Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/beerisgood/security-link-collection

a collection of links on various security topics
badness-enumeration facts insecurity privacy real-talk security

Last synced: 26 days ago
README


### This list is constantly being expanded
![GitHub last commit](https://img.shields.io/github/last-commit/beerisgood/Security-link-collection?label=last%20update%3A&style=flat-square)

* Password Manager: Tavis Ormandy's opinion on [Password Managers](https://lock.cmpxchg8b.com/passmgrs.html), also [fatal flaws](https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers) in deterministic password managers. [How](https://palant.info/2021/12/29/how-did-lastpass-master-passwords-get-compromised/) did LastPass master passwords get compromised, [how](https://www.malwarebytes.com/blog/news/2022/08/source-code-of-password-manager-lastpass-stolen-by-attacker) their source code was stolen, how password vaults were [obtained](https://palant.info/2022/12/23/lastpass-has-been-breached-what-now/) and even a year after the disastrous breach, [LastPass has not improved](https://palant.info/2023/09/05/a-year-after-the-disastrous-breach-lastpass-has-not-improved/). Bitwarden [design flaw](https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/): Server side iterations. (In)Security of the Unix "[Pass](https://rot256.dev/post/pass/)" password manager. KeePass's InSecurity [against local attackers](https://www.cve.org/CVERecord?id=CVE-2023-24055), A Case Study in Attacking KeePass Part [1](https://blog.harmj0y.net/redteaming/a-case-study-in-attacking-keepass/), [2](https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/)
* Networking 101 [YouTube](https://www.youtube.com/playlist?list=PLR0bgGon_WTKY2irHaG_lNRZTrA7gAaCj)
* The Six [Dumbest Ideas](https://www.ranum.com/security/computer_security/editorials/dumb/index.html) in Computer Security
* [How](https://www.grc.com/dns/dns.htm) [*to*](https://www.dnsleaktest.com) [test](https://bash.ws/dnsleak/) [*your*](https://dnscheck.tools/) [DNS](https://cmdns.dev.dns-oarc.net) (security & privacy)
* [How](https://www.ssllabs.com/ssltest/analyze.html) [*to*](https://www.virustotal.com/gui/home/url) [test](https://webbkoll.dataskydd.net/) website (security, privacy & [cookies](https://2gdpr.com))
* [How](https://mecsa.jrc.ec.europa.eu/) [*to*](https://internet.nl/test-mail/) [test](https://ssl-tools.net/mailservers) [*your*](https://www.emailprivacytester.com/) email provider (security & privacy)
* Why the FBI [can’t get](https://blog.cryptographyengineering.com/2021/03/25/whats-in-your-browser-backup/) your browsing history from Apple iCloud (and other scary stories)
* Why GPG/(Open)PGP [isn't](https://archive.is/K1eZz) [*recommended*](https://web.archive.org/web/20230601224637/https://twitter.com/DanielMicay/status/1145264664315604992) and what its numerous [*problems*](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) [are](https://www.kicksecure.com/wiki/OpenPGP#Issues_with_PGP)
* Check [if](https://sec.hpi.de/ilc/?lang=en) your [email/phone number](https://haveibeenpwned.com/) or [password](https://haveibeenpwned.com/Passwords) appears in a data breach
* Understand the [security](https://courses.csail.mit.edu/6.857/2016/files/24.pdf) [*risks*](https://support.google.com/chrome/a/answer/9897812) of browser extension permissions and why even Manifest V3 does not [sufficiently](https://mattfrisbie.substack.com/p/spy-chrome-extension) protect you against abuse
* [Some](https://palant.info/2021/09/28/breaking-custom-cursor-to-p0wn-the-web/) [*examples*](https://palant.info/2021/08/02/data-exfiltration-in-keepa-price-tracker/) [why](https://palant.info/2021/06/28/having-fun-with-css-injection-in-a-browser-extension/) [*browser*](https://palant.info/2021/05/04/universal-xss-in-ninja-cookie-extension/) [extensions](https://palant.info/2021/04/13/print-friendly-pdf-full-compromise/) [*are*](https://palant.info/2020/12/10/how-anti-fingerprinting-extensions-tend-to-make-fingerprinting-easier/) [bad](https://palant.info/2020/02/25/mcafee-webadvisor-from-xss-in-a-sandboxed-browser-extension-to-administrator-privileges/) and [scam users](https://youtu.be/vc4yL3YTwWk) - since at least [2015](https://security.googleblog.com/2015/03/out-with-unwanted-ad-injectors.html) [*until*](https://www.imperva.com/blog/the-ad-blocker-that-injects-ads/) [today](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css) - even big ones [like](https://palant.info/2022/03/14/party-time-injecting-code-into-teleparty-extension/) [*Skype*](https://palant.info/2022/03/01/skype-extension-all-functionality-broken-still-exploitable/) or [Adobe](https://palant.info/2022/04/19/adobe-acrobat-hollowing-out-same-origin-policy/); how they make your fingerprint [unique](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_extensions) or [bypass](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-new-malicious-browser-extension-for-stealing-cryptocurrencies/) your 2FA; how Chrome extensions can [steal](https://arxiv.org/pdf/2308.16321.pdf) your passwords from websites; and why [they're](https://www.bleepingcomputer.com/news/security/malicious-browser-extensions-are-the-next-frontier-for-identity-attacks/) the next frontier for identity attacks
* [Read](https://madaidans-insecurities.github.io/linux.html) [*what*](https://forums.whonix.org/t/fixing-the-desktop-linux-security-model/9172/2) [countless](https://www.reddit.com/r/GrapheneOS/comments/bj1gpz/syzbot_and_the_tale_of_thousand_kernel_bugs/) [*security*](https://forums.grsecurity.net/viewtopic.php?f=7&t=4309) [experts](https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html) and the [Washington Post](https://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/) [*have*](https://slo-tech.com/clanki/10001en/) [to](https://www.youtube.com/watch?v=LqaWIn4y26E) [*say*](https://www.youtube.com/watch?v=BVOCYFTC_rQ) [about](https://grsecurity.net/~spender/interview_notes.txt) [*Linux*](https://jenda.hrach.eu/w/linux-insecurity) [insecurity](https://web.archive.org/web/20210404210717/https://dnetc.net/are-the-bsd-dying/) / the [*Security Circus*](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), [hacks](https://ar.al/2022/08/30/dear-linux-privileged-ports-must-die/), [*dangerous*](https://bitsex.net/english/2021/kodachi-linux-is-probably-not-secure/) configurations, and why [all](https://ciq.com/whitepaper/vendor-kernels-bugs-stability/) vendor kernels are plagued with security vulnerabilities (disk encryption is [also broken](https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html))
* Some [Thoughts](https://qua3k.github.io/pegasus/) about the NSO Group's Pegasus
* [An](https://web.archive.org/web/20211009210153/https://twitter.com/ZanthedNT/status/1446943944261128192) [*antivirus*](https://archive.is/pyY3l) [does](https://archive.is/bxpzf) [*not*](https://archive.is/4WWXD) [improve](https://archive.is/7aKME) [*your*](https://archive.is/cwxDK) [security](https://privsec.dev/knowledge/badness-enumeration/#antiviruses) and may even collect and [sell](https://www.bleepingcomputer.com/news/security/ftc-to-ban-avast-from-selling-browsing-data-for-advertising-purposes/) your data or [force-install](https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/) unwanted software
* [Enumerating](https://lwn.net/Articles/293034/) badness
* (Electron, Node.js) [applications](https://github.com/sickcodes/no-sandbox) that run Chromium without the sandbox
* [Test](https://isbgpsafeyet.com/) your ISP's (Internet Service Provider) Border Gateway Protocol (BGP) security
* Stop using (encrypted) [Email](https://latacora.singles/2020/02/19/stop-using-encrypted.html)
* FLOSS [doesn't](https://seirdy.one/2022/02/02/floss-security.html) imply security
* Email Security [Pitfalls](https://web.archive.org/web/20230601105530/https://improsec.com/tech-blog/email-security-pitfalls)
* End-to-End Encryption in [Web Apps](https://cronokirby.com/posts/2021/06/e2e_in_the_browser/)
* Docker - the [security nightmare](https://wonderfall.dev/docker-hardening/#is-it-really-a-security-nightmare) of [dependencies](https://wonderfall.dev/docker-hardening/#the-nightmare-of-dependencies), a [hidden place](https://community.atlassian.com/t5/Trust-Security-articles/Hiding-malware-in-Docker-Desktop-s-virtual-machine/ba-p/1924743) for malware, a source of [exposed](https://arxiv.org/pdf/2307.03958.pdf) secrets and private keys, and, with Docker Hub, a home for [millions of malicious repositories](https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/)
* SIM Card [Hijacking](https://www.maketecheasier.com/sim-card-hijacking/): How it works and what you can do about it
* [SS7](https://secure-voice.com/ss7_attacks/) Attacks: Intercepting SMS and calls as easy as ABC
* Messenger (problems): [WhatsApp's backups](https://sudneela.github.io/posts/the-workings-of-whatsapps-end-to-end-encrypted-backups/), [Signal's Sealed Sender](https://www.ndss-symposium.org/ndss-paper/improving-signals-sealed-sender/) and its [downplayed](https://www.bleepingcomputer.com/news/security/signal-downplays-encryption-key-flaw-fixes-it-after-x-drama/) encryption key flaw, [Telegram](https://portswigger.net/daily-swig/multiple-encryption-flaws-uncovered-in-telegram-messaging-protocol)'s [*cryptanalysis*](https://www.cryptofails.com/post/70546720222/telegrams-cryptanalysis-contest) and [very](https://words.filippo.io/dispatches/telegram-ecdh/) old [InSecurity](https://blog.bytebytego.com/p/ep29-online-gaming-protocol#§is-telegram-secure), Three Lessons from [Threema](https://breakingthe3ma.app/), [Converso - how to uncover extraordinary claims](https://crnkovic.dev/testing-converso/), Tox handshake [vulnerability](https://blog.tox.chat/2023/03/redesign-of-toxs-cryptographic-handshake/), [Ginlo](https://lets.re/blog/ginlo/), [Collaborative Groups](https://lets.re/blog/roll-your-own-e2ee-protocol/), [KakaoTalk](https://stulle123.github.io/posts/kakaotalk/secret-chat/), [Session](https://soatok.blog/2025/01/14/dont-use-session-signal-fork/)
* Browser Insecurity: [Pale Moon](https://seirdy.one/notes/2022/06/01/pale-moon/), [ungoogled-Chromium](https://qua3k.github.io/ungoogled/), [Brave](https://www.spacebar.news/p/stop-using-brave-browser), [Avast Browser](https://palant.info/2024/07/15/how-insecure-is-avast-secure-browser/), [Arc Browser](https://kibty.town/blog/arc/)
* [SMS phishing](https://www.bejarano.io/sms-phishing/) is way too easy
* [Why](https://gergelykalman.com/why-you-shouldnt-use-a-commercial-vpn-amateur-hour-with-windscribe.html) you [shouldn't](https://gist.github.com/joepie91/5a9909939e6ce7d09e29) [*use*](https://superuser.com/a/926524) VPN [services](https://educatedguesswork.org/posts/public-wifi/), and the [leaks](https://www.leviathansecurity.com/blog/tunnelvision) they have. If you need one, use [MPRs](https://invisv.com/articles/relay.html) (Multi-Party Relays)
* [Avoid](https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/) Electron-[*based*](https://web.archive.org/web/20220816044304/https://www.malwarebytes.com/blog/news/2022/08/a-vulnerability-was-found-in-electron-which-is-what-drives-discord-spotify-and-microsoft-teams) [programs](https://blog.doyensec.com/2022/09/27/electron-api-default-permissions.html)
* [Matrix](https://archive.is/bPrxT) [*InSecurity*](https://archive.is/lqtLl), [concerns](https://anarc.at/blog/2022-06-17-matrix-notes/) and big [potential metadata issues](https://blog.erethon.com/blog/2023/06/21/what-happens-when-a-matrix-server-disappears/)
* Phishing [with](https://mrd0x.com/phishing-with-chromium-application-mode/) Chromium's Application Mode
* Browser in the Browser (BITB) [Attack](https://mrd0x.com/browser-in-the-browser-phishing-attack/)
* Chrome Browser Exploitation [Part 1](https://jhalon.github.io/chrome-browser-exploitation-1/)
* [Graphics](https://archive.is/432zQ) explaining [passkeys](https://www.passkeys.io) in detail, a security [overview](https://support.apple.com/102195), and a [directory](https://passkeys.directory) of supporting websites
* What [happens](https://blog.bytebytego.com/i/64353490/how-does-visa-work-when-we-swipe-a-credit-card-at-a-merchants-shop) when you swipe a credit card, and what the [differences](https://blog.bytebytego.com/i/68502474/visa-vs-american-express) between Visa and American Express are
* What are the differences [between](https://www.youtube.com/watch?v=Jz8Gs4UHTO8) bare metal, virtual machines, and containers
* HTTP/1 to HTTP/2 [to](https://www.youtube.com/watch?v=a-sBfyiXysI) HTTP/3 - a [Deep Dive](https://blog.bytebytego.com/p/http1-vs-http2-vs-http3-a-deep-dive)
* The Rising [Threat](https://www.apple.com/newsroom/pdfs/The-Rising-Threat-to-Consumer-Data-in-the-Cloud.pdf) to Consumer Data in the Cloud
* Common [pitfalls](https://palant.info/2022/12/08/common-pitfalls-of-breaking-up-https-connections/) of breaking up HTTPS connections
* (Motherboard vendor) MSI's [(in)Secure](https://dawidpotocki.com/en/2023/01/13/msi-insecure-boot/) Boot
* "Sign in with" [Apple](https://www.apple.com/privacy/docs/Sign_in_with_Apple_White_Paper_Nov_2019.pdf)
* [Building a Trusted Ecosystem](https://www.apple.com/privacy/docs/Building_a_Trusted_Ecosystem_for_Millions_of_Apps.pdf) for Millions of Apps
* Protecting Chrome Traffic with [Hybrid Kyber KEM](https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html)
* fail2ban [sucks](https://j3s.sh/thought/fail2ban-sux.html); over 1,450 [pfSense](https://www.bleepingcomputer.com/news/security/over-1-450-pfsense-servers-exposed-to-rce-attacks-via-bug-chain/) servers exposed to RCE via a bug chain
* iMessage with [PQ3](https://security.apple.com/blog/imessage-pq3/) post-quantum cryptographic protocol - external security review [1](https://security.apple.com/assets/files/Security_analysis_of_the_iMessage_PQ3_protocol_Stebila.pdf), [2](https://security.apple.com/assets/files/A_Formal_Analysis_of_the_iMessage_PQ3_Messaging_Protocol_Basin_et_al.pdf)
* Security problems with (consumer) [routers](https://routersecurity.org/consumerrouters.php), for example from [Netgear](https://web.archive.org/web/20240610184918/https://redfoxsec.com/blog/security-advisory-multiple-vulnerabilities-in-netgear-wnr614-router/), [*Netgear 2*](https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch-authentication-bypass-xss-router-flaws/), [D-Link](https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-d-link-dir-859-router-flaw-to-steal-passwords/), [*D-Link 2*](https://www.bleepingcomputer.com/news/security/d-link-fixes-critical-rce-hardcoded-password-flaws-in-wifi-6-routers/), [Asus](https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-remote-authentication-bypass-on-7-routers/), [DrayTek](https://www.bleepingcomputer.com/news/security/draytek-fixed-critical-flaws-in-over-700-000-exposed-routers/) or [TP-Link](https://www.bleepingcomputer.com/news/security/new-botnet-exploits-vulnerabilities-in-nvrs-tp-link-routers/)
* [How](https://developer.apple.com/security/complying-with-the-dma.pdf) Apple handles the Digital Markets Act
* Breaking the DECT Standard Cipher [with](https://eprint.iacr.org/2024/404) Lower Time Cost
* IoT Device Security [Specification 1.0](https://csa-iot.org/newsroom/the-connectivity-standards-alliance-product-security-working-group-launches-the-iot-device-security-specification-1-0/)
* Cloud InSecurity: Nextcloud E2EE [broken](https://eprint.iacr.org/2024/546.pdf)
* About Apple threat [notifications](https://support.apple.com/102174) and protecting against mercenary spyware
* WiFi - The [SSID Confusion Attack](https://www.top10vpn.com/research/wifi-vulnerability-ssid/)
* [Leveraging](https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/) DNS Tunneling for Tracking and Scanning
* Security research on Apple's [Private Cloud Compute](https://security.apple.com/blog/pcc-security-research)
* Privacy, Anonymity and Compartmentalization [repository](https://github.com/HotCakeX/Privacy-Anonymity-Compartmentalization)
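The breached-password check linked above (haveibeenpwned.com/Passwords) can be automated without ever sending the password, or even its full hash, to the service: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every known suffix for that prefix, so the server learns nothing beyond a 20-bit bucket. The following is an added example (not part of the original link collection) that implements that k-anonymity lookup; the API URL and the `SUFFIX:COUNT` response format are HIBP's public contract, while the sample response is constructed so the example runs offline.

```python
"""k-anonymity breached-password check in the style of the HIBP Pwned Passwords range API.

Added example for this link collection. SHA-1 prefix/suffix splitting, the
https://api.pwnedpasswords.com/range/<prefix> endpoint and the 'SUFFIX:COUNT'
body format are the real API; SAMPLE_RANGES below is constructed test data.
"""
import hashlib
import urllib.request
from typing import Callable

API_BASE = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffix ending in ...68FD8 is the real suffix of "password"; the other lines and
# all counts are made up. A ':0' line mimics the padding entries HIBP returns when the
# 'Add-Padding: true' header is sent and must be treated as "not breached".
SAMPLE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:0\n"
    ),
}


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of SHA-1(password).

    Only the prefix ever leaves the machine; the suffix stays local for comparison.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a 'SUFFIX:COUNT' body and return the breach count for suffix (0 if absent)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix.upper():
            count = count.strip()
            return int(count) if count.isdigit() else 0
    return 0


def fetch_range_offline(prefix: str) -> str:
    """Fetcher backed by the constructed SAMPLE_RANGES (unknown prefixes return no lines)."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def fetch_range_online(prefix: str, timeout: float = 10.0) -> str:
    """Fetcher that queries the real HIBP range API (network access required)."""
    req = urllib.request.Request(
        API_BASE + prefix.upper(),
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch_range: Callable[[str], str] = fetch_range_offline) -> int:
    """Return how many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return count_in_range(fetch_range(prefix), suffix)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample data'}")
```

Swap `fetch_range_online` in for the default fetcher to run the check against the live service; the assertion-worthy logic (hash splitting, suffix matching, ignoring padding rows) is identical either way, which is the point of keeping the parser separate from the transport.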