[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
mail admins?
- Subject: mail admins?
- From: mike at mtcc.com (Michael Thomas)
- Date: Thu, 23 Apr 2020 19:56:30 -0700
- In-reply-to: <CAP-guGWo=cDeVfoAwBnL9u=ZXxObZMpcaQoODu3a=qLXPoQDZA@mail.gmail.com>
- References: <[email protected]> <CAP-guGUUXo8oJonyDgMKJ6xAcSf2k=mnK-eshH0SRS9PkYSPzg@mail.gmail.com> <[email protected]> <CAP-guGWo=cDeVfoAwBnL9u=ZXxObZMpcaQoODu3a=qLXPoQDZA@mail.gmail.com>
On 4/23/20 6:20 PM, William Herrin wrote:
> On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <mike at mtcc.com> wrote:
>> If you want an actual verifiable current day problem which is a clear
>> and present danger, you should be running as fast as you can to retrofit
>> every piece of web technology with webauthn to get rid of over the wire
>> passwords.
>>
>> I think I posted about this before and got a collective ho-hum.
> Yeah, it came up last week on an ARIN group and I called it "flavor of
> the month." It does some interesting things on a strictly technical
> level but it's a solution in search of a problem. You're not at
> significant risk that your password will be captured from inside an
> encrypted channel and that's all webauthn adds to other widely
> deployed technologies that also haven't caught on.
>
PS: you clearly lack imagination. password reuse is the default.
$SHINYNEWSITE has only to entice you to enter your reused password which
comes out in the clear on the other side of that TLS connection.Â
basically password phishing. you can whine all you like about how stupid
they are, but you know what... that is what they average person does.
that is reality. js exploits do not hold a candle to that problem.
Mike