As I understand it, the “big win” of going to U2F is that your key will only respond to the challenge after the browser verifies that it’s talking to the same site that was used for initial setup. You initialize a key for facebook.com, then it will never be used to answer a challenge for facabook.com. The thing is, password managers already solve this problem for your first factor. If I clicked on one of the phishing examples in the post, got a Google login prompt, then didn’t see at least my username auto-filled, warning bells would be going off because the browser doesn’t think it should populate form fields with the values I’ve used previously on google.com. Of course, passwords can still get phished, doesn’t address second factor, etc etc, but it’s definitely worth educating users about this – if your browser doesn’t treat the site like “real Google”, notice the signs!
Even better than enabling 2FA, which you absolutely totally should do, where possible enable authentication using an app.
Microsoft sites let you log in using the Microsoft Authenticator app, which I’m not going to say is impossible to subvert, but, for now, makes simple phishing attacks all but impossible.
This stunk to me too. It doesn’t pass the “smell test” at all. I don’t give Delevan the benefit of the doubt at all and call total BS. Given the basically career-ending mistake he made, I can’t say I blame him for lying though.
I would also be interested in learning more about their reasoning. Since they are listed “for non-profits and journalists,” these strike me as the kind of rules that you give non-tech people to make sure they don’t do something wrong.
In that case, there are some Android phones that are secured, with OS encryption on out of the box (Pixel line for sure, likely other high-end phone makes), but plenty of the budget phones are not sacrificing the horsepower to encrypt. I would see advice of “iPhone or nothing” as a security shield against cheap managers. If you crack open the door to Android, you’re much more likely to get something massively insecure if you cheap out, but not so with an iPhone. And I say this as an Android or bust kind of guy.
The guide was last updated in May of 2017, so Firefox Quantum wasn’t out yet, which might receive a different mark from them than previous versions.
Ah, okay, if iPhones are encrypted by default then that makes a lot of sense, I did not know that. It is much easier advice to give rather than “Here is the list of specific Android models that you can buy”.
I see your point, since the app would only talk to the real website, and not the fake phishing one, this could be a practical alternative. Interesting.
Right but this is the same argument for using an iPhone (or any device) that you did not open from a visibly sealed box as shipped from the manufacturer. One of the creepy things about the Snowden docs was Cisco routers shipping from the factory pre-compromised.
So TL;DR as long as you buy them from a reputable source and they are in sealed boxes, you have to assume they are not compromised. Or else you no longer live in a sane world.
I have seen several reports of that, and it smells like CDN issues to me. The blog is behind Cloudflare which is automagically doing DNS based CDN routing to the images.
There are too many third-party fingers in the Android pie for it to be secure. And Apple SoCs have been way ahead on hardware security (as well as general performance) for many years now. Your best security value at the time of writing is a certified refurbished iPhone 7 direct from Apple.
You’re right, if you have no login security they’d just pick up your phone and physically look at it. Most people have some form of login security, though, which is why you’d try to bypass that by poking through the storage system directly. That’s what default filesystem encryption solves for you.
The thing is, password managers already solve this problem for your first factor.
Yes, I was going to say the same thing. Besides taking care of storing and generating unique, strong passwords they also have this nice side effect that they are so much better than humans, even trained ones, at separating the correct domain from phishing attempts. This is rarely mentioned as much as it should be, IMO.
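The property the two comments above rely on (the first one about U2F and password managers, and this reply) is that the stored secret is bound to the origin where it was first saved, so a lookalike domain never gets it. The following is an added illustration written for this thread, not code from any password manager or browser: a toy vault with constructed sample entries that only autofills on an exact https origin, normalises Unicode hostnames through IDNA so a homoglyph domain cannot masquerade as a saved one, and raises a "warning bells" signal when a brand name appears in a host that nothing in the vault matches. The vault contents, the `autofill` and `phishing_signal` names, and the strict origin policy are all assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample vault: credentials keyed by the exact origin
# (scheme + host + port) on which they were originally saved.
VAULT = {
    "https://www.google.com": ("alice@example.com", "correct-horse-battery-staple"),
    "https://facebook.com": ("alice", "a-different-unique-password"),
}


def origin_of(url):
    """Return the canonical https origin of a URL, or None if we refuse to fill there.

    Plain http, unparseable hosts and IDNA failures all yield None: a password
    manager that cannot establish the origin should fill nothing.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":  # never hand a secret to a non-TLS page
        return None
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return None
    try:
        # Punycode-encode so "www.gооgle.com" (Cyrillic о) becomes xn--... and
        # can never collide with the ASCII "www.google.com" key in the vault.
        host = host.encode("idna").decode("ascii")
        port = parts.port or 443
    except (UnicodeError, ValueError):
        return None
    return f"https://{host}" if port == 443 else f"https://{host}:{port}"


def autofill(url):
    """Credentials to fill for this URL, or None when no saved origin matches."""
    origin = origin_of(url)
    if origin is None:
        return None
    return VAULT.get(origin)


def _brand_label(origin):
    # Second-level label of a vault origin, e.g. "google" for https://www.google.com
    host = origin[len("https://"):].split(":")[0]
    return host.split(".")[-2]


def phishing_signal(url):
    """True when nothing autofills, yet the host echoes a brand we hold a login for.

    This is the 'I expected my username to appear and it did not' moment from the
    thread, turned into a check: a site that looks like a saved brand but is not
    treated as that origin by the vault deserves a second look.
    """
    if autofill(url) is not None:
        return False
    origin = origin_of(url)
    if origin is None:
        return False
    host = origin[len("https://"):]
    return any(_brand_label(saved) in host for saved in VAULT)


if __name__ == "__main__":
    for candidate in (
        "https://www.google.com/signin?continue=1",
        "https://accounts.google.com.evil.example/signin",  # constructed lookalike
        "https://facabook.com/login",                        # the thread's typo domain
        "http://www.google.com/",                            # downgrade to plain http
    ):
        print(candidate, "->", autofill(candidate), "| warn:", phishing_signal(candidate))
```

The matching here is deliberately stricter than most real managers, which usually fill on any subdomain of the registrable domain (so `accounts.google.com` would share the `google.com` entry); the point of the example is that whichever policy is chosen, it is a rule the software applies mechanically, which is exactly what a tired human skimming a URL bar does not do.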