(blog.singleton.io)

274 points alexmolas | 1 comments | 26 Jul 24 19:20 UTC | HN request time: 0s | source

Show context

guenthert ◴[27 Jul 24 07:31 UTC] No.41085020[source]▶

> To add the secret to the watchface code, you need to convert it to hexadecimal bytes. This cryptii.com page will allow you to do that conversion. Note you’ll have to enter your TOTP secret in uppercase.

I wouldn't be comfortable entering my TOTP secret into a random web page. In Linux (Ubuntu here, probably other distributions as well) you might have the `base32` and `od` tools already installed (package 'coreutils').

Otherwise the project is awesome (just the watch is fugly :))

replies(4): >>41085069 #>>41085463 #>>41087879 #>>41088189 #

alright2565 ◴[27 Jul 24 17:02 UTC] No.41087879[source]▶

>>41085020 #

This is why I keep uMatrix around still

https://i.imgur.com/9MYqLvj.png

I can quickly disable XHR to confirm websites don't do anything server-side when I don't expect them to.

replies(1): >>41088028 #

BHSPitMonkey ◴[27 Jul 24 17:27 UTC] No.41088028[source]▶

>>41087879 #

You'd really need to block fetch(), websockets, WebRTC, all external images/stylesheets/scripts added to the DOM later, and service workers (to prevent the upload from just being deferred). It's not easy to make sure a web page can't phone home.

replies(2): >>41089617 #>>41090755 #

1. KTibow ◴[27 Jul 24 21:58 UTC] No.41089617{3}[source]▶

>>41088028 #

Throttling inside of Devtools should do all of those.

↑

TOTP tokens on my wrist with the smartest dumb watch