2012," but still. For shame, Bank Austria!

[–] xapr@lemmy.sdf.org 3 points 3 weeks ago

Swiss (Cheese) Bank?

[–] Eezyville@sh.itjust.works 2 points 3 weeks ago (1 children)

The only bank that allowed me to use totp was a credit union. You'd think the rich ass banks could afford to hire a developer to set up good MFA.

Yeah, and just for a few months. TOTP really isn't that complicated...

That's a huge part of why I use my brokerage, Fidelity, as my main bank, they support Symantec VIP TOTP. I prefer my regular TOTP solution, but this us miles ahead of literally every other bank I've used.

[–] Evotech@lemmy.world 1 points 3 weeks ago

That's wild

[–] Thcdenton@lemmy.world 27 points 3 weeks ago

Ok FBI, let me know which ones to use

[–] skeezix@lemmy.world 12 points 3 weeks ago (2 children)

Are there still apps that arnt encrypted?

[–] Supernova1051@sh.itjust.works 31 points 3 weeks ago (1 children)

Telegram, for all their security claims, is basically not actually encrypted at all.

[–] randomperson@lemmy.today 6 points 3 weeks ago (11 children)

This is incorrect. Telegram is not end to end encrypted by default. But it is encrypted to and from their servers.

[–] vrighter@discuss.tchncs.de 9 points 3 weeks ago

yeah, that means not encrypted. When speaking to a web server, you are one end, and the server is the other. Tls ensures that there isn't a man-in-the-middle.

In case of telegram, you are one end another user is the other end. Telegram themselves are, by design, a man-in-the-middle in this case. I'm not concerned about a different middleman intercepting communications between me and telegram. I'm concerned about any middleman (which includes telegram themselves) intercepting communications between me and my friend.

So no, telegram chats are not encrypted by default. Telegram can read them.

[–] jlh@lemmy.jlh.name 9 points 3 weeks ago (1 children)

TLS isn't sufficient for messaging apps in 2024

[–] Opisek@lemmy.world 9 points 3 weeks ago (1 children)

Except Telegram doesn't use TLS :) They use MTProto.

This is not me endorsing Telegram. I'm just pointing out your mistake. Telegram has other issues but it definitely does have transport encryption.

[–] jlh@lemmy.jlh.name 7 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

The above commenter said that their end-to-end MTProto protocol is not enabled by default.

Defaulting to just using transport encryption like TLS on a messaging app isn't sufficient in 2024.

[–] Opisek@lemmy.world 6 points 3 weeks ago (1 children)

MTProto is not end-to-end. MTProto is their obfuscated client-server transport encryption.

What the commenter above is referring to is Telegram defaulting to saving your messages on the server in plaintext. You can use a "secret chat" which enables end-to-end encryption, but that is separate from MTProto.

Your sentiment is correct though. Messages should not be visible in plaintext to the server.

[–] jlh@lemmy.jlh.name 2 points 3 weeks ago (1 children)

I dont know much about it, but Wikipedia says that MTProto is specifically for "secret chats":

For encrypted chats (branded as Secret Chats), Telegram uses a custom-built symmetric encryption scheme called MTProto.

https://en.m.wikipedia.org/wiki/Telegram_(software)#Architecture

Maybe Wikipedia is misleading here

[–] Opisek@lemmy.world 2 points 3 weeks ago* (last edited 3 weeks ago)

You're right, it is misleading. There are different "flavours" of MTProto. See here:

https://core.telegram.org/mtproto

This page deals with the basic layer of MTProto encryption used for Cloud chats (server-client encryption). See also:

  • Secret chats, end-to-end-encryption

  • End-to-end encrypted Voice Calls

(The major difference is simply whether the server and client share a key or two clients)

[–] Appoxo@lemmy.dbzer0.com 2 points 3 weeks ago* (last edited 2 weeks ago)

Luckily I misuse Telegram only as a system notification program.

load more comments (8 replies)
[–] Zachariah@lemmy.world 7 points 3 weeks ago (1 children)

There are many where the server owners can see the messages, just not anyone else between the sender and receiver.

Threema and Signal are good options that don’t do this.

[–] breadcat@sh.itjust.works 3 points 3 weeks ago (1 children)
[–] Zachariah@lemmy.world 1 points 3 weeks ago (2 children)

Signal being an American company is also problematic.

These two are the best balance of security/convenience, however.

[–] breadcat@sh.itjust.works 2 points 3 weeks ago (1 children)

server location and legal jurisdiction shouldn't matter for any truly secure messenger

[–] Zachariah@lemmy.world 0 points 3 weeks ago (1 children)
[–] breadcat@sh.itjust.works 4 points 3 weeks ago (1 children)

if a messenger is truly 0 trust end to end encryption, it doesn't matter who owns the servers or the legal protections of data because they won't have any data anyway. that's why signal is so good, when they get subpoenaed the only information that they actually have is the last connection and message sent unix times or something. still secure regardless of being in the US and being run on centralized Amazon, google, and cloudflare servers.

[–] Zachariah@lemmy.world 2 points 3 weeks ago (1 children)

Then the jurisdiction of software development matters. Don’t want a back door being forced into an update by the FBI.

[–] Supernova1051@sh.itjust.works 1 points 3 weeks ago

The FBI can't just force them to add malicious code. A bad actor could try to contribute bad code, but Signal's devs would likely catch it.

[–] Anticorp@lemmy.world 2 points 3 weeks ago (1 children)

You can create and run your own Signal server if you don't trust Signal.

[–] Zachariah@lemmy.world 2 points 3 weeks ago (1 children)

Interesting. Are the server and client open source? Is a self-hosted server interoperable with the main ones?

[–] Supernova1051@sh.itjust.works 2 points 3 weeks ago

Signal is completely open source and auditable by anyone: https://github.com/signalapp

if you were to create your own clone, it would not interoperate with the real one.

[–] samus12345@lemmy.world 4 points 3 weeks ago

1/20/25: FBI Orders Americans to Use Unencrypted Messaging Apps

[–] imblue@feddit.org 2 points 3 weeks ago (4 children)

Why not Matrix ? Its E2E nit just TLS and also it prevents vendor lock in. This way chosing a providor is really about trust and not also about having to chose the same thing what your friends use

load more comments
view more: next ›