nanog mailing list archives
Re: mail admins?
From: Raymond Burkholder <ray () oneunified net>
Date: Thu, 23 Apr 2020 20:57:22 -0600
On 2020-04-23 7:31 p.m., Michael Thomas wrote:
> On 4/23/20 6:20 PM, William Herrin wrote:
>> On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <mike () mtcc com> wrote:
>>> Passwords over the wire are the *key* problem of computer security. Nothing else even comes close. One only needs to look at the LinkedIn salting problem to know how trivial it is to exploit password reuse. They are a big company and they still absolutely failed. There are a trillion smaller sites who are just as vulnerable, and all it takes is one.
>>
>> You think sending encrypted passwords over the wire is more of a problem than intentionally allowing untrusted code to run on the same machine that contains personally sensitive information? Really? Do you understand that when malicious code gains a sufficient foothold on your computer, webauthn protects exactly squat?
>
> Um, they are not encrypted. They are plain text after TLS unencrypts them. That is their Achilles heel.

The ironic catch-22 is that libsodium.js runs in the browser to encrypt the passwords before being sent over the wire. But it happens to be JavaScript.