If it’s from a memorable phrase, then the phrase has a lot of redundancy and it’s hard to estimate the actual entropy. Generating a random phrase and writing it on a slip of paper works for me. Keep the paper in your pocket and refer to it when you need to, instead of trying to memorize it. Once you’ve typed it into the computer a few times, you remember it automatically. At that point you can swallow the paper or use your favorite alternate secure disposal method ;).
Yes GPG should add appropriate padding (random initialization vector) to not reveal whether two ciphertexts have the same plaintext. It makes no real attempt to conceal that the two plaintexts have the same length. If you want that, best bet is to make all ciphertexts the same length, by padding plaintexts out to 1MB or whatever, and turning off compression. Actually you might first check the manual to see if there is already an option for that. There are a lot, and I no longer keep track.
Cryptographer’s saying (Silvio Micali, I think): “A good disguise does not reveal the person’s height”. So you are on the right track.
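The fixed-length padding idea above, as an added example (not code from the original comments). The 1 MiB bucket and the 4-byte length header are assumptions of this sketch, and zlib stands in for the compression step an encryption tool might apply before encrypting.

```python
import os
import struct
import zlib

BUCKET = 1024 * 1024          # assumed fixed plaintext size (1 MiB)
HEADER = struct.Struct(">I")  # assumed framing: 4-byte big-endian real length


def pad_fixed(message: bytes, size: int = BUCKET) -> bytes:
    """Frame as length || message || zero fill, always exactly `size` bytes."""
    room = size - HEADER.size
    if len(message) > room:
        # Oversized input must fail loudly; truncating or growing the
        # frame would itself leak the length.
        raise ValueError(f"message is {len(message)} bytes, bucket holds {room}")
    return HEADER.pack(len(message)) + message + bytes(room - len(message))


def unpad_fixed(padded: bytes, size: int = BUCKET) -> bytes:
    """Recover the original message, rejecting malformed frames."""
    if len(padded) != size:
        raise ValueError("unexpected frame size")
    (length,) = HEADER.unpack_from(padded)
    if length > size - HEADER.size:
        raise ValueError("corrupt length header")
    return padded[HEADER.size:HEADER.size + length]


def compressed_len(data: bytes) -> int:
    """Size after zlib compression (stand-in for pre-encryption compression)."""
    return len(zlib.compress(data))


if __name__ == "__main__":
    short = os.urandom(100)      # constructed sample messages
    long_ = os.urandom(50_000)
    a, b = pad_fixed(short), pad_fixed(long_)
    print("padded sizes:    ", len(a), len(b))
    # The zero fill compresses to almost nothing, so compressed sizes
    # track the real message lengths again.
    print("after compression:", compressed_len(a), compressed_len(b))
```

The padded frames are identical in size, but their compressed sizes differ by roughly the difference in message length, which is why compression has to be off for the padding to hide anything. In GnuPG, `--compress-algo none` disables compression.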
No it’s the browser’s fault for enabling the deception. You have to assume that any given website is malicious. The browser is a security product that is supposed to be on our side and protect us from evil websites. Blaming the website for exploiting protection failures puts the responsibility in the wrong place. It’s like taking counterfeit antibiotics, getting sick, and blaming the germs.
SHA1 was the official standard when TOTP started being widely deployed. I wouldn’t worry. If you look at how the hash function is actually used in the TOTP algorithm, it would be very hard to exploit SHA-1’s vulnerability to finding free collisions. It’s much more likely that either the server or the client app gets pwned somehow.
non voip
I think this is not doable. You don’t have access to the voice codec to start with, and the phone at the other end generally won’t receive the bit stream coming out of it anyway. With a non-rooted phone it’s hard to even get to the voice stream. You might be able to send subliminal encrypted text messages through a voice channel and that could be kind of cool, and hard to detect. That idea has been around for a while but I don’t know of existing software that does it.
With VOIP, of course there are many encrypted systems available.
Added: also I assumed throughout that you meant present day mobile phones. With land phones at both ends, it may still be doable using dialup modems, but that was a 1990s thing and was pretty awful when you got down to it. It existed though.
Yes that one. Compare item 9 with https://www.rfc-editor.org/rfc/rfc8890.html
I’m not against commercial web activity obviously. It’s just that the commercial community rightly takes its own side and does a good job of it. Mozilla should correspondingly be only on the users’ side, instead of trying to be on both.
And yes I know which side supplies Mozilla with money. But a pro-user approach to the web’s evolution would IMHO have resulted in browsers staying much simpler than they are now, and therefore less expensive to maintain.
14 minute video. Ok I’ll try to view it later. The culprit is Mitchell Baker’s manifesto or whatever it was called, ditching the end user principle and putting predatory companies on an equal basis, instead of trusting that they would look after themselves perfectly well. The browser should instead be 100% on the user’s side. I’ll look for some links when I get around to it.
“Github for lesbians” sounds like something I could recommend to my friends of that persuasion though.
Added, for those of you who missed the reference: https://xkcd.com/624/
The idea is that your passwords are stored on the phone. You want a separate long random password for each account, so it’s unfeasible to remember them. It’s also a big pain to type every such password on a screen keyboard. Thus, the password and the phone are the same factor.
I have avoided having important passwords on my phone because of this, but some people use their phones more heavily than I do. My more important accounts are only accessed via my laptop, using a TOTP phone app as 2nd factor. I rarely take the laptop out of the house.
Yeah and if your fingerprint is compromised, you can’t update it.
I worry most about the phone, since they get stolen all the time and they are full of software vulnerabilities. For my own phone I’m hoping to use a token to unlock. So that’s two objects from one category but the token should be harder to steal, if the thief even knows about it.
I expect high security stuff like banking ops is done only from on-premises terminals and not from someone’s phone. I will try to ask my buddies in that field.
Physical location can be an auth factor too: you could have a token permanently installed at your desk, so it is activated only when you are there.
You will probably like the book “Security Engineering” by Ross Anderson if you’re not already familiar with it. PDFs of the full 2nd edition and part of the 3rd are here:
Fingerprint might count though I’ve considered fingerprint sensors to be a bit dubious. There was a famous incident in Germany(?) where some government muckymuck called for fingerprint based biometrics in a panel discussion at a security conference. Someone nabbed his water glass afterwards, lifted his fingerprints from it, and fooled a fingerprint reader. You can also duplicate your own fingerprints with Elmer’s glue. Just spread it on your fingertip, let it dry, and peel it off.
Password to unlock the totp app might count. Auth methods include knowledge such as passwords, objects such as tokens, and physical characteristics like fingerprints. 2fa means one thing from each of two categories. So the phone with the app and stored password is one factor, and the memorized app password is the second. But, remembering and entering complex passwords is a pain, and a lockout in the app for too many wrong passwords is a DOS vector (in the event that you get your phone back after such an attack). So it sounds annoying, idk.
I guess you might already have a similar lock on your whole phone anyway, so another one on the app might be redundant.
I have used them and they can give good security but most everyone these days uses phone apps. From an organizational perspective you might use tokens to make it harder for your staff to exfiltrate keys by rooting their phones. For an individual, carrying a FIDO token is potentially more convenient and private than carrying a phone, but the ease of pressing a button vs typing 6 digits isn’t that big a deal unless you do it constantly.
I guess there is another virtue, if you’re using the phone itself as a login device, with a password manager accessible from the phone. In that case, a 2fa app on the same phone is no longer truly a second factor. A token fixes that. I have a to-do item of setting up my phone to use a token to unlock the TOTP app. So that wouldn’t eliminate typing 6 digits. It would just make the TOTP app use real 2FA.
Idk what those apps are but if your work requires them, then you should have a separate work phone that runs whatever your boss wants it to, and your own phone that is degoogled. You want the separate phones for other reasons too, like if there is a problem at work and they need the phone, they get theirs and not yours.
Otherwise, find substitutes for those apps if you have to.
I’m not scared of governments surveying me … they don’t have the time or budget… I’m not scared of data brokers, they don’t want my data, they want to sell it to someone else for a profit and don’t really care about it.
We’re in an era where surveillance is cheap enough that literally everyone gets surveilled, and we’re approaching one where the data will actually get analyzed (by AI) even when there’s no prior expectation that it will be interesting. And while the data sellers might not scare you, what about the buyers? E.g.
Raspberry pi cameras aren’t that bad a deal.