I don't need something to protect the privacy of others from me, I need something to protect my privacy from others. The majority of people who use smart glasses are not going to be using this - where is the product that will protect me from them?
> Make an RSA key of 4096 bits. Call it your personal key.
This is bad advice - making a 4096 bit key slows down visitors of your website and only gives you 2048 bits of security (if someone can break a 2048 bit RSA key they'll break the LetsEncrypt intermediate cert and can MITM your site). You should use a 2048 bit leaf certificate here.
Amateur question: does a 4096 not give you more security against passive capture and future decrypting? Or is the intermediate also a factor in such an async attack?
I thought FS only protected other sessions from leak of your current session key. How does it protect against passive recording of the session and later attacking of the recorded session in the future?
If using a non-FS key exchange (like RSA) then the value that the session key is derived from (the pre-master secret) is sent over the wire encrypted using the server's public key. If that session is recorded and in the future the server's private key is obtained, it can be used to decrypt the pre-master secret, derive the session key, and decrypt the entire session.
If on the other hand you use a FS key exchange (like ECDHE), and the session is recorded, and the server's private key is obtained, the session key cannot be recovered (that's a property of ECDHE or any forward-secure key exchange), and none of the traffic is decryptable.
The certificate is for authentication of the server. It has nothing to do with the encryption of the data.
Basically forward secrecy is where both the sender and receiver throw away the key after the data is decrypted. That way the key is not available for an attacker to get access to later. If the attacker can find some way other than access to the key to decrypt the data then forward secrecy has no benefit.
Unless details were intentionally changed that narrows it down to two companies that are not US based, despite being traded on Nasdaq. The other two are an ETF and a SPAC.
Worth noting, because many people seem to assume these folks are based in SV
> If that's the case, then there's not much to see here
They could have demonstrated the POC without sending data about the installing host, including all your environment variables, upstream. That seems like crossing the line.
One of the automakers in the article claims that it voids your warranty. It may or may not, but enjoy the legal battle should you ever need to make a claim.
Chrome/Firefox/curl do allow exporting this by setting the `SSLKEYLOGFILE` environment variable, but as another poster points out this would let anyone with access to your hard drive decrypt your historical traffic.
I continue to request my reports via certified mail to the annualcreditreport address, and this time for the first year Equifax just ... didn't reply. Completely ignored my request.
Submit a complaint via the CFPB. They most certainly will then respond.
I had a frustrating experience trying to obtain my consumer report from Early Warning Services, a less-known alternative to Chex Systems. Their process for requesting a report was unnecessarily complex and seemed designed to discourage users.
Initially, I had to navigate to a hidden webpage, which then directed me to a PDF form. This step alone was convoluted. After filling out the form, I discovered a line within the PDF that provided a link to a consumer portal, which looked like it hadn't been updated since the early 2000s.
The next step required me to create an account on this outdated portal, upload the completed PDF, and wait for a response.
However, my troubles didn't end there. For reasons unknown to me, my account was suddenly deleted. When I reached out to their IT support for help, they were clueless about the reason behind this issue.
Fed up with the lack of support and transparency, I decided to file a complaint with the Consumer Financial Protection Bureau (CFPB). To my surprise, this action prompted a swift response from Early Warning Services. Within just two days of filing the complaint, they sent me my consumer report.
Do you have your credit frozen with just Equifax, or something? Just trying to think of vanilla (i.e. incompetence rather than malice) reasons to explain this. Of course, it goes without saying that they all suck...
It's a common bypass of server-side request forgery filtering. Backends will try to validate that a user-submitted URL doesn't resolve to an internal IPv4 address, but they'll happily allow an IPv6-mapped version of the same IPv4 address.
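The filter weakness described in the comment above, shown as an added example (not code from any project mentioned in the thread): a naive IPv4-only check beside a check that unwraps IPv4-mapped IPv6 literals before classifying the address. All function names and sample URLs are constructed for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def naive_is_internal(addr_text):
    """The weak check: only recognises plain IPv4 literals, so
    '::ffff:127.0.0.1' falls through and is treated as external."""
    try:
        addr = ipaddress.IPv4Address(addr_text)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback


def _unwrap_ipv4_mapped(addr):
    """::ffff:a.b.c.d is an IPv6 address carrying an IPv4 address;
    classify the inner IPv4 address instead of the IPv6 wrapper."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_internal_address(addr_text):
    """Hardened check: parses both address families, unwraps mapped
    addresses, and rejects every special-use range, not just RFC 1918."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        # Not a literal: the caller must resolve the name and re-check
        # each resolved address with this function.
        return False
    addr = _unwrap_ipv4_mapped(addr)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def url_targets_internal(url):
    """True when the URL's host is a literal pointing at internal space.
    urlsplit() strips the [] around IPv6 literals for us."""
    host = urlsplit(url).hostname
    if host is None:
        return True  # no host at all: refuse rather than guess
    return is_internal_address(host)
```

Hostnames still have to be resolved and every returned address checked (ideally by connecting to the validated address rather than the name), which this snippet leaves to the caller.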