nanog mailing list archives
Re: gmail security is a joke
From: Mark Andrews <marka () isc org>
Date: Wed, 27 May 2015 10:36:34 +1000
In message <20150526161151.GA14841 () pob ytti fi>, Saku Ytti writes:
> On (2015-05-26 17:44 +0200), Owen DeLong wrote:
>
> Hey,
>
> > I think opt-out of password recovery choices on a line-item basis is not a
> > bad concept.
>
> This sounds reasonable. At least then you could decide which balance of
> risk/convenience fits their use-case for a given service.
>
> > OTOH, recovery by receiving a token at a previously registered alternate
> > e-mail address seems relatively secure to me and I wouldn't want to opt out
> > of that.
>
> It's probably machine sent in seconds or minutes after the request, so doing
> a short-lived BGP hijack of the MX might be a reasonably easy way to get the
> email.
Which is easily prevented by authenticating the MX when connecting.
Something which has been recommended practice for as long as SMTP has
existed. HELO provided weak authentication. We now know, and have
documented, how to do this securely on a global scale; we just need to do
it. See draft-ietf-dane-smtp-with-dane.

You have added the TLSA records for your MTA and signed your zones? You
have updated your MTA to support DANE?

[ Need to nag ops to add TLSA records for the MXs. We have them for
www.isc.org. ]

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
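As an added example (not code from Mark's message, from ISC, or from the draft), the Python below shows what "add TLSA records for your MTA" and "update your MTA to support DANE" mean at the byte level: the publish side derives the `_25._tcp.<mx>` TLSA record from the MX's certificate (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256 is the common choice), and the client side checks the certificate a connecting SMTP client is actually shown against that record set, so an MX reached via a hijacked prefix that presents a different certificate is rejected instead of receiving the recovery token. The hostname `mx.example.net` is a placeholder, and the certificates are constructed minimal DER blobs with fake RSA keys so the SubjectPublicKeyInfo walk can run offline; nothing here does DNS, and the record is only trustworthy when the zone is DNSSEC-signed and the resolver validates, which is the "signed your zones" half of the question.

```python
"""DANE TLSA for an MX: publish-side record derivation and client-side check.

Added example, not code from the original thread or from ISC.  The certificate
is a CONSTRUCTED minimal DER Certificate with a fake RSA key so that the SPKI
walk runs offline; a real deployment hashes the MX's actual certificate.
"""
import hashlib
from dataclasses import dataclass

OID_RSA = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_children(body: bytes) -> list[tuple[int, bytes, bytes]]:
    """Split a DER byte string into (tag, value, whole_tlv) triples."""
    out, i = [], 0
    while i < len(body):
        start, tag, ln = i, body[i], body[i + 1]
        i += 2
        if ln & 0x80:                        # long form: (ln & 0x7F) length bytes follow
            nbytes = ln & 0x7F
            ln = int.from_bytes(body[i:i + nbytes], "big")
            i += nbytes
        out.append((tag, body[i:i + ln], body[start:i + ln]))
        i += ln
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 Certificate (TLSA selector 1)."""
    certificate = der_children(cert_der)[0]                        # outer SEQUENCE
    tbs_fields = der_children(der_children(certificate[1])[0][1])  # tbsCertificate fields
    if tbs_fields[0][0] == 0xA0:                                   # optional EXPLICIT [0] version
        tbs_fields = tbs_fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return tbs_fields[5][2]


def constructed_cert(seed: bytes) -> bytes:
    """CONSTRUCTED, unsigned v3 Certificate whose key is derived from `seed` (not a real key)."""
    modulus = int.from_bytes(hashlib.sha512(seed).digest(), "big")
    rsa_key = der(0x30, der(0x02, modulus.to_bytes(65, "big")) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, OID_RSA + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    empty_name, sig_alg = der(0x30, b""), der(0x30, OID_SHA256_RSA + der(0x05, b""))
    validity = der(0x30, der(0x17, b"150527000000Z") + der(0x17, b"160527000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 17))     # placeholder signature


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes

    @classmethod
    def from_text(cls, rdata: str) -> "TLSA":
        usage, selector, mtype, *hexparts = rdata.split()   # zone files may split the hex
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

    def to_text(self) -> str:
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"


def tlsa_owner(mx_host: str, port: int = 25) -> str:
    """Owner name the SMTP client queries: _25._tcp.<MX hostname>."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data for the given selector and matching type."""
    blob = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype]
    return digest(blob)


def tlsa_for_mx(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """Publish side: the record for the MX's certificate; 3 1 1 is the usual choice."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))


def mx_authenticated(rrset: list[TLSA], presented_cert_der: bytes) -> bool:
    """Client side: does the certificate the MX presented match a usable DANE-EE record?

    Only DANE-EE(3) is handled; DANE-TA(2) needs the issuer chain.  PKIX usages 0/1
    are unusable for SMTP and skipped, as are unknown selectors/matching types.  No
    match means the delivery must fail rather than fall back to cleartext.
    """
    for rr in rrset:
        if rr.usage != 3 or rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
            continue
        if association_data(presented_cert_der, rr.selector, rr.mtype) == rr.data:
            return True
    return False


LEGIT_CERT = constructed_cert(b"constructed: mx.example.net key")   # what the real MX presents
HIJACKER_CERT = constructed_cert(b"constructed: attacker key")      # what a hijacked MX presents

if __name__ == "__main__":
    rr = tlsa_for_mx(LEGIT_CERT)
    print(f"{tlsa_owner('mx.example.net')} IN TLSA {rr.to_text()}")
    print("legit MX   :", mx_authenticated([rr], LEGIT_CERT))
    print("hijacked MX:", mx_authenticated([rr], HIJACKER_CERT))
```

The hijacker in Saku's scenario controls the route to the MX's address, not the MX's private key, so the certificate it can present never hashes to the published association data and the client must abort rather than deliver the token in the clear. Publishing a selector 1 (SPKI) record rather than selector 0 lets the operator renew the certificate without touching DNS as long as the key is kept; when the key does change, the new record has to be published and propagated before the old certificate is retired or remote MTAs will start bouncing mail.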
Current thread:
- Re: gmail security is a joke, (continued)
- Re: gmail security is a joke Peter Beckman (May 27)
- RE: gmail security is a joke John Souvestre (May 27)
- Re: gmail security is a joke Jimmy Hess (May 27)
- Password storage (was Re: gmail security is a joke) Robert Kisteleki (May 28)
- Re: Password storage (was Re: gmail security is a joke) Christopher Morrow (May 28)
- Re: Password storage (was Re: gmail security is a joke) shawn wilson (May 28)
- Re: Password storage (was Re: gmail security is a joke) Michael Thomas (May 28)
- Re: gmail security is a joke Saku Ytti (May 26)
- Re: gmail security is a joke Valdis . Kletnieks (May 26)
- Re: gmail security is a joke Christopher Morrow (May 26)
- Re: gmail security is a joke Mark Andrews (May 26)
- Re: gmail security is a joke Owen DeLong (May 27)
- Re: gmail security is a joke Joe Abley (May 27)
- Re: gmail security is a joke Saku Ytti (May 27)
- Re: gmail security is a joke Joel Maslak (May 27)
- Re: gmail security is a joke Rafael Possamai (May 27)
- Re: gmail security is a joke Jimmy Hess (May 29)
- Re: gmail security is a joke Valdis . Kletnieks (May 27)
- Re: gmail security is a joke Octavio Alvarez (May 28)
- Re: gmail security is a joke Blair Trosper (May 28)
- Re: gmail security is a joke William Herrin (May 28)