A lot of current “best industry practices” - including the ones described - are grossly negligent. It also moves the burden of proof of responsibility for a security incident more in my direction - while providing me less and less means to prevent it.
With the iframe example - I nowadays typically can’t see if I enter my credentials (including potential 2FA to unlock a session) into a form belonging to my bank, or some malicious 3rd party without going into developer settings. That’s not acceptable.
There’s no good reason for a modern browser even allow this - just as there’s no good reason for allowing to load script files from arbitrary domains. But we now have the situation where the business model of the main browser developer depends on not stopping that kind of behaviour.
So what I want is that putting design over sensible security choices gets expensive for companies - and I’m not interested in adding some band-aid reducing their risk while this is not the case.
The only online accounts I care about are my bank accounts - for those I’m using hardware dongles for TAN generation instead of the shitty Android app their pushing (which would allow transactions without external auth, due to some “trusted device” nonsense). Everything else can either be replaced, or is on my own infrastructure.
Everything else can either be replaced, or is on my own infrastructure.
I’m curious, do you have accounts on other social media? Also, do you have any accounts on sites like shopping, government sites, etc.? And if you do, do you intentionally not use MFA (if it’s available) because you believe it should be those services making sure you are secure instead of you taking steps to make it harder to compromise your accounts?
Have you looked at it from this angle?: MFA is one of the steps that service providers are doing to be responsible with securing your account.
Security is a never ending game of cat and mouse, and the malicious actors are always a step ahead. There’s no such thing as being 100% secure, so both sides have to take steps to secure a transaction. If you believe security is 100% the burden of the provider, then we shouldn’t be using passwords and password managers in the first place, because the burden of having to maintain, secure, and memorize passwords shouldn’t be on the consumer. That’s great in theory, but not possible in practice, at least in the present.
It’s kinda weird that you like to have your own agency on things (i.e. own infrastructure) yet the minute you need to use a third party service, you let go and put everything on the service, KNOWING they are not doing a good job with it.
And if you do, do you intentionally not use MFA (if it’s available) because you believe it should be those services making sure you are secure instead of you taking steps to make it harder to compromise your accounts?
Yep. We can discuss me using a second factor once they start designing their services better.
Payment on such sites is set to require approval via my bank (hardware token), I don’t care about the purchase history - so if somebody manages to breach the account and order something it’s entirely their problem, not mine. I’m aware they might close my account when confronted with that attitude, but I’m also fine with that.
so both sides have to take steps to secure a transaction
My passwords are stored locally encrypted, with the encryption key stored in a hardware token. The browser doesn’t have access to that. That’s already more than a lot of sites are doing for their security…
yet the minute you need to use a third party service, you let go and put everything on the service, KNOWING they are not doing a good job with it.
That’s exactly why I treat any 3rd party service as throwaway.
A lot of current “best industry practices” - including the ones described - are grossly negligent. It also moves the burden of proof of responsibility for a security incident more in my direction - while providing me less and less means to prevent it.
With the iframe example - I nowadays typically can’t see if I enter my credentials (including potential 2FA to unlock a session) into a form belonging to my bank, or some malicious 3rd party without going into developer settings. That’s not acceptable.
There’s no good reason for a modern browser even allow this - just as there’s no good reason for allowing to load script files from arbitrary domains. But we now have the situation where the business model of the main browser developer depends on not stopping that kind of behaviour.
So what I want is that putting design over sensible security choices gets expensive for companies - and I’m not interested in adding some band-aid reducing their risk while this is not the case.
The only online accounts I care about are my bank accounts - for those I’m using hardware dongles for TAN generation instead of the shitty Android app their pushing (which would allow transactions without external auth, due to some “trusted device” nonsense). Everything else can either be replaced, or is on my own infrastructure.
I’m curious, do you have accounts on other social media? Also, do you have any accounts on sites like shopping, government sites, etc.? And if you do, do you intentionally not use MFA (if it’s available) because you believe it should be those services making sure you are secure instead of you taking steps to make it harder to compromise your accounts?
Have you looked at it from this angle?: MFA is one of the steps that service providers are doing to be responsible with securing your account.
Security is a never ending game of cat and mouse, and the malicious actors are always a step ahead. There’s no such thing as being 100% secure, so both sides have to take steps to secure a transaction. If you believe security is 100% the burden of the provider, then we shouldn’t be using passwords and password managers in the first place, because the burden of having to maintain, secure, and memorize passwords shouldn’t be on the consumer. That’s great in theory, but not possible in practice, at least in the present.
It’s kinda weird that you like to have your own agency on things (i.e. own infrastructure) yet the minute you need to use a third party service, you let go and put everything on the service, KNOWING they are not doing a good job with it.
Yep. We can discuss me using a second factor once they start designing their services better.
Payment on such sites is set to require approval via my bank (hardware token), I don’t care about the purchase history - so if somebody manages to breach the account and order something it’s entirely their problem, not mine. I’m aware they might close my account when confronted with that attitude, but I’m also fine with that.
My passwords are stored locally encrypted, with the encryption key stored in a hardware token. The browser doesn’t have access to that. That’s already more than a lot of sites are doing for their security…
That’s exactly why I treat any 3rd party service as throwaway.