Spotlight7573

joined 1 year ago
[–] Spotlight7573 6 points 1 month ago (1 children)

You mean like https://acceptableads.com/ which is only supported so far by Adblock Plus (and its parent company)?

The problem is until there is some kind of penalty for being too annoying or too resource consuming, it will always be a race to the bottom with more, worse ads. As people add ad blockers to their browsers, the user pool that isn't running them begins to dry up and more ads are needed to keep the same revenue. This results in even more people blocking them.

Two of the things I had hope for on the privacy side was Mozilla's Privacy-Preserving Attribution for ad attribution and Google's Privacy Sandbox collection of features for targeting like the Topics API. Both would have been better for privacy than the current system of granular, individual user tracking across sites.

If those two get wide enough adoption, regulation could be put in place to limit the old methods as there would be a better replacement available without killing the whole current ad supported economy of most sites. I get that strictly speaking from a privacy perspective 'more anonymous/private tracking' < 'no tracking' but I really don't want perfect to be the enemy of better.

[–] Spotlight7573 2 points 1 month ago

While the defaults are typically to use what the browser or OS has for storage and sync of the passkeys, you can use other things.

Like KeePassXC:

https://keepassxc.org/blog/2024-03-10-2.7.7-released/

As for attestation to how the key is stored securely (like in a hardware key), Apple's implementation doesn't support it for iCloud ones, so any site that tries to require it wouldn't work for millions of people. That pretty much kills it except for managed environments (such as when a company provides a hardware key and wants to make sure that's the only thing that's used).

[–] Spotlight7573 6 points 1 month ago

I think you mean that passkeys potentially skip the something you know. The something you have is the private key for the passkey (however it's stored, in hardware or in software, etc). Unlocking access to that private key is done on the local device such as through a PIN/password or biometrics and gives you the second factor of something you know or something you are. If you have your password manager vault set to automatically unlock on your device for example, then that skips the something you know part.

[–] Spotlight7573 1 points 1 month ago

Which is really stupid of them but technically within spec currently.

[–] Spotlight7573 3 points 1 month ago

Only for ones that are explicitly a replacement for them.

gorhill's reasoning from the FAQ:

Will uBO automatically transition to uBO Lite in the Chrome Web Store?

No.

You will have to find an alternative to uBO before Google Chrome disables it for good.

I consider uBO Lite to be too different from uBO to be an automatic replacement. You will have to explicitly find a replacement to uBO according to what you expect from a content blocker. uBO Lite may or may not fulfill your expectations.

[–] Spotlight7573 7 points 1 month ago (2 children)

From the article's second paragraph:

uBlock Origin has launched uBlock Origin Lite, which uses Manifest V3, in response to the transition.

[–] Spotlight7573 14 points 1 month ago (3 children)

A Chromium thing. Some Chromium-based browsers are going to keep some kind of internal ad blocker that has more functionality than MV3 allows for but I don't know of any that are keeping the older functionality for extensions in general.

[–] Spotlight7573 3 points 1 month ago

Your vault is encrypted on your device before it's sent to Bitwarden's servers, so even they don't have access to your passwords and passkeys.

More info on how it is encrypted is here:

https://bitwarden.com/help/what-encryption-is-used/

Pretty much every password manager works like this. Having access to your data would be a liability for them.

[–] Spotlight7573 3 points 1 month ago (1 children)

Does it work like that? Everything I see says they’re tied to that device.

It depends on what kind you want to use. If you want the most security, you can store them on something like a Yubikey, with it only being on that device and not exportable. If you get a new device, you'll need to add that new device to your accounts. For less security but more convenience, you can have them stored in a password manager that can be synced to some service (self-hosted or in the cloud) or has a database file that can be copied.

Fair, I guess I’ve never lost a password because it’s just a text string in my PW manager, not some auth process that can fail if things don’t work just right.

That's fair. It can be a bit of a mess with different browser, OS, and password manager support and their interactions but it has continued to get better as there is more adoption and development.

[–] Spotlight7573 1 points 1 month ago (1 children)

Isn't the sync for keepass-compatible apps just syncing a normal file?

[–] Spotlight7573 3 points 1 month ago

If it makes you feel better, most PINs on modern devices are hardware backed in some way (TPM, secure enclave, etc) and do things like rate limiting. They'll lock out using a PIN if it's entered incorrectly too many times.

 

The Pro Codes Act has been submitted as an amendment to the "must pass" National Defense Authorization Act (NDAA). It allows copyrighted standards to be incorporated by reference into the law, preventing people from accessing or sharing these standards except through the systems the standards development organizations have that "makes all portions of the standard so incorporated publicly accessible online at no monetary cost and in a format that includes a searchable table of contents and index, or equivalent aids to facilitate the location of specific content. " Note that that does not include searchable text, the ability to access it without a login, or any ability to host it elsewhere (such as alongside the laws that incorporate it).

The NDAA bill:

https://rules.house.gov/bill/118/hr-8070

The amendment:

https://amendments-rules.house.gov/amendments/ISSA_180_xml240531155108634.pdf

 

the company says that Recall will be opt-in by default, so users will need to decide to turn it on

125
submitted 5 months ago* (last edited 5 months ago) by Spotlight7573 to c/technology
 

From the article:

Google must face a £13.6bn lawsuit alleging it has too much power over the online advertising market, a court has ruled.

The case, brought by a group called Ad Tech Collective Action LLP, alleges the search giant behaved in an anti-competitive way which caused online publishers in the UK to lose money.

And the actual case at the UK's Competition Appeal Tribunal:

https://www.catribunal.org.uk/cases/15727722-15827723-ad-tech-collective-action-llp

The claims by Ad Tech Collective Action LLP are for loss and damage allegedly caused by the Proposed Defendants’ breach of statutory duty by their infringement of section 18 of the Competition Act 1998 and Article 102 of the Treaty on the Functioning of the European Union. The PCR seeks to recover damages to compensate UK-domiciled publishers and publisher partners, for alleged harm in the form of lower revenues caused by the Proposed Defendants' conduct in the ad tech sector.

 

Upcoming Policy Changes

One of the major focal points of Version 1.5 requires that applicants seeking inclusion in the Chrome Root Store must support automated certificate issuance and management. [...] It’s important to note that these new requirements do not prohibit Chrome Root Store applicants from supporting “non-automated” methods of certificate issuance and renewal, nor require website operators to only rely on the automated solution(s) for certificate issuance and renewal. The intent behind this policy update is to make automated certificate issuance an option for a CA owner’s customers.

 

Google is looking to change the policy of the Chrome Root Store (used by Chrome to verify TLS certificates that protect websites and other services) to require "that applicants seeking inclusion in the Chrome Root Store must support automated certificate issuance and management". They can still provide a manual method for sites that want to get certificates the old way but they will need to have some kind of automated method available.

 

[...]

To provide better security, Google introduced an Enhanced Safe Browsing feature in 2020 that offers real-time protection from malicious sites you are visiting. It does this by checking in real-time against Google's cloud database to see if a site is malicious and should be blocked.

[...]

Google announced today that it is rolling out the Enhanced Safe Browsing feature to all Chrome users over the coming weeks without any way to go back to the legacy version.

The browser developer says it's doing this as the locally hosted Safe Browsing list is only updated every 30 to 60 minutes, but 60% of all phishing domains last only 10 minutes. This creates a significant time gap that leaves people are unprotected from new malicious URLs.

[...]

 

[...]

To provide better security, Google introduced an Enhanced Safe Browsing feature in 2020 that offers real-time protection from malicious sites you are visiting. It does this by checking in real-time against Google's cloud database to see if a site is malicious and should be blocked.

[...]

Google announced today that it is rolling out the Enhanced Safe Browsing feature to all Chrome users over the coming weeks without any way to go back to the legacy version.

The browser developer says it's doing this as the locally hosted Safe Browsing list is only updated every 30 to 60 minutes, but 60% of all phishing domains last only 10 minutes. This creates a significant time gap that leaves people are unprotected from new malicious URLs.

[...]

 

cross-posted from: https://lemmy.world/post/3301227

Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for "high-risk files" (example given is an exe). They're also planning on enabling it by default for Incognito Mode and "sites that Chrome knows you typically access over HTTPS".

 

Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for "high-risk files" (example given is an exe). They're also planning on enabling it by default for Incognito Mode and "sites that Chrome knows you typically access over HTTPS".

 

A hybrid quantum-resistant Key Encapsulation Method combined with a regular elliptic curve backup will be available in Chrome 116 for securing connections.

 

Google Chrome will soon be supporting a hybrid elliptic curve + quantum-resistant Kyber-768 system for key exchange in Chrome 116. This should provide some protection in case the quantum-resistant part has flaws, like some other proposed solutions have had. They're looking into this now to give time for it to get implemented by browsers, servers, and middleboxes, and hopefully prevent Harvest Now, Decrypt Later attacks.

view more: next ›