… How about going for a EC key?? Staying with RSA is stupid at this point.
Huh?
… How about going for a EC key?? Staying with RSA is stupid at this point.
Bitwarden has a passkey service + a paid totp service, so I can always use either to log into whatever within two clicks. Yeah it’s less secure than a physical keychain but… Whatever, it’s better than passwords and as easy to use.
In any case, if you atore the backup codes in a place where you can lose them, that’s on you. Upload them into somewhere you control that has good privacy laws.
That’s for poisonous vs venomous, but poison is a generic term, the substance won’t care how it got into your bloodstream.
AFAIK their adhere more to 5E pallies, being more combat focused with options for sporadic casting, but no deity simping required.
That’s not correct. There’s user to server encryption, just not e2e. It’s less secure, sure, but given that they want to arrest the CEO over his compromise on keeping that actually private, it seems trustworthy enough, and has been over the years.
I feel like rogues will get more excited to avoid a nat 1 than eating it, given that they have a trait specifically to avoid it.
It’s not about being super stealthy, it’s about having a trait that effectively doesn’t let you roll less than a 10 in any trained/expertised skill iirc. They are not just good, they are reliably good.
it’s a reference to elden ring. That’s Tanith and Rickard/the serpent.
oh, yeah I’ve read and heard of plenty people saying that they definitely notice it. I’m lucky enough not to because most ARPGs don’t run 60FPS on intense combat, let alone 120 fps on a rtx3080 lmao.
I was talking more about the jump from 240 and beyond, which I find surprising for people to notice the upgrade on intense gaming encounters, not while calmly checking or testing. I guess that there’s people who do notice, but again, running games on such high tick rate is very expensive for the gpu and a waste most of the time.
I’m just kinda butthurt that people feel like screens below 120 are bad, when most games I play hardly run 60 fps smooth, because the market will follow and in some years we will hardly have what I consider normal monitors, and the cards will just eat way more electricity for very small gains.
Sure, but wasting double or triple the resources for that is not fine. There’s very limited places where that even is a gain on games, because outside those super competitive limited games it’s not like it matters.
In thought that 60Hz was enough for most games, and that for shooters and other real time games 120 or 144 was better. However, it reaches a point where the human eye can’t notice even if it tried.
Honestly, going up in framerate t9o much is just a waste of GPU potency and electricity.
on a similar topic, I recently upgraded my screen from two 24’’ 1080x60 to 24’’ 1080x144 & 27’’ 1080x120. I barely tell the difference but my card sure does, I quickly limited the refresh rate of both to 60 because I it’s pointless and I’ve read too many people saying that once you go 120+ it feels bad watching 60, and I really don’t want to get used to something that just makes me spend more electricity for nothing.
If you enjoy stuff fine in FullHD, don’t bother increasing the resolution. As others have explained, there are other things to upgrade before going for resolution that will have a bigger impact on the image. That said, purchasing a good screen that happens to have 2K or anything higher than 1080 is no big deal, just set your resolution to whatever you want from software and be done with it.
I wasn’t talking about situations with compromised accounts, I was talking about legitimate accounts that were created in a typical way being converted to a zero knowledge encryption method, I was aknowledging that it’s hard doing that conversion when a user might have several clients logged on (2 phones, 6 computers…).
My point was that if they have not put any motivation in the transition, they never will because the bigger the userbase, the harder for them to manage the transition. Also, I find that sad because they should have invested more effort in that instead of all the features we are getting, but whatever.
If you found the technical terms confusing, public/private keys are some sort of asymmetric “passwords” used in cryptography that secure messages, and shared keys would be symmetrical passwords. The theory between key exchanges and all around those protocols are taught in introductory courses to cryptography in bachelors and masters, and I’m sorry to say that I don’t have the energy to explain more but feel free to read about the terms if you feel like it.
If you however found it confusing because I write like crap, I’m sorry for potentially offending you with the above paragraph and I’ll blame my phone keyboard about it :)
Tegram stores all the conversation in their servers, since you don’t need to be connected in the phone or have the phone witchednon if you want to chat in the pc, or in another phone. This means that the authority is the server. WhatsApp it’s not like that, if you delete a shared photo after a while it will be cached out and you will lost access to it, meaning that they don’t store that stuff. The same thing happens with WhatsApp desktop or web, they stay in an infinite loading icon until you twitch on the phone or sometimes even unlock it.
This means that whatever telegram develops must not only keep the group chat encrypted in the server, but any valid client of a user must be able to decipher the content, so every client must somehow have the key to unlock the content. One way of doing it would be for every client of a single user to generate keys (which I’m sure they already do) and reform a key exchange between them, to share that way a single shared key, which is what identifies your account. Then toy could use that shared key to decipher the group chat shared key which telegram can store on their server or do whatever is done in those cases, I’m not that well versed.
The problem here lies in what happens when you delete and/or logout of all the accounts, currently you can login into the server again, because telegram has all the info required, but if they store the “shared key” then it’s all moot, I guess they could store a user identifying key pair, with the private key encrypted with a password, so that it can be accessed from wherever. They should as always offer MFA and passkey alternatives to be able to identify as yourself every time you want to log into a new client, without requiring the password and so on.
This is some roughly designed idea I just had that should theoretically work, but I’m sure that there’s more elegant ways to go about this.
It’s work for sure to implement all of this in a secure way, provided that you have to somehow merge everything that already exists into the new encryption model, make everyone create a password and yada yada while making sure that it’s as seamless as possible for users. However, I feel like it’s been quite a while and that if they did not do it already, theybjist won’t, we either trust them with our data or search for an alternative, and sadly there’s no alternative that has all the fuzz right now.
And it infuriates me to no end. It’s one thing to trust them and their servers and it’s another thing altogether to send actual plaintext data around the net, that’s crazy and it’s what people are implying.
For the record, until WhatsApp implemented e2e their messages were indeed fucking plaintext, and it took a while before they were pressured into e2e. It helps for them that their platform is very mobile based vs telegram, where the service is more server based. Telegram did have enough time to implement a server based e2e 0 knowledge encryption protocol though, it’s not really rocket science at this point.
It’s encrypted though?
You are trusting their server security and them as a company, sure, but it is encrypted against the server for sure.
It’s not as good as ir could be but that’s no reason to spread misinformation.
You can have synced authentication right now on their password manager, so unless they remove features I don’t think they will remove the waybto export codes from bw.
But… PAKE is used as a method for ongoing exchange of messages, you wouldnt avoid using a password when authenticating, which is the whole point of this debacle.
In really don’t see it that complex, in my last job IT installed a passkey in my laptop, which then Microsoft used to login and thorough its SSO, I just stopped using passwords altogether after logging into my PC itself. This is way more secure for the average Joe than having 5 postists with passwords pasted in the sides of the monitors. Yes this is way more common then you think, there’s a reason passwords need to be rotated all the freaking time.
Once rolled out, workers didn’t have to do anything to authenticate, as long as they were using the work laptop the company assumed that the used was the one using it, since the laptop was registered to the user, and it was way more comfortable.
It’s not really that hard to explain to people. Sending passwords is insecure because if an attacker gets the password, you lost. With passkeys, once you set it up, google/microsoft/pepapig.com will send a request to authenticate to your phone, where you will just say “yes” and they will talk with each other to give you access. If an attacker gets hold of that message, it doesn’t get anything of value because each time pepwpig.com and your phone talk with each other, they say different stuff and the attacker would just have yesterday’s responses, so they lose.
Old people won’t adopt it unless forced, just like they adopted special passwords by adding 1 and * to whatever stupid word they use and writing it next to their work monitor, in the office. They just won’t. Either IT automates everything for them or anything we develop will get completely bypassed.
It’s like the initial authentication, where server and clientnexchange a symmetrical key with their asymmetrical keys. The difference is that in that exchange the server and the client meet for the first time whereas the point of pass keys is that once when you were already authenticated, you validated the device or whatever will hold the private key as a valid source, so then when the authentication code gets exchanged, both ends can verify that the other end is who they tell is, and both can verify the other end as valid, and thus that exchange authenticates you because you, in the past, while authenticated, trusted that device as valid.
Technically, yeah, it’s an asymmetrical key exchange. Iirc the server sends you a signed certificate and you need to unencrypt itnwithbtheir public key and sign it with your private key, so they can the getnit back and ensure that it was you who signed it, using your public key to check the validity of whatever was sent.
I don’t know enough to be 100% corrextbon the details, but the idea is that it’s an interaction between asymmetrical keys.
Soporta like how we use keysbto authenticate through github through SSL, but with an extra level of security where the server validates a key in a single endpoint, not wherever that private key would be held (like with SSL)
I’m going to get technical. A registered passkey is basically your phone or whatever holding a private key and the server holding the public one. When you want to log in, you enter the username on the service, which contacts wherever you registered it, and asks for a verification. Then, the device creates a nonce, which is a random number to be used once (NumberONCE), and a copy of that number encrypted with the private key. Then, the service can unencrypt the piece and check that the value is the same as the unencrypted value. This process is called a digital signature, it’s a way for online processes to verify the sender of whatever.
This way, the server knows that whoever is trying to authenticate is doing it from the authorised device. The difference between sending a signed nonce and a password, is that is someone steals the signed nonce they get nothing, since usually that number gets registered somewhere so it’s not valid again or something, it’s not exactly as explained but the point is that whatever is sent can’t be sent again. Something like a timestamp in milliseconds where it will be obvious that the signature would have expired. If an attacker captures the authentication attempt, with passwords they get the actual password and can the use it again whenever, while with nonces, they can’t.
Iirc, the server sends the device a code and the device must send the signed code back, so the service knows that the one trying to authenticate is the device. No need for passwords.
Now, if you need to authenticate to gain access to that private key, that’s of course an attack vector, so if you want any kind of syncronisation of passkeys, you need to make sure that you don’t need to send a password to get the pkeys. I use bitwarden, and unless I misunderstood, you don’t authenticate against the bitwarden server, when you access your vault they actually give you you the encrypted data, which you then unencrypt with the password locally on the browser. I’ll have to double checknon this because I have a 2fa on that for extra measure butidk how it actually works. My plan for the future is to actually use a yubikey to authenticate against bitwarden, following the same logic explained above, to then gain access to a bigger pool of passkeys. This way, ultimately all access is protected with my physical key which I can connect to most devices I use, and I can, with NFC use the key to authenticate the android bitwarden app, so it should be completely usable.
In any case, passkeys are better than passwords, provided toy don’t store them in a less secure place. As we all know, the security level of a system is the security level of its weakest cog.
…I admit I didn’t do the math with the amount of bits they stated xD. Still, it’s like 10 times the amount of bits, you can get a stronger EC key with 5 times less bits compared to RSA.