What's the threat model where not storing them all at once provides any benefit? If someone has admin it's already game over. Can just hook the browser to retrieve all passwords on demand.
If passwords are fetched remotely on-demand, you steal the account API key from memory. If they're encrypted, you steal the master password or decryption key. ... So what's your solution?
> What if this is not about closing off an API. Maintaining a stable API is difficult That's why any sane software uses a stable public API and an internal one that can be closed off or has breaking changes all the…
I wouldn't call it more or less secure. You're just on your own and should expect this (internal) API to have breaking changes at any time.
> Right now, the printer's local MQTT server can only be accessed from the local IP using an 8 digit password obtained through through the physical display. The problem is hackers don't need to play by the rules…
Everything was sent in plaintext early on. But since 2022/2023 it's TLS: https://wiki.bambulab.com/en/security-incidents-cloud-traffi...
ppl always get caught up on the x509. They're actually a good thing and are absolutely necessary to prevent mitm since they use self-signed certs. BambuStudio also works that way. The issue is introducing further…
> Username/password over TLS would do that better than what Bambu Lab is proposing Already works that way and isn't affected by this update: https://wiki.bambulab.com/en/security-incidents-cloud-traffi...,…
- what the key is used for: signing critical operations, most notably print and gcode commands: https://git.devminer.xyz/archive/bambu-connect/src/commit/47..., list of known MQTT commands:…
What's the threat model where not storing them all at once provides any benefit? If someone has admin it's already game over. Can just hook the browser to retrieve all passwords on demand.
If passwords are fetched remotely on-demand, you steal the account API key from memory. If they're encrypted, you steal the master password or decryption key. ... So what's your solution?
> What if this is not about closing off an API. Maintaining a stable API is difficult That's why any sane software uses a stable public API and an internal one that can be closed off or has breaking changes all the…
I wouldn't call it more or less secure. You're just on your own and should expect this (internal) API to have breaking changes at any time.
> Right now, the printer's local MQTT server can only be accessed from the local IP using an 8 digit password obtained through through the physical display. The problem is hackers don't need to play by the rules…
Everything was sent in plaintext early on. But since 2022/2023 it's TLS: https://wiki.bambulab.com/en/security-incidents-cloud-traffi...
ppl always get caught up on the x509. They're actually a good thing and are absolutely necessary to prevent mitm since they use self-signed certs. BambuStudio also works that way. The issue is introducing further…
> Username/password over TLS would do that better than what Bambu Lab is proposing Already works that way and isn't affected by this update: https://wiki.bambulab.com/en/security-incidents-cloud-traffi...,…
- what the key is used for: signing critical operations, most notably print and gcode commands: https://git.devminer.xyz/archive/bambu-connect/src/commit/47..., list of known MQTT commands:…