From 9b62d88a146cf6583070c8d174e2395f836f7974 Mon Sep 17 00:00:00 2001 From: mfwmyfacewhen <94880365+mfwmyfacewhen@users.noreply.github.com> Date: Sat, 16 Jul 2022 23:37:13 -0500 Subject: [PATCH] Grammar/wording fixes --- content/knowledge/Multi-factor Authentication.md | 14 +++++++++++--- content/os/Linux Insecurities.md | 4 ++-- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/content/knowledge/Multi-factor Authentication.md b/content/knowledge/Multi-factor Authentication.md index cfb7620..6e10e8e 100644 --- a/content/knowledge/Multi-factor Authentication.md +++ b/content/knowledge/Multi-factor Authentication.md 
@@ -10,7 +10,7 @@ author: Tommy ### Email and SMS MFA -Email and SMS MFA are examples of the weaker MFA protocols. Email MFA is not great as whoever controls your email account can typically both reset your password and recieve your MFA verification. SMS on the other hand is problematic due to the lack of any kind of encryption, making it vulnerable to sniffing. [Sim swap](https://en.wikipedia.org/wiki/SIM_swap_scam) attacks, if carried out successfully, will allow an attacker to recieve your one time passcode while locking you out of your own account. In certain cases,websites or services may also allow the user to reset their account login by calling them using the phone number used for MFA, which could be faked with a [spoofed CallerID](https://en.wikipedia.org/wiki/Caller_ID_spoofing). +Email and SMS MFA are examples of the weaker MFA protocols. Email MFA is not great as whoever controls your email account can typically both reset your password and receive your MFA verification. SMS, on the other hand, is problematic due to the lack of any kind of encryption, making it vulnerable to sniffing. [Sim swap](https://en.wikipedia.org/wiki/SIM_swap_scam) attacks, if carried out successfully, will allow an attacker to receive your one time passcode while locking you out of your own account. In certain cases, websites or services may also allow the user to reset their account login by calling them using the phone number used for MFA, which could be faked with a [spoofed CallerID](https://en.wikipedia.org/wiki/Caller_ID_spoofing). Only use these protocols when it is the only option you have, and be very careful with SMS MFA as it could actually worsen your security. 
@@ -50,7 +50,7 @@ Yubico OTP is an inferior protocol compared to TOTP since TOTP does not need tru ### FIDO2 (Fast IDentity Online) -[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards; first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. 
@@ -58,7 +58,15 @@ WebAuthn is the most secure and private form of second factor authentication. Wh {{< youtube id="aMo4ZlWznao">}} +<<<<<<< HEAD Since FIDO2/WebAuthn uses unique cryptographic keys with each internet site, a site pretending to be another one will not be able to get the correct response to the challenge for MFA, making FIDO2/Webauthn is invulnerable phising. It is also because of this authentication mechanism that a physical FIDO2 security key is not identifiable across different services like Yubico OTP. Even better, FIDO2 uses a counter for each authentication, which would help with detecting cloned keys. +======= +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Web services typically use WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. +>>>>>>> f39eaef (Grammar/wording fixes) If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. 
@@ -70,7 +78,7 @@ When buying a security key, it is important that you change the default credenti ### Backups -You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. +You should always have backups for your MFA method. Hardware security keys can get lost, stolen, or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. When using TOTP with an authenticator app, be sure to back up your recovery keys to an offline and encrypted storage device. diff --git a/content/os/Linux Insecurities.md b/content/os/Linux Insecurities.md index 01d9dc5..d93994e 100644 --- a/content/os/Linux Insecurities.md +++ b/content/os/Linux Insecurities.md 
@@ -4,9 +4,9 @@ tags: ['operating system', 'security', 'linux'] author: Tommy --- -There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. This is however, a far cry from reality. +There is a common misconception among privacy communities that Linux is one of the more secure operating systems, either because it is open source or because it is widely used in the cloud. However, this is a far cry from reality. -There is already a very indepth technical blog explaning the various security weaknesses of Linux by Madaidan, [Whonix](https://www.whonix.org/)'s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post. You can find the original article [here](https://madaidans-insecurities.github.io/linux.html). +There is already a very in-depth technical blog explaining the various security weaknesses of Linux by Madaidan, [Whonix](https://www.whonix.org/)'s Security Researcher. This page will attempt to address some of the questions commonly raised in reaction to his blog post. You can find the original article [here](https://madaidans-insecurities.github.io/linux.html). ## Why is Linux used on servers if it is so insecure?
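Review bot: in the Email and SMS MFA hunk of `Multi-factor Authentication.md`, the `+` line still carries `one time passcode` and `Sim swap`; since this commit is a wording pass over that paragraph, hyphenate it as `one-time passcode` and capitalise the acronym as `SIM swap` in the same change.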
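Review bot: the FIDO2 hunk (`@@ -58,7 +58,15 @@`) commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> f39eaef (Grammar/wording fixes)`) into the Markdown, so both versions of the paragraph and the markers themselves will render on the site; resolve the conflict and keep one version before this is merged. If the HEAD version is kept, its sentence `making FIDO2/Webauthn is invulnerable phising` is still broken and should read `making FIDO2/WebAuthn invulnerable to phishing`. If the other version is kept, `Attestation is provided to protect you from phishing attacks` attributes the property to the wrong mechanism: the phishing resistance comes from the origin binding described in the preceding sentence, whereas attestation lets the relying party verify the make and model of the authenticator, so that sentence should be reworded to rest the phishing claim on origin binding.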
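Review bot: in the `Linux Insecurities.md` hunk, `Whonix's Security Researcher` capitalises a job description as a title in running text; lower-case `security researcher` would match the register of the rest of the sentence, and this line is already being edited.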