mail admins?
- Subject: mail admins?
- From: ray at oneunified.net (Raymond Burkholder)
- Date: Thu, 23 Apr 2020 20:57:22 -0600
- In-reply-to: <[email protected]>
- References: <[email protected]> <CAP-guGUUXo8oJonyDgMKJ6xAcSf2k=mnK-eshH0SRS9PkYSPzg@mail.gmail.com> <[email protected]> <CAP-guGWo=cDeVfoAwBnL9u=ZXxObZMpcaQoODu3a=qLXPoQDZA@mail.gmail.com> <[email protected]>
On 2020-04-23 7:31 p.m., Michael Thomas wrote:
> On 4/23/20 6:20 PM, William Herrin wrote:
>> On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <mike at mtcc.com> wrote:
> Passwords over the wire are the *key* problem of computer security.
> Nothing else even comes close. One only needs to look at the LinkedIn
> salting problem to know how trivial it is to exploit password reuse.
> They are a big company and they still absolutely failed. There are a
> trillion smaller sites who are just as vulnerable, and all it takes is
> one.
>> You think sending encrypted passwords over the wire is more of a
>> problem than intentionally allowing untrusted code to run on the same
>> machine that contains personally sensitive information? Really? Do you
>> understand that when malicious code gains a sufficient foothold on
>> your computer, webauthn protects exactly squat?
>
> Um, they are not encrypted. They are plain text after TLS unencrypts
> them. That is their Achilles Heel.
>
The ironic catch 22 is that libsodium.js runs in the browser to encrypt
the passwords before being sent over the wire. But it happens to be
JavaScript.