Chipp.in Tech News and Reviews

Windows, Security & Privacy, Open Source and more


Category: Security & Privacy

There is more to security than Strong Passwords and 2FA

Posted on November 22, 2023 by Martin Brinkmann

You may have heard it a thousand times already, but here it comes again: protecting accounts with strong and unique passwords, and using a second form of authentication is essential to security.

While the main focus seems to be on this recommendation, many guides fail to mention other essentials. One example: while strong passwords and 2FA keep attackers out, they won’t help you if you get locked out of an account.

What happens to your data if you get banned? What if your desktop computer, laptop or mobile device gets stolen?

There is more to security than strong passwords. This guide looks at these, often neglected, security options.

Encryption is key

Encryption protects data against unauthorized access. Encrypt data on all of your devices to make sure that it is protected. Encryption helps when devices are turned off. While it is still possible to create a dump of the storage device or try to brute force the encryption, this is a futile attempt if the password is strong.

Encryption is enabled automatically on Android and iOS devices when you pick a PIN. It is important to select a strong PIN, not the four-digit number that is convenient to type. Yes, that makes unlocking the device painful, but it is essential when it comes to protecting data on it.

On Windows, data gets encrypted, but only for Microsoft account users. While you may use BitLocker on Pro, Education and Enterprise devices to protect the entire system, I recommend using different encryption software. VeraCrypt is open source and can encrypt the system drive and any other storage device.

Recovery Codes

Recovery codes help you get back into accounts or devices if you forget your password or lose access to something else that you need to sign in. This can be a Titan security key, a hardware key used for 2-step verification, or access to an email account.

The main idea behind recovery keys is to use them in emergency situations: you lose access to the dedicated two-factor authentication method and can’t sign in to your account anymore. Setting up multiple methods helps against this, but you may also use recovery codes instead.

Recovery keys may be used to regain access to the account. Many online services that support two-factor authentication support recovery keys.

These are highlighted most of the time when you set up two-factor authentication for the account. It is a good idea to keep these codes secure, for instance as notes in your password manager.

Backups are essential

Backups are a burden as long as you don’t require them. They help you recover data that may not be accessible anymore, for example if a device breaks or gets stolen, or when you forget your password or delete something accidentally.

Creating local backups regularly is an essential security precaution. Whether you keep all backups in one place or spread them is up to you. It depends on the device as well.

If data is important, you may want to store backups separate from the actual device.

Computer users may want to use external storage devices to create backups. These come in different shapes and form factors.

I recommend the free Paragon Backup & Recovery software for the task on Windows, but there are lots of other options available.

Android and iOS devices support backups to Google’s or Apple’s cloud infrastructure. You may also connect your device to your PC or Mac, and transfer important data, which often means images and videos, to the device.

Content Blockers

Content blockers prevent certain types of attacks. Extensions such as uBlock Origin don’t just block advertisement, they may also block known malware sites, improve your privacy online and much more.

Advertisement is used regularly for attacks. This can be as simple as placing an ad for a program download to lure users to a site where malware is offered.

Using content blockers protects you while you are browsing the Internet. You may want to disable the blocker for sites that you value though, as they rely on the revenue and may shut down otherwise.

Antivirus and Firewall

On PC, you need to make sure that you have a proper antivirus solution and firewall installed. Most Windows users may find Windows Defender adequate.

Advanced users may install third-party antivirus solutions, such as BitDefender Free, to protect their PCs.

No antivirus solution is perfect. Thousands of new threats emerge daily and while most users will never notice most of them, there is always the chance that one slips through defences.

Common sense is important as well. The best antivirus solution can’t protect you if you allow malware to run on your devices.

Firewalls, when properly configured, control incoming and outgoing traffic. They may block certain threats outright, by refusing connections.

Windows comes with its own firewall, which is fine for most use cases. Most advanced antivirus solutions come with firewalls.

How to set up a Titan Security Key to protect your Google account (and others)

Posted on November 21, 2023 by Martin Brinkmann

Google launched an updated Titan Security Key last week. The new hardware key supports FIDO2, which means that it is compatible with a wide range of services. While you may use it exclusively for Google accounts, you can store up to 250 entries using it.

Titan Security Key works similarly to other hardware keys, including latest generation YubiKey products. Google promises state of the art encryption and protections. For users, it is an option to protect their accounts with two-factor authentication. You’d use the hardware key instead of an authenticator app or other means to provide the second form of authentication.

I bought a Titan Security Key of the latest generation last week to check it out. This guide includes step-by-step instructions to set up the hardware key to protect your Google account and others. It also includes important information, for instance how to avoid locking yourself out.

Did you know that Google plans to delete inactive Google accounts?

Setting up the Google Titan Security Key

Google Titan Security Key Setup

The box includes the selected hardware key. There are two versions that have different USB ports, USB-A or USB-C, but are functionally identical otherwise. It also includes a small getting started booklet, which simply tells you to go to this Google website to get started. There is also a bigger Safety & Warranty booklet that no one reads. The USB-A version includes a USB-C to USB-A adapter; the USB-C version of the hardware key includes none.

Protecting the Google account with the key is a simple process that requires the following steps:

  1. Open this Google Security page in a modern browser, e.g., Firefox, Microsoft Edge, Google Chrome, Safari, Vivaldi, Opera or Brave.
    • If you prefer to go there manually, open this Google Account Help page instead and click on “Enroll your security key” under Step 2.
  2. A prompt asks you to keep the key disconnected from the device for now. Select the Next button to continue.
  3. A set up request is displayed as a prompt. Select OK to continue the process.
  4. Another prompt explains that Google will see the make and model of the security key if you continue. Select OK to proceed.
  5. Connect the security key to the device when prompted to do so.
  6. Type a name for the key on the “Security Key registered” page and select Done.

This is the entire process.

Word of Caution

The Security Key becomes the default two-factor authentication option. It is advisable to make sure that there is at least one additional option enabled. This can be an authenticator app, voice or text message, another security key, Google prompts or backup codes.

If you lose the Titan Security Key and don’t have another option enabled in the account, you will be locked out of the account.

Signing-in with the Hardware security key

The first sign-in step is exactly the same as before. You need to supply your Google email address and password to continue.

The 2-step verification prompt lists the email address. Make sure it is the right one. There is a menu to switch to another email address; useful if you set up more than one account.

Select Continue to authenticate using the Titan Security Key. You may also select “Try another way”, which you need to do if you don’t have the hardware key with you. The option “Don’t ask again on this device” should only be used on personal devices.

You are now asked to touch your security key. It contains a small area that reacts to touch. This acts as local confirmation to proceed.

You should now be logged-in to the account.

The same option is also available on mobile devices. Just connect the security key to the mobile device and follow the instructions to sign in.

Non-Google accounts

Non-Google accounts can be saved to the key. It supports up to 250 keys, e.g. passkeys, that you may add. Numerous services and companies support passkeys already and more will follow in the coming years.

Generally speaking, all you need to do is open the 2-step verification preferences at the service and follow the instructions to protect the account using a hardware key.

Other useful resources

Here is a list of Google resources that you may find useful:

  • Passkeys Management – this page lists all devices linked to the Google Account. You can edit or remove them, and create new passkeys on the page.
  • Security Keys Management — similarly, this page lists all security keys associated with the Google account.
  • Support page with information about lost security keys.

Google’s key or third-party keys?

There are other keys besides Google’s. I already mentioned Yubico keys as an alternative, but there are many more. To name a few: Onlykey, Feitian, or Thetis. All support FIDO2 and offer similar functionality.

Trust plays a role, but so may other factors, including price or the built-in security. There is no clear answer to that question. If you use a Google account and want to protect it, there is nothing wrong with using a Titan Security Key to do so. Similarly, you may use other hardware keys for the same protections.

Now You: do you use hardware keys?

Is Google turning Chrome into its agent?

Posted on November 17, 2023 by Martin Brinkmann

What would you do if you were in control of the world’s most used search engine and web browser, and also the world’s largest advertising company? Would you keep things strictly separate, even if it would mean leaving billions of dollars on the table?

Google’s control of advertising, to a large degree at least, and the Chrome web browser is a problem. The company has made several attempts in the past to push technologies that favor it through Google Chrome.

The oddly named Privacy Sandbox is just one attempt. Google uses the name to portray an image of improvement for users of the Chrome browser. While not totally wrong, as it is a better system in some regards than the currently used third-party cookie tracking system, it is not the Holy Grail of privacy efforts Google portrays it as.

See, privacy sandbox is still about tracking. What sets it apart from cookie-based tracking are two things: first, that users are associated with interest groups instead of individual interests. Chrome looks at the browsing history and assigns groups to the user. Browse lots of car, sports or knitting sites? Chrome picks these as your interests and advertisers may use the information to display advertisement that falls into the groups.

Second, because it puts Google at the center of control of the feature. Google controls Chromium by and large, and also Chrome. If the system is baked into the browser, Google is in control. It can make adjustments and other changes, and everyone has to play ball to avoid being shut out entirely from the system.

Manifest V3

Privacy Sandbox is not the only attempt that mixes Google’s core interests, advertising, with the development of Internet browsers.

Manifest V3 is a new ruleset for extensions. Google had to postpone the release multiple times as protests sounded loud and clear throughout the Internet.

Apart from some technical issues, missing APIs and the like, Manifest V3 is clearly aimed at making content blockers and other privacy tools less useful. Diving deep into the technicalities would go too far here, so only this much:

Content blockers, such as uBlock Origin, reign freely under Manifest V2 rules. When they are active, they tell the browser what to do with certain requests. The browser then acts accordingly, for instance by blocking advertisement or allowing a video to play.

Under Manifest V3, that power moves to the browser. The browser controls the blocking and extensions may only make “declarations”. The extension would tell the browser to block or allow a certain element, and the browser would act accordingly.

Google’s explanation for this is improved privacy. Extensions are no longer able to access “potentially sensitive user data”, which in turn makes extensions safer to use.

The argument is flawed, as extensions still have access to the data. They may still use the old API, but only with read access. This means that they can still access all the data, which in turn means that nothing is won or lost with regard to privacy.

Google announced this week that it will go forward with Manifest V3. Old extensions, those based on Manifest V2, will be disabled automatically for most Chrome users by mid-2024. Enterprise users may get a 1-year extension through a special policy.

Closing Words

There is a conflict of interest at work. Google depends on the advertising business and will go to great lengths to expand it and keep its dominance in the sector. To be fair, the vast majority of changes that are made to Chromium and Google Chrome have nothing to do with Google’s advertising business.

Still, some of the changes appear to favor the business over the interests of users of the browser.

It remains to be seen if the changes will lead to a mass exodus of Chrome users to other platforms. It is too early to tell, especially since the changes affect a sizeable but still relatively small part of the entire Chrome population.

Now You: do you use Google Chrome?

Beware: Human reviewers may access your Google Bard conversations

Posted on November 8, 2023 by Martin Brinkmann

Tools like Bing Chat, Windows Copilot, ChatGPT, Claude or Google Bard have seen a rise to prominence this year. These advanced chatbots promise to deliver information to users who chat with them. While you can’t ask them anything, as some content is locked down, you can get answers and information about lots of things.

Ask about the Mona Lisa or the Hallgrímskirkja and you get a good overview of these items, usually. You may get instructions on fixing PC issues or your car, and even medical advice is not out of the question.

There is always the chance of hallucination, which more or less refers to it returning content that is not true. Still, many tech companies are pushing AI like crazy. Microsoft, for example, added Bing Chat to Windows and several other company products.

Google Bard and Human Reviewers

Google Bard Human Reviewers

Google confirmed on the Bard Help website that human reviewers may look at conversations. Feedback from Bard users plays an important role in improving Bard, but Google says that this is not enough. Human reviewers are “a necessary step of the model improvement process” according to the company.

The reviews, ratings and rewrites of human reviewers help Google improve the quality of its generative machine-learning models.

Google explains that conversations that human reviewers access are unlinked from Google accounts. Furthermore, random samples are picked for human review and “only a portion of all Bard conversations are reviewed”.

While that sounds reassuring, it is clear that input from human users of Bard may reveal their identity. Google recommends to users that they don’t reveal anything in conversations with Bard that they don’t want human reviewers to potentially have access to.

To Google’s credit, it highlights the fact that human reviewers may access conversations on the Bard website prominently.

What Human Reviewers do

Reviewers look for “low-quality, inaccurate, or harmful” Bard responses according to Google. Once identified, evaluators suggest higher-quality responses. These are then used to “create a better dataset for generative machine-learning models”.

In other words, Google is using human reviewers to improve Bard’s responses to user queries.

How to prevent the sharing with reviewers

Turn off Bard Activity

Google Bard users have just one option to prevent the sharing of their conversations with human reviewers. This requires disabling the Bard Activity. Here is a step-by-step guide on disabling Bard Activity:

  1. Open the Bard Activity website on Google’s My Activity hub.
  2. Activate the toggle to turn off Bard Activity on the page that opens. Note that you may also delete existing conversations while there.

Note that Bard activity won’t be saved to the Google account anymore. In other words, you can’t access conversations from one device on another when the feature is disabled.

The deletion doesn’t affect conversations that have been reviewed by human reviewers already. Google retains that data and related data for up to three years according to the privacy information on the Bard Help website.

Related information may include the language, device type and location info according to Google.

Closing Words

The advice to never include personal information that could be traced back to you is as old as the Internet. While this limits some conversations with AI, it is still sound advice.

Bard users who want to include personal information in their conversations may want to turn off Bard Activity first, as this prevents access for human reviewers.

Now You: do you use AI tools?

Google Play to highlight apps with independent security reviews

Posted on November 6, 2023 by Martin Brinkmann

Starting with apps in the VPN category, Google’s Play Store will soon highlight apps with independent security reviews.

The company announced the change on the official Google Security blog. Google Android users who visit Google Play to browse for apps may open the data safety section for security and privacy information.

There, they will soon find the new independent security review label. Google plans to roll this out to apps in the VPN category first.

Google explains that VPN apps handle “sensitive and significant amount(s) of user data”. This makes them an excellent category to introduce the functionality.

Independent Security Reviews banner on Google Play

A new Independent Security Review banner is already displayed to Android users who search for VPN apps on Google Play. The banner, displayed beneath a list of advertisements for VPN apps, informs users about the security feature.

Android Independent Security Review

The banner lists the associated badge and includes the following description:

VPN apps with this badge in the Data safety section have been independently validated against a global security standard.

A link opens the website of the App Defense Alliance that lists all VPN apps with the badge. Only eight VPN apps are on the list currently. They are:

  • Aloha Browser + Private VPN
  • ExpressVPN: VPN Fast & Secure
  • Google One
  • NordVPN: private & secure VPN
  • Private Internet Access VPN
  • SkyVPN – Fast Secure VPN
  • Tomato VPN | VPN Proxy
  • vpnify – Unlimited VPN Proxy

A tap on any app and the selection of Data safety displays the new badge, provided that the app has undergone the security validation by App Defense Alliance’s global security standard. Those without it have not, but that does not mean that they have not passed other security audits.

What this means

Google highlights VPN apps that have passed the security validation on Google Play. The badge is not displayed on the apps’ main page, however, and it is easily overlooked in the data safety section.

Apps that passed validation meet “industry mobile security and privacy minimum best practices” according to Google. The badge does not “imply that a product is free of vulnerabilities” though.

To sum it up: the badge highlights that apps have passed independent security reviews, which is a good thing. Other apps, without the badge, may also have passed security audits. Some of these audits may have been more thorough than the one required to get the badge on Google Play.

Verdict

The new badge is a welcome addition to Google Play as it may help users pick a VPN app. While there are other criteria, such as features and performance, security is without doubt important.

That Google displays ads for VPN apps before the Independent Security Reviews badge is a problem. The listing in Data Safety makes sense, but Google might want to consider adding the badge to an application’s main page as well.

All in all, it is a welcome addition on Google Play. Users may still want to research VPN providers before installing any of them on their Android devices.

Now You: do you use VPN apps on your mobile devices?

How to block Firefox from importing OS Certificate Authorities

Posted on October 26, 2023 by Martin Brinkmann

Mozilla’s Firefox web browser maintains its own root certificate store by default. The browser uses these as “trust anchors” and the functionality is essential for making sure that only trusted SSL/TLS certificates are used by the browser.

Starting in Firefox 120, Firefox will automatically trust operating system certificates installed by the user or an administrator.

The beta release notes offer the following explanation:

By default, Firefox now uses TLS trust anchors (e.g., certificates) added to the operating system by the user or an administrator. This works on Windows, macOS, and Android, and it can be turned off in the “Privacy & Security” section of Firefox settings, under “Certificates”.

Administrators may add certificates to the operating system for a number of reasons. Some applications and devices may require them to work properly, and they may also be required in development environments. Antivirus solutions on Windows may try and register with Firefox to monitor data.

Blocking Firefox from trusting OS certificates

Firefox block third-party root certificates installed by the user

Firefox users may disable the functionality in Firefox 120 and newer versions. It is enabled by default. To modify this setting, follow these instructions:

  1. Load about:preferences#privacy in the Firefox address bar to open the Privacy settings.
  2. Scroll down to the Security section.
  3. Locate Certificates there.
  4. Remove the checkmark from “Allow Firefox to automatically trust third-party root certificates you install”.

You can undo the change at any time by checking the box again.

Another certificate preference

Firefox supports an Enterprise root preference already. When the browser runs into a TLS connection error, it will enable this Enterprise Roots preference automatically. This imports “any root certificate authorities” that users or administrators have added to the operating system.

Firefox tries to connect again to the site that threw the error. If successful, Firefox will keep the preference enabled and thus also the imported certificates.

Here is how this automatic behavior gets disabled:

  • Load about:config in the Firefox address bar.
  • Click “Accept the Risk and Continue” if the warning page is displayed.
  • Search for security.certerrors.mitm.auto_enable_enterprise_roots.
  • Change the value from True to False with a double-click or by using the button.
  • Search for security.enterprise_roots.enabled.
  • Change the value from True to False.
  • Restart the Firefox web browser.
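
To verify that the change stuck, a profile's preference files can be checked for the two preferences above. The following Python script is an added example, not part of the original article or Mozilla's code; it reads the text of prefs.js and user.js and reports which of the two preferences still resolve to true. The default of true for both preferences (taken from the steps above) and the sample file contents are assumptions constructed for the example.

```python
"""Audit a Firefox profile for the two enterprise-root preferences (added example)."""
import re
from pathlib import Path

# Preference names come from the article. The default of True for both is an
# assumption based on the article's "change the value from True to False".
WATCHED_PREFS = {
    "security.enterprise_roots.enabled": True,
    "security.certerrors.mitm.auto_enable_enterprise_roots": True,
}

# One preference line as written in prefs.js / user.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample inputs (not taken from a real profile).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.enterprise_roots.enabled", false);
'''
SAMPLE_USER_JS = '''\
// user_pref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
user_pref("security.enterprise_roots.enabled", true);
'''
SAMPLE_HARDENED_USER_JS = '''\
user_pref("security.enterprise_roots.enabled", false);
user_pref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
'''


def parse_prefs(text):
    """Return {name: bool} for watched prefs; commented-out lines are ignored."""
    found = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match and match.group(1) in WATCHED_PREFS and match.group(2) in ("true", "false"):
            found[match.group(1)] = match.group(2) == "true"  # later lines win
    return found


def effective_prefs(prefs_js="", user_js=""):
    """Resolve each watched pref to (value, source).

    prefs.js holds values changed through about:config; user.js, if present,
    is applied on top of it at every start, so it wins.
    """
    resolved = {name: (default, "default") for name, default in WATCHED_PREFS.items()}
    for source, text in (("prefs.js", prefs_js), ("user.js", user_js)):
        for name, value in parse_prefs(text).items():
            resolved[name] = (value, source)
    return resolved


def audit(prefs_js="", user_js=""):
    """Return one finding per pref that still lets Firefox import OS root CAs."""
    return [
        f"{name} is true ({source})"
        for name, (value, source) in sorted(effective_prefs(prefs_js, user_js).items())
        if value
    ]


def audit_profile(profile_dir):
    """Run the audit against a profile directory; missing files count as empty."""
    def read(name):
        path = Path(profile_dir) / name
        return path.read_text(encoding="utf-8", errors="replace") if path.is_file() else ""
    return audit(read("prefs.js"), read("user.js"))


if __name__ == "__main__":
    # The about:config change in prefs.js is undone by a stale user.js entry,
    # and the commented-out line leaves the second pref at its default.
    for finding in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print("FINDING:", finding)
```

An empty result from `audit_profile()` means both preferences resolve to false for that profile.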

Closing Words

Most Firefox users may want to keep the default as these are designed to minimize connection errors and issues. Users who want to be in full control may disable the functionality, on the other hand.

O&O ShutUp10++ review: tame Windows’ data hunger

Posted on October 25, 2023 by Martin Brinkmann

O&O ShutUp10++ is a free tool for Microsoft’s Windows operating system to improve privacy. Designed initially for Windows 10, the program is now also available for Windows 11.

While its main focus is on blocking the operating system’s data hunger, it is also a helpful tool for managing other Windows settings.

First, the basics. You can download the free tool from the official project website. Just run the program after download; installation is not required. Note that elevated privileges are required to modify settings on the system.

The main interface looks like this on start.

O&O ShutUp10++ interface

O&O ShutUp10++ groups settings for better recognition. You may disable that under View > Group by Categories if you prefer a long list. There is also a search to find settings that match search terms quickly.

Using O&O ShutUp10++ to improve Windows Privacy

All tweaks use color coding to indicate whether a feature is enabled or disabled. Each setting has a toggle to turn a feature on or off. A short description and a recommendation are also displayed.

Note that you may hover over any description and click with the left mouse button to display additional information. Excellent if you need to know more about a setting.

Many options are self-explanatory, but some may require additional research. “Disable People icon in the taskbar” is quite clear, but “disable input personalization” or “disable automatic receipt of updates” may not.

You can modify individual options with a click on the switch next to a setting. The program prompts you to create a system restore point, which you should accept. It allows you to restore the system to the previous state. The settings do not have the capacity to break the system, but it is still better to have a restore option.

The Actions menu at the top lists bulk options for the most part. You may use them to apply all recommended settings among other things. These are safe changes that should not impact usability on the device.

Bulk Actions in O&O ShutUp 10++

Options to apply “somewhat recommended” or all settings are also available, but this is not recommended. It is better to go through the remaining settings manually to make changes.

The two other options let you reset everything to factory defaults and to create a system restore point manually.

Administrators may also switch between the user and machine tabs. User settings apply only to the logged-in user, machine to all users on the system.

Verdict

O&O ShutUp10++ is a useful tool for Windows users. It is easy to use, free for personal use and includes major privacy settings. The settings don’t have the capacity to break a system, but some of the advanced options may impact certain settings or features on the device. It is easy enough to restore these, should you ever run into any issues in this regard.

All in all, O&O ShutUp10++ is an excellent program that every Windows user should run after installation and major upgrades. O&O Software updates the program frequently to include new options, which is another major plus.

Everyone wants your browsing data

Posted on October 22, 2023 by Martin Brinkmann

On today’s Internet, data is as precious as gold was in the Ancient world. Browsing data is data that is created automatically when you browse the Internet.

Whenever you visit a website, lots of things happen in the background. Requests are made, cookies and site data may be saved to the local system, and the cache is filled with data. The browser adds a record to its browsing history and maybe to other logs, e.g., when files get downloaded.

Data stored on third-party servers is not considered browsing data, but it may be generated as well.

This browsing data reveals a lot about you. What you like or your interests. It may reveal how old you are, if you are ill or looking for companionship. It may reveal what you plan to buy next or have bought, what you may need or needed.

Browsing data is personal data. This makes it desirable for nearly everyone on today’s Internet.

Who wants it and why: advertising

Google Chrome Privacy Sandbox

When asked, most Internet users would probably mention advertising first. Today’s advertising on the Internet relies to a large degree on information. The more information about a user, the better the chance to display targeted adverts and produce sales.

Tracking plays a large role in this. Most Internet users would probably disallow tracking if there was an easy switch integrated in browsers. There is none.

Google would be in an excellent position to create such a switch: it controls Chromium, the world’s most widely used browser source, and Chrome, the world’s most widely used browser. It also operates some of the world’s most visited websites.

Google is, however, an advertising company. Most of its revenue comes from advertising, which means that it benefits from the system that is in place.

But Google is ending third-party cookies in 2024, I hear you say. This is true, but this is not done without introducing another system that works in its place beforehand.

Built directly into Google Chrome, it analyzes the browsing history locally to assign interest groups to the user. Websites may also suggest interests based on your visits.

Sites and advertisers may use the information for displaying ads based on your interests.

Google calls these “Interests estimated by Chrome” and “sites you visit that define your interests”.

Granted, Google Chrome includes controls to turn all of this off. There is also a popup with information about this in Chrome.

As is often the case in life, the wording matters. Google calls this Privacy Sandbox, which is a euphemistic term. It may be better than tracking via third-party cookies, but it is still tracking in the end. By the way, you can already disable third-party cookies in your browser; there is no need to wait for Google to do so in 2024.

Quick Tip: disabling Chrome’s Privacy Sandbox

Disable Chrome's Privacy Sandbox

All you have to do is the following:

  1. Load chrome://settings/privacySandbox in the Chrome address bar.
  2. Disable “Trials” on the page that opens.

Note that this page is not final and that Google will likely make changes to it. You may also want to click on every option there to expand it and make sure it is turned off as well.

These are at the time of writing:

  • Browser-based ad personalization
  • Ad measurement
  • Spam & fraud protection.

AI wants it, too

AI has taken a big leap in 2023. New products release on a weekly basis. All of these have in common that they require data, lots of data.

It is used for training for the most part. A current trend is the integration of AI services into browsers and other programs. Even Windows 11 has its own AI integration, called Windows Copilot now.

These work best if they get access to user data. Personal data usually requires giving consent in these cases, for instance when the request comes from a user.

Microsoft is currently testing a new option in Edge Canary that gives Microsoft’s Bing Chat access to all page content. It is disabled by default, as it sends all browsing data to Microsoft “to make AI-generated answers and suggestions more relevant on Copilot”.

Not all AI products require access to personal data. The basic chat AI tools act on user input. Personalization, on the other hand, gets better with data. If an AI knows your interests, it may be of better service.

Take holiday planning as an example. If you ask AI for 5 sights in Barcelona, it may look like this: Gothic Quarter, Sagrada Familia, Casa Batlló, Casa Amatller and Park Güell.

If the AI knew more about your interests or personal information, it may have suggested different sights. Say, you love football or are travelling with young children or dislike crowds.

Users who like this may opt-in and maybe improve their experience with the AI. Whether that is also giving Microsoft more information and also better options to display targeted ads should be clear from the previous paragraphs.

Closing Words

Browsing data is valuable and it should be protected. Not everything is opt-in in today’s world and that is a problem. An upcoming tutorial will provide guidance on protecting browsing data.

What about you? Do you allow services to use your browsing data?

Password Managers that restrict passwords should not exist

Posted on October 21, 2023 by Martin Brinkmann

Password service Dashlane announced restrictions for free account users this week that limit passwords to 25. Starting November 7, 2023, all Dashlane Free users are restricted to 25 passwords instead of unlimited passwords, the previous limit.

Those with more than 25 passwords keep access to them but they face the same restrictions in regards to adding new passwords. In short: once the 25 passwords limit is reached or crossed, new passwords can only be added if enough old passwords are deleted. Dashlane will also limit support access to paying customers.

The company explains that it made the decision to “focus resources on providing the highest level of service, support, and security”. This is marketing speak.

Dashlane Free remains a product, which means that it requires development resources. Limiting passwords won’t change that. This leaves pushing Free users to paid plans by artificially worsening the experience for many of them as a plausible reason.

Restricting passwords is not right

Dashlane Free users could and can store as many passwords as they want using the password manager. This won’t change until November 7, 2023.

The new artificial limit puts many Free users in a precarious position. Those with more than 25 stored passwords can’t continue using the service, as new passwords need to be stored eventually. They have just a few options:

  • Delete passwords regularly to stay under the 25 passwords limit.
  • Upgrade to a paid account and give in to Dashlane’s pressuring.
  • Migrate to another password manager.

The first option is only feasible for users who don’t have many passwords in Dashlane. Upgrading is the quickest option to deal with the issue, but it also means paying for the password manager.

Migration is another option. Dashlane supports exporting all passwords to CSV files, which most password managers can import.

Password storage is a core feature of every password manager. Restricting the feature limits the password manager significantly. With the artificial limit in place, what is keeping Dashlane from introducing another restriction in the future that limits password storage even further or ends Dashlane Free altogether?

A short term boost to subscriptions

Dashlane will likely notice a short term boost to subscriptions. As users hit the new limit in November, part of the affected group will sign up for a paid account, especially since a discount is offered.

Others will migrate to a different password manager. Plenty are also free and most do not limit password storage.

My recommendation is Bitwarden. It is open source, does not restrict passwords and is considered one of the best password managers out there. If you don’t need cloud syncing, you could also check out KeePass, another excellent password manager.

Dashlane sign-ups will slow down after the change lands. Users who look for a password manager may not pick the one that is limiting a core feature of a password manager. Fewer Free signups will also lead to fewer free to paid upgrades, as fewer users may choose that path. This will impact revenue.

Closing Words

Dashlane could have selected a different path. It could make old user accounts grandfathered accounts. This would have allowed existing free users to continue using the password service as well, at least in regards to password storage. This, on the other hand, would not have pushed sales as much, as only new users would be subject to the passwords limit.

It remains to be seen if Dashlane is going to reverse the limit eventually. This is not totally out of the question.

This uBlock Origin filter blocks IDN attacks in browsers

Posted on October 20, 2023 by Martin Brinkmann

IDN attacks are a common threat on today’s Internet. IDN stands for Internationalized Domain Name. It refers to domain names that contain one or multiple characters in “non-Latin script or alphabet, or in the Latin alphabet-based characters with diacritics or ligatures”.

This enables support for domain names in all languages. German-speaking organizations and users may for instance use the letter Ö in domain names.

One problem associated with this is that it is sometimes impossible for users to distinguish between different characters. The Latin letters e and a, for instance, look identical to the Cyrillic letters e and a. The strings ghacks and ghаcks are not identical, for example, even though they are not distinguishable from just looking at them.

IDN homograph attacks

IDN homograph attacks take advantage of this. Threat actors create domain names that look like a legitimate domain. Links are then pushed via online advertising, comments, chats, email or other forms of communication.

Ars Technica published a story just yesterday about an online ad on Google Search that impersonated the official KeePass website. A search for KeePass listed a sponsored result at the top. This sponsored result pointed to the same domain as the legitimate KeePass website, at least on visual inspection.

It is not uncommon for organizations to place ads for key search terms, even if their domain is the first organic result.

In this particular case, it turned out that the sponsored ad was malicious. It used an IDN to look like the official KeePass website. The fake site pushed a malware family known as FakeBat according to Ars Technica’s research.

Protection against IDN attacks

Ars Technica writer Dan Goodin concluded that there is no 100% protection against IDN attacks. All major browsers load IDN URLs without issues.

Chromium-based browsers copy the punycode version of the domain, which offers a quick way to find out if it is an IDN.

Raymond Hill, creator of uBlock Origin, disagreed with Goodin’s conclusion as well. He published a single filter line for use in uBlock Origin, which blocks access to all IDN URLs by default. Users still have the option to proceed and to add an exception for the site, if it is legitimate.

Here is a step-by-step guide to add the filter to uBlock Origin:

  • Open the web browser.
  • Activate the uBlock Origin icon and select Settings.
  • Switch to the My Filters tab.
  • Paste the following string into an empty line: ||xn--$doc,frame
  • Select Apply changes.

That’s all there is to it. Any attempt to load an IDN in the browser is now met with uBlock Origin’s “blocked” window.
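The following Python check is an added example, not code from the article or from uBlock Origin. It flags links on the same basis the filter is described as using (a hostname label in punycode `xn--` form) and adds a mixed-script heuristic for lookalikes such as ghаcks. The sample URLs are constructed, and the function names and the mixed-script rule are assumptions of this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample links; .example is a reserved TLD, escapes make the lookalike visible.
SAMPLE_URLS = [
    "https://ghacks.example/",        # plain ASCII
    "https://gh\u0430cks.example/",   # Cyrillic U+0430 in place of Latin "a"
    "https://k\u00f6ln.example/",     # ordinary IDN with a Latin umlaut
]

def host_forms(url):
    """Return (punycode_host, unicode_host), or (None, None) if the host is unusable."""
    host = urlsplit(url).hostname
    if not host:
        return None, None
    try:
        ascii_host = host.encode("idna").decode("ascii")          # Unicode -> punycode
        unicode_host = ascii_host.encode("ascii").decode("idna")  # punycode -> Unicode
    except UnicodeError:  # empty or over-long label, invalid punycode
        return None, None
    return ascii_host, unicode_host

def label_scripts(label):
    """Scripts used by the letters of one label, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def assess(url):
    """Classify a link as ascii, IDN, mixed-script IDN or unparsable."""
    ascii_host, unicode_host = host_forms(url)
    if ascii_host is None:
        return {"url": url, "verdict": "unparsable"}
    # Assumed equivalent of the filter's match: some hostname label starts with "xn--".
    is_idn = any(label.startswith("xn--") for label in ascii_host.split("."))
    # Extra heuristic, not part of the filter: one label mixing several scripts.
    mixed = any(len(label_scripts(label)) > 1 for label in unicode_host.split("."))
    verdict = "mixed-script IDN" if is_idn and mixed else "IDN" if is_idn else "ascii"
    return {"url": url, "ascii_host": ascii_host,
            "unicode_host": unicode_host, "verdict": verdict}

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = assess(sample)
        print(f'{result["verdict"]:<17} {result.get("ascii_host")}')
```

A label written entirely in one non-Latin script is reported as plain IDN, so the `xn--` test remains the catch-all and the mixed-script verdict only raises the priority of a finding.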
