polonus
4821
Do not think you are safe using a Tor browser! You can get malware infested by a certificate pinned altered NoScript extension for instance, because Mozilla cannot protect you against such an attack: https://medium.com/@movrcx/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95
Again a user is helpless against a direct attack from a party with enough resources (Spooks, spies whether corporational or government related - does not matter). Could it be your surveilling government organization this time - NSA, CIA, FBI or one of their global counterparts?
So refrain from sharing with the Internet that what you do not want to share with others. We have arrived in a situation where we can trust no one with our private digital information. It is all a question of trust and do you know who you can trust with your e2e encrypted info and where it lands eventually?
If you do not hide my warnings, you'd only have yourself to blame.
Three instances where we saw SSL security crumbling
Consider how three recent examples involving sub-CAs being used to produce phony certificates show that the classical root certificate authority-based trust model is breaking down:
Trustwave. In 2012, Trustwave issued a sub-CA to a private organization [2]. This sub-CA was to be loaded into a device performing a man-in-the-middle attack, and its sole purpose was to allow that device to generate trusted certificates for arbitrary domains, allowing interception against all devices on the network. This approach avoided the need to install a custom root certificate across all devices, and also prevented certificate warnings, by chaining the phony certificates to Trustwave.
TURKTRUST. In 2013, a sub-CA issued by TURKTRUST, a root certificate authority based in Turkey, issued a phony certificate for the google.com domain. The certificate pinning capabilities added to Chrome by Google detected this certificate in the wild [4].
ANSSI. Also in 2013, ANSSI, a root certificate authority controlled by the French government, issued a sub-CA to the French treasury department, IGC/A, and IGC/A in turn used the sub-CA to intercept and monitor employee web traffic [15].
quote taken from source article: case study fighting back against SSL Inspection, conducted by Jacob Thompson and directed by Stephen Bono.
polonus (volunteer website security analyst and website error-hunter)
bob3160
4822
"We have arrived in a situation where we can trust no one with our private digital information. It is all a question of trust and do you know who you can trust with your e2e encrypted info and where it lands eventually?"
We have been at this juncture for many years but no one believed those of us preaching this fact.
There were always those that thought that with enough encryption and the use of back doors, they still had an assurance of privacy.
Maybe now it's finally starting to sink in. Privacy on the internet is dead.
Pondus
4823
BeSecure
4824
BeSecure
4825
Asyn
4826
BeSecure
4827
BeSecure
4828
polonus
4829
Paying attention to these threats for years now at the "virus and worms",
now also mentioned here:
https://blog.sucuri.net/2016/09/hacked-website-report-2016q2.html
7000 WP sites hacked lately.
PDF report available from link given,
polonus (volunteer website security analyst and website error-hunter)
Pondus
4830
Pondus
4831
BeSecure
4832
Asyn
4833
Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004
https://www.drupal.org/SA-CORE-2016-004
Asyn
4834
BeSecure
4835
DavidR
4837
The problem being this is from 2014 - so that horse has bolted long ago - if your data got stolen then it's probably a little late.
polonus
4838
Research: AV vendor's privacy policy:
https://www.av-test.org/en/news/news-single-view/data-protection-or-virus-protection/
All AV vendors share your data with third parties.
If it's free, you are the product.
If it ain't free you are still the product anyway!!
polonus
BeSecure
4839
What about Avast!? @polonus
polonus
4840
They have an Avast Free Privacy Policy and a VPN Privacy Policy: they share a lot of things: https://www.reddit.com/r/technology/comments/3lass7/avasts_privacy_policy_also_states_that_they_share/
Main and sole third partner = Google (Google Tag Manager) - they say they only use your private data statistically, but as Google has access and on Android Google Admob, it is out of sight and Google can sit on it and sell it or turn it over to surveillance if requested and under gag-order,
pol