

Matches for ninjashogun, 1788 total results, sorted by newest

Tue Mar 18 01:22:27 UTC 2014  <dignork>   ninjashogun, your javascript is downloaded by firefox, from forgeable location ... p0wned

Tue Mar 18 01:22:04 UTC 2014  <ninjashogun>   the wifi connects either a) to your device or b) to a MITM that connects to your device

Tue Mar 18 01:21:51 UTC 2014  <ninjashogun>   it makes sense to me. You can always assume any computer will have javascript, and a wifi.

Tue Mar 18 01:21:34 UTC 2014  <ninjashogun>   sure

Tue Mar 18 01:21:31 UTC 2014  <ninjashogun>   asciilifeform, I get your point.

Tue Mar 18 01:21:10 UTC 2014  <ninjashogun>   dignork, it doesn't matter who firefox trusts. You can run a complete tunnel using javascript all the way to the final end-point. The whole point of PKI is that it doesn't matter who sniffs packets.

Tue Mar 18 01:20:22 UTC 2014  <ninjashogun>   asciilifeform, okay.

Tue Mar 18 01:19:57 UTC 2014  <ninjashogun>   asciilifeform, ....?

Tue Mar 18 01:19:17 UTC 2014  <asciilifeform>   ninjashogun: suggested experiment. take a radio transmitter (a household walkie-talkie will do) and transmit, with a computer sitting nearby.

Tue Mar 18 01:19:13 UTC 2014  <dignork>   ninjashogun, your Firefox will trust almost any certificate, unless you verify it manually

Tue Mar 18 01:19:03 UTC 2014  <ninjashogun>   However, the current version transfers files in the plain over the USB protocol. It is 100% vulnerable to a USB MITM - which could probably be made so small that it almost fits in a USB drive.

Tue Mar 18 01:18:20 UTC 2014  <ninjashogun>   and it doesn't matter if there are devices in the way.

Tue Mar 18 01:18:06 UTC 2014  <ninjashogun>   asciilifeform, packet capture is not a concern because you can establish a higher secure channel from Firefox on the computer all the way to the final device. This is possible because the device can have a known fingerprint.

Tue Mar 18 01:17:27 UTC 2014  <BingoBoingo>   ninjashogun: My concern with WiFi is packet capture.

Tue Mar 18 01:17:21 UTC 2014  <asciilifeform>   ninjashogun: wifi mitm takes all of five minutes to set up.

Tue Mar 18 01:17:00 UTC 2014  <ninjashogun>   What changes with Wifi? Well, you can still have a man in the middle, but it would be much more prohibitive. It would need a complete access point that connects to the device masquerading as the computer, while exposing itself to the computer and hiding the true signal from the computer. It's possible, but more difficult. And in the end the computer can do a complete secure session (in javascript with the browser) completely defeating the MITM.

Tue Mar 18 01:15:30 UTC 2014  <ninjashogun>   I mean it retains no knowledge of what it signed. The person can't go home and check everything they've signed.

Tue Mar 18 01:15:04 UTC 2014  <ninjashogun>   BingoBoingo, since this device as described does NOT retain the signed document in memory, it is therefore signing something without knowing what it is, if it has been transferred between the PC and storage medium.

Tue Mar 18 01:14:36 UTC 2014  <ninjashogun>   BingoBoingo, also, in my personal opinion as a security observer, a man in the middle attack with a PC (or laptop) being opened, and a second USB host being inserted between the real USB and the device, whose purpose is to subtly alter what is being signed, is a very real risk.
