TechLetters #99 - standard password-change links; disinformation does not function as some may think; new privacy-preserving functions to be built into internet infrastructure
100th issue of TechLetters approaching. Should I end after that? Let me know if you have some thoughts: me@lukaszolejnik.com
Security
Standard password-change links. A good idea in this specification. Users often struggle to find where and how to change a password. Simply put, every web system should offer its password-change function at a standard URL/link of the form “<example.com>/.well-known/change-password”. Just do it!
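As an added illustration (not code from the newsletter or from the specification itself), a minimal WSGI handler that serves the well-known URL as a redirect to a hypothetical password page, plus a check a security team can run on any site's response to confirm a password manager could actually use it; the page path and origin are assumptions:

```python
"""Serve /.well-known/change-password and check a response for it."""
from urllib.parse import urljoin

WELL_KNOWN = "/.well-known/change-password"
# Hypothetical location of this site's real password-change page.
CHANGE_PASSWORD_PAGE = "/account/security/password"


def app(environ, start_response):
    """WSGI app: redirect the well-known URL, 404 everything else."""
    path = environ.get("PATH_INFO", "")
    if path == WELL_KNOWN:
        # A redirect keeps the well-known URL stable even if the real
        # page moves; no-store keeps proxies from caching it.
        start_response("302 Found", [("Location", CHANGE_PASSWORD_PAGE),
                                     ("Cache-Control", "no-store")])
        return [b""]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]


def handle(path):
    """Drive the WSGI app for one GET; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def well_known_target(status, headers, origin="https://example.com"):
    """Return the absolute password-page URL a client would follow, or None.

    This checker accepts only the redirect form: a 3xx status with a
    Location header. A 200 for the well-known path is treated as unusable,
    because catch-all servers answer 200 to any path, so a password manager
    could not tell a real change-password page from a generic one.
    """
    code = int(status.split()[0])
    if not 300 <= code < 400:
        return None
    location = headers.get("Location")
    if not location:
        return None
    return urljoin(origin, location)
```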
Exposure to false information does not automatically impact decisions. That is actually obvious. “Does exposure to or belief in misinformation about COVID-19 vaccines affect people’s intentions to receive such a vaccine?” Nope. “Exposure to false information had little effect”.
Google security researchers in 2012 used a USB plasma lamp to compromise systems: the device presented itself as a 'keyboard' and injected extraneous input. Long story short: it injected content in ways the user did not notice.
Privacy
Cloudflare is proposing privacy features for the network infrastructure. Several of them.
The final end of paper tickets on the Paris metro. Now only techno-centric contactless cards or electronic payments are left. The end of an era. A sad day for French, European, perhaps even world culture. So, why is this in “Privacy”? There’s a lot of research on tracking mobility patterns when technological means are used. Whatever we may think, there’s no conceivable way of tracking paper ticket use to extract a person’s mobility patterns.
A dangerous privacy vulnerability in the Linux kernel’s TCP/IP implementation. It allowed user fingerprinting, and the attack could be deployed from a malicious website! It tracked devices across browsers, browser privacy modes, containers and networks. Very serious. Privacy is hard. A smart technique. Fortunately this did not work against Android, because the vulnerability exists only in kernels newer than the ones Android ships. The Linux kernel was fixed soon enough.
The US proposes legal changes to uphold data transfers from Europe, by executive order. This includes a two-step redress mechanism.
Oblivious HTTP. A specification. It’s about masking the IP address of the user visiting a website, which would make it impossible to link the activity with the user’s identity. Of course, this one has a very specialised use, because if the user must be logged in or something like that, other identifying information must be present. Still, such specifications build privacy into the core network protocols, something not done in the 1980s.