Re: mail admins?

[William Herrin <bill () herrin us>]

On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <mike () mtcc com> wrote:
> If you want an actual verifiable current day problem which is a clear
> and present danger, you should be running as fast as you can to retrofit
> every piece of web technology with webauthn to get rid of over the wire
> passwords.
>
> I think I posted about this before and got a collective ho-hum.

Yeah, it came up last week on an ARIN group and I called it "flavor of
the month." It does some interesting things on a strictly technical
level but it's a solution in search of a problem. You're not at
significant risk that your password will be captured from inside an
encrypted channel and that's all webauthn adds to other widely
deployed technologies that also haven't caught on.


> that is infinitely more serious than some age-old js
> breaches. and it is especially critical for the equipment that nanog
> members run every day to configure, monitor, and manage. Ironically, it
> requires... javascript browser-side.

You think sending encrypted passwords over the wire is more of a
problem than intentionally allowing untrusted code to run on the same
machine that contains personally sensitive information? Really? Do you
understand that when malicious code gains a sufficient foothold on
your computer, webauthn protects exactly squat?

Regards,
Bill Herrin



--
William Herrin
bill () herrin us
https://bill.herrin.us/