On Nov 12, 2013, at 8:56 AM, Robin Wilton <[email protected]> wrote:

> For once, I am delighted that the LinkedIn authentication URL embedded in
> their emails to me never works...
> (the redirect to LinkedIn seems to work, but then the site goes into a tight
> loop for some reason I am really not motivated to figure out).

Doesn't matter. Their goal is to exploit you, not the server. So as long as you log into A site where examining page content in the clear can identify you as you, this One Simple Trick (tm) works.

There are also tons of other targets if you don't mind being a little less discriminate. E.g. advertising elements in the clear.

> Incidentally, if I understood Nick's analysis correctly, steps (b) and (c)
> are a good example of why I distrust app-based clients for services like
> LinkedIn - because it seems far harder to stop them using replayable
> long-term tokens than it is to stop a browser from doing so.

A bigger reason to not use app-based clients is the advertisement libraries, which tend to also run in the clear and introduce their own horrid suite of vulnerabilities which are also ripe targets for packet injection, either from the backbone or on the local WiFi:

http://www.fireeye.com/blog/technical/2013/10/ad-vulna-a-vulnaggressive-vulnerable-aggressive-adware-threatening-millions.html

Overall, IMO, Android is only secure if you never install any applications. As soon as you install too many random applications (especially advertisement-sponsored applications) from the Google Play store, your phone should be assumed to be vulnerable to network-based attacks from any adversary who can see your traffic.

iOS is much better in this respect, simply because without escalating to root (a jailbreak exploit), even a corrupted app can't do all that much, since Apple provides a MUCH more limited API and privacy-sensitive items are prompted on first use.

--
Nicholas Weaver                  it is a tale, told by an idiot,
[email protected]          full of sound and fury,
510-666-2903                     .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
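As an added example (not from the thread or from any of its participants), the following Python audit applies the two conditions Nick describes to a proxy-style export of a device's traffic from a defender's side: cleartext (http://) requests that carry a session cookie or an Authorization header, which let an on-path observer tie the flow to a specific user, and cleartext fetches of executable resources such as ad-SDK scripts, which are the injection surface for those libraries. The record format, the host names and the sample requests are constructed assumptions, not real captured traffic.

```python
"""Audit captured HTTP request records for the two cleartext conditions the
thread describes: identifying headers sent without TLS, and executable content
fetched without TLS. Record format and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Headers whose presence on a cleartext request lets an on-path observer
# tie the flow to a specific account (the "identify you as you" condition).
IDENTIFYING_HEADERS = {"cookie", "authorization"}

# Resource types a client executes; fetched in the clear they are the natural
# place for an on-path injector to substitute content (ad-SDK scripts etc.).
ACTIVE_CONTENT_SUFFIXES = (".js", ".apk", ".jar", ".dex", ".swf")


@dataclass(frozen=True)
class Finding:
    url: str
    kind: str      # "cleartext-session" or "cleartext-active-content"
    detail: str


def _header_names(headers: Dict[str, str]) -> set:
    """Header names are case-insensitive; normalise before matching."""
    return {name.lower() for name in headers}


def audit_requests(requests: Iterable[Dict]) -> List[Finding]:
    """Return one Finding per cleartext request that is identifying or that
    loads active content. TLS flows are skipped: an on-path observer cannot
    read them, which is exactly the property the cleartext ones lack."""
    findings: List[Finding] = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "http":
            continue
        headers = req.get("headers", {})
        identifying = sorted(_header_names(headers) & IDENTIFYING_HEADERS)
        if identifying:
            findings.append(Finding(req["url"], "cleartext-session",
                                    "sends " + ", ".join(identifying)))
        if parts.path.lower().endswith(ACTIVE_CONTENT_SUFFIXES):
            findings.append(Finding(req["url"], "cleartext-active-content",
                                    "executable resource fetched without TLS"))
    return findings


def summarize_by_host(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group finding kinds per host so third-party (ad) hosts stand out from
    the app's own first-party traffic."""
    summary: Dict[str, set] = {}
    for f in findings:
        host = urlsplit(f.url).hostname or "?"
        summary.setdefault(host, set()).add(f.kind)
    return {host: sorted(kinds) for host, kinds in sorted(summary.items())}


# Constructed sample records (hypothetical hosts, placeholder credentials):
# what a proxy export of an ad-sponsored app's traffic might look like.
SAMPLE_REQUESTS = [
    {"url": "https://www.example-social.test/feed/",
     "headers": {"Host": "www.example-social.test", "Cookie": "sid=REDACTED"}},
    {"url": "http://www.example-social.test/notifications",
     "headers": {"Host": "www.example-social.test", "Cookie": "sid=REDACTED"}},
    {"url": "http://ads.example-adnetwork.test/sdk/loader.js",
     "headers": {"Host": "ads.example-adnetwork.test",
                 "User-Agent": "ExampleApp/1.0 (Android)"}},
    {"url": "http://ads.example-adnetwork.test/track?id=123",
     "headers": {"Host": "ads.example-adnetwork.test",
                 "Authorization": "Bearer REDACTED"}},
    {"url": "http://cdn.example-app.test/logo.png",
     "headers": {"Host": "cdn.example-app.test"}},
]

if __name__ == "__main__":
    results = audit_requests(SAMPLE_REQUESTS)
    for f in results:
        print(f"{f.kind:26} {f.url}  ({f.detail})")
    print(summarize_by_host(results))
```

Only the http:// records produce findings: the first-party host shows up once for a session cookie sent in the clear, while the ad-network host is flagged both for a cleartext script load and for a cleartext bearer token, which is the pattern the thread is warning about. The same audit runs unchanged over a real proxy export once the records are mapped to the url/headers shape assumed here.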
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
