nanog mailing list archives

Re: gmail security is a joke


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 26 May 2015 14:23:05 -0400

On Tue, May 26, 2015 at 2:15 PM,  <Valdis.Kletnieks () vt edu> wrote:
> On Tue, 26 May 2015 19:11:51 +0300, Saku Ytti said:
>
> > > OTOH, recovery by receiving a token at a previously registered alternate email address
> > > seems relatively secure to me and I wouldn't want to opt out of that.
> >
> > It's probably machine sent in seconds or minutes after the request, so doing a
> > short-lived BGP hijack of the MX might be a reasonably easy way to get the email.
>
> To be fair, if your e-mail address is high enough value that somebody is
> willing to risk getting caught doing a BGP hijack, maybe you have bigger
> problems to worry about.


I suppose the meta of this whole conversation is for the OP:
 "Sure, there are issues with just about every account-recovery setup
out there. Where you have X-hundreds of millions of 'not nanog' level
users interacting and needing passwd recovery to work reliably and
somewhat securely, how would you accomplish this?"

Tossing grenades into the crowded room is cool and all, but ... you
clearly have some thoughts about options/improvements/etc.; you might
get more useful traction by proposing them.

