kurtseifried (he/him)

@kurtseifried
14 Followers
95 Following
663 Posts
FYI I'm moving over to infosec.exchange, let's see how this goes.

@c0dec0dec0de @pluralistic They'll have to install the certs into the browser and hope the stuff they're MitM'ing isn't pinning or using other techniques that are explicitly meant to block this. To quote myself:

If your network security depends on you behaving like a malicious nation-state to your users, you're going to have a bad time long term.

@n0h3r0 @joshbressers Also to be clear I'm not pro "let's ban the groups/countries we don't like", outside of some very limited and clear scenarios (like authoritarian governments not being given the trust of billions of devices and people). With respect to Open Source, freedom #2: The freedom to use. That's a big one, and sort of... a deal breaker. If you limit that freedom, it's not really Open Source anymore. It's Open but with a restrictive license source.
@cautionwip @pluralistic People who rely on other CA hierarchies will have to install them into the Chrome browser, as opposed to installing them on the platform which then all browsers (well-behaved ones anyways) use. You now have to manage certs through Chrome and not your existing platform tools. And you'll get new certs in updates, some places use allow lists and don't just insert new certs willy-nilly. Also, what is the process for Google to add CAs? It's not public/transparent AFAIK.
@n0h3r0 @joshbressers I'm not aware of this in licensing, but this did come up (literally this week in the mailing list https://groups.google.com/a/mozilla.org/g/dev-security-policy) in the new proposed Mozilla root CA rules https://wiki.mozilla.org/CA/Root_Inclusion_Considerations

@cautionwip @pluralistic No, Google's current root store is basically the same as Mozilla/Microsoft/Apple (~140 root certs representing ~90 orgs). Google is in the CCADB.org so chances are the Google Chrome root store will stay generally in line with the platforms it runs on, but of course, there's no guarantee of that. I suspect this is one of those "it reduces support hassle for us because all instances of chrome* have the same cert store" (*except for iOS where Apple doesn't allow it)
@wallingf Heck, what about reproducible? Also if the script is wrong you fix it once, vs. trying to retrain a human, humans that we can't reliably train to use their turn signals in traffic or wash their hands after going to the bathroom. I for one welcome our scripted computer overlords.
@pluralistic So I need to write this up properly, but TL;DR: this is also coming to Google Chrome in the form of Root Server Certificates, you/your platform won't get to choose anymore, Google will, to ensure a "consistent experience across platforms". It's also not clear if you'll be able to modify it easily moving forwards (I assume it will still be possible, but it might get set up as an Enterprise-only feature based on their current language): https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md#can-you-help_i_m-experiencing-problems https://chromeenterprise.google/policies/?policy=ChromeRootStoreEnabled

@wallingf @pluralistic True, but also you get better at this as time goes on, and in automating it, you are forced to actually understand the task, e.g. breaking it down into simple enough steps for a computer to understand with no ambiguity (e.g. "rename the file correctly" means what exactly?), and now you're less of a single point of failure as a human (assuming the task matters to others). Working source code is the ultimate documentation (it works or it doesn't).

I will likely have a considerable amount of screen time in an upcoming Hulu documentary series on the Ashley Madison breach, a story I broke back in 2015.

https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/

It has been one of the most unusual filmmaking projects I've ever been involved in, mainly because we collaborated on research to find some truly fascinating and AFAICT never before disclosed facts about the breach (like who may have been responsible).

https://krebsonsecurity.com/2022/07/a-retrospective-on-the-2015-ashley-madison-breach/

Can't really go into more detail on the project because I don't want to steal their thunder. But I expect to have at least one and probably a series of stories around the Hulu release that delve deeply into our collective research.

I don't know what they will produce, but the untold part of this story is fairly compelling.

https://www.thewrap.com/ashley-madison-affair-hulu-original-docuseries-cheating-dating-website/
