security-research
clients
Our great sponsors
security-research | clients | |
---|---|---|
40 | 183 | |
2,851 | 8,299 | |
2.1% | 4.0% | |
9.2 | 10.0 | |
7 days ago | 4 days ago | |
C | TypeScript | |
Apache License 2.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
security-research
-
Weird things engineers believe about Web development
> Alright, let's take a step back. First, I am not a mobile developer.
I think you're whichever kind of developer your current position requires. You've been talking about Android non-stop throughout this conversation, and conversations you've had with others on this website [1]. When you were lambasting me about my perceived knowledge of mobile development you were touting your Android knowledge. Now that I've proven Android is actually one of the primary tools Google uses to promote Chrome (and you admitted you don't know much about iOS) you want to distance yourself from mobile development altogether.
> Other examples include whatever iOS does (which I don't know), containers (docker and the likes), VMs, and everything in-between (like what snap or flatpak use).
We're not discussing theoretical means with which you could sandbox an application, we're talking about how apps are actually used in reality. If you need to fire up a virtual machine every time you use your favorite desktop apps, then you're only proving my point that they're not inherently very secure. Not to mention, the average user probably has no idea what Docker or a virtual machine even is. Like I said in my original response, lots of things are possible in theory, but in practice web browsers are much better at sandboxing apps than desktop operating systems (and even better than mobile operating systems).
> If anything, modern browsers are so complex (and getting worse with time) that the attack surface is big
Ironically, a lot of that complexity arises from the web's insistence on security. V8 is complex because it has so many safeguards in place to sandbox JavaScript, and that sandboxing is taken very seriously. There's a reward anywhere from 10,000 to 150,000 USD if you can escape the sandbox [2][3]. Browsers are inherently more secure than desktop apps because they limit access to the underlying platform. Someone developing malware as a web app has to first escape the browser sandbox, just to gain the privileges that a desktop app has natively. If it helps, you can think of every desktop app as a webapp which has already escaped the browser.
> Moreover, Web UIs bring their own class of issues that don't really apply to native apps.
No, web developers have just spent so much time thinking about security, that native app developers haven't even realized these security issues are relevant yet. It took years for Apple and Google to come to the brilliant conclusion that they should notify users when an app is reading from the clipboard, something which at the time was considered just a Browser "class of issue". Maybe in 2034 they'll figure this out for desktop apps.
> But CORS is really a browser thing, I don't think it really makes sense to compare it to anything outside the "webview world".
It makes sense to compare it to things outside of the browser because it protects users and servers. You seem to want to disqualify any point I make that you can't disprove. If you don't think web technology is comparable to anything outside the browser, then what are we even arguing about? This whole discussion has been about comparing the security of web apps to non-web apps.
> If security is your concern (and you seem to insist that it is), then webapps are really not better than the alternatives. Actually, the Apple Store and the Play Store (to give an example in the mobile world) allow Apple and Google to somehow monitor the apps that users install, which is most certainly more secure than a model where anyone can load any webapp from any website.
Apple and Google have to monitor which apps make it to their app stores, BECAUSE apps are so much more prone to security problems. You once again have it completely backwards. No one has to gatekeep websites because browsers are so much better at sandboxing applications. And allow me to remind you that admitted you have no idea how iOS sandboxing works, so you can't really be confident about this stance even if it did make sense.
And now you're arguing in favor of the app store duopoly which contradicts your point about software diversity. You can't have it both ways. You're trying to hold on to two contradictory points at the same time: you don't like the supposed lack of Browser diversity (which is why you seem to detest Chromium), but you like the supposed security guarantees of the mobile app store duopoly, which is even less diverse.
[1] https://news.ycombinator.com/item?id=38919389
[2] https://github.com/google/security-research/blob/master/v8ct...
[3] https://bughunters.google.com/about/rules/5745167867576320/c...
-
One shot, Triple kill: Pwning all three Google kernelCTF instances with a single 1-day Linux vulnerability
This research is also available in text form.
-
Would we still create Nebula today?
But both Nebula and tinc max out at around 1 Gbit/s on my Hetzner servers, thus not using most of my 10 Gbit/s connectivity. This is because they cap out at 100% of 1 CPU. The Nebula issue about that was closed due to "inactivity" [2].
I also observed that when Nebula operates at 100% CPU usage, you get lots of package loss. This causes software that expects reasonable timings on ~0.2ms links to fail (e.g. consensus software like Consul, or Ceph). This in turn led to flakiness / intermittent outages.
I had to resolve to move the big data pushing softwares like Ceph outside of the VPN to get 10 Gbit/s speed for those, and to avoid downtimes due to the packet loss.
Such software like Ceph has its own encryption, but I don't trust it, and that mistrust was recently proven right again [3].
So I'm currently looking to move the Ceph into WireGuard.
Summary: For small-data use, tinc and Nebula are fine, but if you start to push real data, they break.
[1]: https://github.com/gsliepen/tinc/issues/218
[2]: https://github.com/slackhq/nebula/issues/637
[3]: https://github.com/google/security-research/security/advisor...
-
How Cloudflare is staying ahead of the AMD vulnerability known as “Zenbleed”
You can run the PoC if you want: https://github.com/google/security-research/tree/master/pocs...
- Finding Gadgets for CPU Side-Channels with Static Analysis Tools
-
Ask HN: Real-life, ridiculous security incidents?
* Visual Studio Code had a Remote Code Execution vulnerability triggered by a simple link https://github.com/google/security-research/security/advisor...
- RET2ASLR - return instructions from other processes can leak pointers through the Branch Target Buffer (BTB) in a reversed spectre-BTI like scenario
- Linux Kernel Spectre v2 SMT mitigations
- Share some of your favourite Free Downloads!
clients
-
Insult Passphrase Generator
I didn't go chasing through all the typescript but I'd presume adding a new PassphraseGenerationStrategy https://github.com/bitwarden/clients/blob/desktop-v2024.3.0/...
-
Bitwarden Broken in Linux
Breaking: Open Source software have BUGS!
https://github.com/bitwarden/clients/issues/6560#issuecommen...
-
Any update on importing Proton Pass .json/.zip into Bitwarden?
Bug fix for this has been merged last week. It is not in 2023.10 though, so you will have to wait for the next release of the web vault.
-
Bitwarden Adds Support for Passkeys
It's definitely out (https://github.com/bitwarden/clients/releases/tag/browser-v2... just looks like browsers haven't approved it yet.
-
Genetics firm 23andMe says user data stolen in credential stuffing attack
I'm not sure about any specifics beyond that both are getting support for them (for the keepass ecosystem I'm sure about other mobile clients, but I don't think the feature request to support passkeys has been acknowledged by the keepass2android dev sadly). Here's the keepassxc PR with some details about the implementation, and what should be done in future work on passkey support: https://github.com/keepassxreboot/keepassxc/pull/8825
Bitwarden has a few blogs if you search for bitwarden passkeys, but from skimming one it didn't seem to go into technical details (though I didn't watch the videos). I guess you could look through the PRs: https://github.com/bitwarden/clients/pulls?q=is%3Apr+passkey... but I don't really feel like doing that.
- Bitwarden: Free, open-source password manager
-
Is it really legit?
Bitwarden has regular external audits (here is the 2022 audit) and the code (both server side and client side) is open source (here f.e).
-
Bitwarden Secrets Manager now generally available
/bitwarden_license directory
Now the secret manager is in the `bitwarden_license` directory so it is not a GPL covered product and not open source but covered by BITWARDEN LICENSE AGREEMENT [3]. It does not allow you to use it as OSS.
[1] https://github.com/bitwarden/clients/tree/master/bitwarden_l...
- Bitwarden autofill login is awful.
-
My Extension is not acting right, can't get into my Vault
There are apparently known problems (GitHub Issues #5807) in both Edge and FireFox with this newly released browser extension update (2023.7.0), which should hopefully be fixed soon. In the meantime, on Edge, you can revert to version 2023.5.1 for Chromium, which is still available from the Google Chrome store:
What are some alternatives?
gcp-dhcp-takeover-code-exec - Google Compute Engine (GCE) VM takeover via DHCP flood - gain root access by getting SSH keys added by google_guest_agent
vaultwarden - Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
tailscale - The easiest, most secure way to use WireGuard and 2FA.
gnome-clipboard-history - Gnome Clipboard History is a clipboard manager Gnome extension that saves what you've copied into an easily accessible, searchable history panel.
security-research-1 - This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.
bw_web_builds - Web vault builds for vaultwarden
wuffs - Wrangling Untrusted File Formats Safely
link-preview-js - Parse and/or extract web links meta information: title, description, images, videos, etc. [via OpenGraph], runs on mobiles and node.
wesher - wireguard overlay mesh network manager
Ditto - Ditto is an extension to the Windows Clipboard. You copy something to the Clipboard and Ditto takes what you copied and stores it in a database to retrieve at a later time.
mira-project - mira rewrite in cxx
bitwarden - Bitwarden client applications (web, browser extension, desktop, and cli) [Moved to: https://github.com/bitwarden/clients]