Experts criticize West Virginia’s plan for smartphone voting
13 votes -
Let's Encrypt Is Now Officially Trusted by All Major Root Programs
25 votes -
Facebook in talks with banks to add your financial information to Messenger
18 votes -
The federal government's My Health Record system is capable of storing genomic information, which could turbocharge medical research but has intensified privacy and security fears
5 votes -
Reddit servers breached; full backup from 2007 (including hashed+salted passwords) obtained by attackers
77 votes -
TSA looks at doing away with security screening at 150 smaller airports in US
15 votes -
Two-Factor Auth / Security
I’m still in awe of what’s happening here and wish I had a crystal ball to see the change this type of community will drive in broader social discourse. If that goal is realized, there will be very sophisticated folks looking to disrupt that progress.
As a security guy (especially in light of Reddit’s recent announcement) I had a few questions!
1.) How open are we to integrating some type of optional 2FA for users? Maybe a simple TOTP integration?
2.) Are the admins of the site implementing the right amount of fundamental controls for the backend? I’m 100% happy to provide thoughts on this if necessary! The decisions you make now could impact us 5-6 years from now. And they’re oh-so-easy to change this early :-D.
16 votes -
India looking to compel e-commerce, social media firms to store data locally
5 votes -
Need help dispelling myths about how hackers access websites
I hope I’m posting this in the correct place. I’ve been having a disagreement with someone over the abilities of hackers. I kinda hope Deimorz pops in because he wrote automod.
I said that the only way for someone to gain access to a subreddit to make changes is if they steal a moderator’s account password or they are added to the mod team. The person I’m having a disagreement with believes that adding text to the wiki for users to view (like the extensive wiki r/skincareaddiction has) would make it easier for hackers to insert malicious code in order to gain access to the sub. This person also mentioned being able to change the subreddit through browser tools. She insists the sidebar and wiki are potential access points for scripting attacks. Automod just so happens to be enabled which is why I mentioned Deimorz.
I’m not an IT professional. My brothers currently are which helped me learn most of what I know. I’ve supplemented that over the years with whatever info I came across online. What she’s saying sounds like crazy town to me. But since I’m not a hacker, is there a way to use the sidebar or wiki area to hack into a subreddit?
Thanks in advance to anyone who pities me by providing a detailed answer to this thinly veiled request to help me win an internet argument 🙇🏾♀️.
10 votes -
The spy who drove me
7 votes -
What are you using for your firewall in your home lab, hardware and OS?
What are you using for your firewall at home?
8 votes -
Departing Facebook security officer's memo: "We need to be willing to pick sides"
6 votes -
How to block ads like a pro
34 votes -
The SIM Hijackers
8 votes -
Riot's approach to anti-cheat
3 votes -
Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States
21 votes -
Riot's approach to anti-cheat
10 votes -
"If you are denied an Australian visa, you will be denied by a human officer. They might be assisted by AI, but it's a human that will deny your visa. We call that the 'golden rule'."
3 votes -
Breach 'inevitable' in digital health records
7 votes -
Despite Chrome’s pending “mark of shame,” three major news sites aren’t HTTPS
18 votes -
VPNFilter, malware that targets network infrastructure discovered in May, deployed against Ukrainian water system.
7 votes -
npm package "eslint-scope" compromised, npm is invalidating all login tokens created before 2018-07-12 12:30 UTC
16 votes -
Chinese hackers breach Australian National University, putting national security at risk
5 votes -
Plant your flag, mark your territory - "If you don’t plant your flag online, fraudsters and identity thieves may do it for you"
14 votes -
Security gaps identified in LTE mobile telephony standard
12 votes -
WPA3 is here. What does everyone think?
18 votes -
WPA3 Wi-Fi announced
4 votes -
What's the policy on bug hunting?
I'm sure as tildes gets bigger, security will continue to be a matter of discussion.
The dev GodEmperors of tildes have (quite awesomely) taken a big position on security already by disallowing breached passwords from being used.
I'm not much of a hacker myself, but it's an armchair interest and I'm sure others more skilled would love to be able to give back to Tildes and help keep the site as secure as possible.
What's the policy on bug hunting, and searching for exploits?
Thanks!
14 votes -
Antivirus is dead: Long live antivirus!
19 votes -
"We're baking Have I Been Pwned into Firefox and 1Password"
15 votes -
Password manager suggestions?
I'm going to college soon, and I'm in the process of straightening out my accounts and login information. What password managers would any of you recommend? I'm looking for something that can be accessed on both desktop (PC) and mobile (Android).
Edit: I have set up KeePass and it looks like a great solution! Thanks for the help.
33 votes -
Meet TLBleed: A crypto-key-leaking CPU attack that Intel reckons we shouldn't worry about
13 votes -
What do you think of the Cybersecurity Humble Bundle?
19 votes -
Inside the bunkers and war rooms where major banks wage nightly battle on the frontline of cyber war
5 votes -
2-factor authentication
A lot of the newer websites and services now offer 2FA so I was wondering if Tildes has any plans to do that? No idea how hard it would be to implement but I feel like that would be a welcome addition for many people.
I'd also be happy to hear people's thoughts on this and if you guys think the website actually needs this. In my mind more security is always better than less security.
36 votes -
I Discovered a Browser Bug: Accessing cross-origin resources with Service Worker and WAV headers
7 votes -
Banking by smart speaker arrives, but security issues exist
2 votes -
How would Tildes mitigate a DDOS attack?
While reading up on what it takes to run this site, it just occurred to me that the site is hosted on one server with one network connection. Adding a CDN or cloud based DDOS protection would run contrary to the "no third party" thing we've got going on here, so that doesn't seem like an option.
So I got to wondering, what would happen if a malicious actor were to sic a botnet on us? I imagine the outcome would not be good. Do we have any strategies to deal with this?
9 votes -
FireEye Blog: Bring Your Own Land
2 votes -
Bitcoin Phishing Attack
Got this phishing SMS message today. I spun up a VM and investigated the domain provided in the message. Found the provider and reported it to them.
The phishing page is a replica Coinbase login page.
10 votes -
Airgeddon - Wireless auditing made easy
3 votes -
Signing CryptPad - Experiments with making a webapp secure despite the server
7 votes -
SigSpoof: Spoofing signatures in GnuPG, Enigmail, GPGTools and python-gnupg (CVE-2018-12020)
5 votes -
Future of CopperheadOS looks murky
6 votes -
Bad .Men at .Work. Please Don’t .Click
12 votes -
Inside Palmer Luckey's bid to build a US border wall
10 votes -
China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare
7 votes -
Firefox 62 Nightlies: Improving DNS Privacy in Firefox
Firefox recently introduced DNS over HTTPS (DoH) and Trusted Recursive Resolver (TRR) in nightly builds for Firefox 62.
DoH and TRR are intended to help mitigate these potential privacy and security concerns:
- Untrustworthy DNS resolvers tracking your requests, or tampering with responses from DNS servers.
- On-path routers tracking or tampering in the same way.
- DNS servers tracking your DNS requests.
DNS over HTTPS (DoH) encrypts DNS requests and responses, protecting against on-path eavesdropping, tracking, and response tampering.
Trusted Recursive Resolver (TRR) allows Firefox to use a DNS resolver that's different from your machine's network settings. You can use any recursive resolver that is compatible with DoH, but it should be a trusted resolver (one that won't sell users’ data or trick users with spoofed DNS). Mozilla is partnering with Cloudflare (but not using the 1.1.1.1 address) as the initial default TRR; however, it's possible to use another 3rd party TRR or run your own.
Cloudflare is providing a recursive resolution service with a pro-user privacy policy. They have committed to throwing away all personally identifiable data after 24 hours, and to never pass that data along to third-parties. And there will be regular audits to ensure that data is being cleared as expected.
Additionally, Cloudflare will be doing QNAME minimization where the DNS resolver no longer sends the full original QNAME (foo.bar.baz.example.com) to the upstream name server. Instead it will only include the label for the zone it's trying to resolve.
For example, let's assume the DNS resolver is trying to find foo.bar.baz.example.com, and already knows that ns1.nic.example.com is authoritative for .example.com, but does not know a more specific authoritative name server.
- It will send the query for just baz.example.com to ns1.nic.example.com which returns the authoritative name server for baz.example.com.
- The resolver then sends a query for bar.baz.example.com to the nameserver for baz.example.com, and gets a response with the authoritative nameserver for bar.baz.example.com
- Finally the resolver sends the query for foo.bar.baz.example.com to bar.baz.example.com's nameserver.
In doing this the full queried name (foo.bar.baz.example.com) is not exposed to intermediate name servers (bar.baz.example.com, baz.example.com, example.com, or even the .com root nameservers).
Collectively DNS over HTTPS (DoH), Trusted Recursive Resolver (TRR), and QNAME Minimization are a step in the right direction, but this does not fix DNS related data leaks entirely:
After you do the DNS lookup to find the IP address, you still need to connect to the web server at that address. To do this, you send an initial request. This request includes a server name indication, which says which site on the server you want to connect to. And this request is unencrypted.
That means that your ISP can still figure out which sites you’re visiting, because it’s right there in the server name indication. Plus, the routers that pass that initial request from your browser to the web server can see that info too.
So how do I enable it?
DoH and TRR can be enabled in Firefox 62 or newer by going to about:config:
- Set network.trr.mode to 2
- Here's the possible network.trr.mode settings:
- 0 - Off (default): Use standard native resolving only (don't use TRR at all)
- 1 - Race: Native vs. TRR. Do them both in parallel and go with the one that returns a result first.
- 2 - First: Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
- 3 - Only: Only use TRR. Never use the native (after the initial setup).
- 4 - Shadow: Runs the TRR resolves in parallel with the native for timing and measurements but uses only the native resolver results.
- 5 - Off by choice: This is the same as 0 but marks it as done by choice and not done by default.
- Set network.trr.uri to your DoH Server:
- Cloudflare’s is https://mozilla.cloudflare-dns.com/dns-query (but you can use any DoH compliant endpoint)
- The DNS Tab on about:networking will show which names were resolved using TRR via DoH.
Links:
A cartoon intro to DNS over HTTPS
Improving DNS Privacy in Firefox
DNS Query Name Minimization to Improve Privacy
TRR Preferences
I'm not affiliated with Mozilla or Firefox, I just thought ~ would find this interesting.
13 votes -
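As an added illustration of the QNAME minimization walk-through in the post above (example code written for this page, not Firefox's or Cloudflare's resolver), the following Python simulates a recursive resolver over a constructed toy namespace and records exactly which query name each authoritative server saw. It goes a little beyond the post's single instance: the resolver starts at a hypothetical root instead of already knowing example.com's server, and it handles the case where a minimized name exists but is not a delegation (the resolver then appends one more label and asks the same server again, as RFC 7816 describes). All zone names, servers and addresses are constructed for the example.

```python
"""Toy simulation of QNAME minimization (RFC 7816).

Constructed data only: the zones, delegations and 192.0.2.x addresses
below are invented for this example and do not describe any real resolver.
"""

# Constructed authoritative data. Each zone knows the child zones it
# delegates (NS) and the addresses (A) it serves directly.
ZONES = {
    ".":                     ({"com."}, {}),                       # hypothetical root
    "com.":                  ({"example.com."}, {}),
    "example.com.":          ({"baz.example.com."},
                              {"www.api.example.com.": "192.0.2.20"}),  # api. is an empty non-terminal
    "baz.example.com.":      ({"bar.baz.example.com."}, {}),
    "bar.baz.example.com.":  (set(), {"foo.bar.baz.example.com.": "192.0.2.10"}),
}


def labels(name):
    """Split a dotted name into its labels, ignoring the empty root label."""
    return [lab for lab in name.split(".") if lab]


def serve(zone, qname):
    """What the authoritative server for `zone` answers when asked for `qname`."""
    children, records = ZONES[zone]
    if qname in records:
        return "answer", records[qname]
    # Longest matching delegation wins, exactly as a real referral would.
    for child in sorted(children, key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            return "referral", child
    # Name is not delegated and has no address here (NODATA / NXDOMAIN).
    return "nodata", None


def resolve(full_name, minimize=True):
    """Resolve `full_name` from the root; return (address, queries_seen).

    queries_seen is a list of (server_zone, qname) pairs, i.e. exactly
    what each authoritative server got to see on the wire.
    """
    full = labels(full_name)
    zone = "."
    # Minimized: send one label below the zone cut we already know about.
    depth = len(labels(zone)) + 1 if minimize else len(full)
    seen = []
    while True:
        depth = min(depth, len(full))
        qname = ".".join(full[-depth:]) + "."
        seen.append((zone, qname))
        kind, data = serve(zone, qname)
        if kind == "answer":
            return data, seen
        if kind == "referral":
            zone = data
            if minimize:
                depth = len(labels(zone)) + 1
            continue
        # nodata: the minimized name exists under this zone but is not a
        # delegation (empty non-terminal), so reveal one more label to the
        # same server. If we are already sending the full name, it does not exist.
        if depth == len(full):
            return None, seen
        depth += 1


def exposed_to(seen, full_name):
    """Set of servers that ever saw the complete query name."""
    return {zone for zone, qname in seen if qname == full_name}


if __name__ == "__main__":
    name = "foo.bar.baz.example.com."
    for mode in (False, True):
        addr, seen = resolve(name, minimize=mode)
        print("minimize =", mode, "->", addr)
        for zone, qname in seen:
            print(f"  server for {zone:<24} saw {qname}")
        print("  servers that saw the full name:", sorted(exposed_to(seen, name)))
```

Running it shows the point of the post's three bullet steps: without minimization every server on the path, from the root down, sees foo.bar.baz.example.com; with minimization only bar.baz.example.com's server ever does. The www.api.example.com case shows the fallback when a shortened name is not a delegation, and a made-up name returns None after the same number of queries a real resolver would need to establish it does not exist.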
Behind the messy, expensive split between Facebook and WhatsApp’s founders
5 votes