Proton adds security key support as an additional 2FA option – Computer – News

With TOTP, it is possible to intercept the code using a reverse proxy. This has always been the case and for a long time there have been open source packages that make this fairly easy.

If you set up a reverse proxy on, for example, pr0t0nmail.com (zeros instead of o's) that passes everything through to the real domain, you can intercept the code. Or, even easier, you don't even need the code, because you can intercept and use the session cookie.
So if you can get someone to go to pr0t0nmail.com with a phishing email, and everything goes through the proxy, you are in, because there is no TOTP "check".

Like I said, there were already open source packages available for reverse proxy phishing, which make this fairly easy for the "big players" like Facebook, Office 365, etc. But with enough knowledge, anyone can do this for almost any site using TOTP. And it got worse this year, because now there are a number of services where everything is taken care of for you. Phishing as a Service.
Any script kiddie can do this with little money and without knowing how it works. Pay money, register a domain, run a script, et voilà, a phishing site is complete and up and running with TOTP support (and other OTP mechanisms too, like push notifications on your phone).
Just read this: https://resecurity.com/b…ypass-emerged-in-dark-web
It even comes with a video tutorial with the steps for a Microsoft phishing site. The video is 4 minutes long and includes the screens that the user (the victim) sees…

U2F/FIDO protects against this because it is a client/server model. When the client (your web browser, in this case) talks to pr0t0nmail.com, it doesn't have a key for that domain, so no authentication can be done. Voilà, you don't have to worry! (Ok, a little, because the phishing site did intercept your username and password. So hopefully your password is unique….)

That's why I always use my YubiKey on any important site that supports it. And I have my important domains on Protonmail, so I'm using the YubiKey there now too. Although it still has TOTP as a backup, it's still more secure, because I only use the YubiKey, and if that doesn't work, I know something is going on.
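The difference the comment above describes, shown as an added, constructed simulation (not Proton's code, not a FIDO library, and not part of the original post): a reverse proxy on the phishing domain relays a TOTP code unchanged and the real server accepts it, while a FIDO/WebAuthn assertion is bound to the RP ID and to the origin the browser is actually on, so the same proxy gets nothing it can replay. The domains are the ones the comment names; the secret, key, challenge and timestamp are made up here, and the FIDO "signature" is an HMAC stand-in for the real ECDSA signature, since what is being demonstrated is the binding, not the signature algorithm.

```python
"""Constructed example: reverse-proxy phishing against TOTP vs. FIDO/WebAuthn.
Not Proton's code or any library's. Keys, challenge and time are made up;
the FIDO signature is an HMAC stand-in for ECDSA (binding is what matters)."""
import hashlib, hmac, json, os, struct

LEGIT_ORIGIN = "https://protonmail.com"   # the real service (from the comment)
PHISH_ORIGIN = "https://pr0t0nmail.com"   # attacker's reverse proxy (zeros for o's)
RP_ID = "protonmail.com"                  # RP ID the real site registered keys under

# ---------- TOTP, RFC 6238: HMAC-SHA1 over the 30 s counter, 6 digits ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_server_verify(secret: bytes, code: str, unix_time: int) -> bool:
    # Real servers also allow a step of clock drift; irrelevant to the attack.
    return hmac.compare_digest(totp(secret, unix_time), code)

def totp_phishing(secret: bytes, unix_time: int) -> bool:
    """Victim reads the code off the app and types it into pr0t0nmail.com.
    A 6-digit string carries nothing about the site it was typed into, so the
    proxy forwards it verbatim and the real server accepts it."""
    typed_by_victim = totp(secret, unix_time)
    relayed_by_proxy = typed_by_victim
    return totp_server_verify(secret, relayed_by_proxy, unix_time)

# ---------- FIDO2 / WebAuthn-style assertion -----------------------------------
def authenticator_assert(cred_key: bytes, rp_id: str, origin: str, challenge: str):
    """Browser writes the origin it is really on into clientDataJSON; the
    authenticator puts sha256(rpId) in authenticatorData and signs over both."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()   # stand-in for ECDSA
    return client_data, auth_data, sig

def browser_get(credentials: dict, page_origin: str, rp_id: str, challenge: str):
    """navigator.credentials.get(): the requested rpId must be the page's host or
    a registrable suffix of it, and the authenticator must hold a key for it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId does not match page origin")
    if rp_id not in credentials:
        raise LookupError("authenticator has no credential for this RP ID")
    return authenticator_assert(credentials[rp_id], rp_id, page_origin, challenge)

def rp_verify(cred_key: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """Server side: the legit RP checks challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:                              # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():    # RP ID binding
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), sig)

def fido_login(credentials: dict, cred_key: bytes, page_origin: str, challenge: str) -> bool:
    """The challenge comes from the real server and a proxy can relay it, but the
    browser only signs for the origin the user is looking at. The proxy's page can
    ask for either RP ID: the real one is refused by the browser, its own has no key."""
    for rp_id in (RP_ID, page_origin.split("://", 1)[1]):
        try:
            cd, ad, sig = browser_get(credentials, page_origin, rp_id, challenge)
        except (PermissionError, LookupError):
            continue
        return rp_verify(cred_key, challenge, cd, ad, sig)
    return False

def fido_forged_origin(cred_key: bytes, challenge: str) -> bool:
    """Even if a broken client signed with the real RP ID from the phishing page,
    the origin inside clientDataJSON is still pr0t0nmail.com and the RP rejects it."""
    cd, ad, sig = authenticator_assert(cred_key, RP_ID, PHISH_ORIGIN, challenge)
    return rp_verify(cred_key, challenge, cd, ad, sig)

if __name__ == "__main__":
    secret = b"12345678901234567890"       # RFC 6238 test secret, made-up key below
    key = os.urandom(32)
    creds = {RP_ID: key}                   # security key enrolled at protonmail.com
    ch = os.urandom(16).hex()
    print("TOTP via proxy accepted:      ", totp_phishing(secret, 59))
    print("FIDO from real site accepted: ", fido_login(creds, key, LEGIT_ORIGIN, ch))
    print("FIDO via proxy accepted:      ", fido_login(creds, key, PHISH_ORIGIN, ch))
    print("FIDO forged-origin accepted:  ", fido_forged_origin(key, ch))
```

The three FIDO checks are layered on purpose: the browser's rpId rule stops the proxy's page from even asking the key to sign for protonmail.com, the authenticator has no credential scoped to pr0t0nmail.com, and the server's origin check catches anything that slipped past both. The TOTP path has none of these, which is why the proxy needs no understanding of the code at all (and, as the comment notes, can equally just take the session cookie).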

Derek Atkinson
