[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

mail admins?

Subject: mail admins?
From: bill at herrin.us (William Herrin)
Date: Mon, 27 Apr 2020 08:35:28 -0700
In-reply-to: <[email protected]>
References: <[email protected]> <CAP-guGUUXo8oJonyDgMKJ6xAcSf2k=mnK-eshH0SRS9PkYSPzg@mail.gmail.com> <[email protected]> <CAP-guGWo=cDeVfoAwBnL9u=ZXxObZMpcaQoODu3a=qLXPoQDZA@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]>

On Mon, Apr 27, 2020 at 7:14 AM Michael Thomas <mike at mtcc.com> wrote:
> On 4/26/20 8:39 PM, Matt Palmer wrote:
> > On Sun, Apr 26, 2020 at 05:10:56PM -0700, Michael Thomas wrote:
> >> Which exactly zero deployment. And you need to store the plain-text password
> >> on the server side. What could possibly go wrong?
> > But you said that *passwords on the wire* were the biggest problem.  Digest
> > auth solves that.  Also, you don't have to store the plain-text password.

Correct. You need only store the realm/user/password digest. The chief
problem with digest authentication is that the web site has no control
over the UI. Among the many issues, this makes it tricky to reliably
capture a digest in the first place without the server at least
briefly knowing the password. I don't know if webauthn corrects this
or makes similar blunders.

> You clearly know everything, while Steven, Paul, myself and the
> collective wisdom of w3c know nothing, so I'm out.

Respectfully, if you didn't know that http digest authentication
doesn't require server-side password storage, and more importantly
don't simply admit it now that you've been informed, how trustworthy
can your understanding of web authentication be?

I can't speak to Steven, Paul, the w3c or any other non-posters to
this thread that you wish to employ in an appeal to authority fallacy
but with due respect, I think you hold a myopic view of network
security. For better or worse, security is a zero-sum game. The budget
stays proportional to the value of the asset being protected. When you
spend it on low-impact improvements you don't have it for the many
improvements with a higher impact than whether a web site knows the
password you chose for that web site.

Regards,
Bill Herrin

-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/

Follow-Ups:
- mail admins?
  - From: mike at mtcc.com (Michael Thomas)

References:
- mail admins?
  - From: surfer at mauigateway.com (Scott Weeks)
- mail admins?
  - From: bill at herrin.us (William Herrin)
- mail admins?
  - From: mike at mtcc.com (Michael Thomas)
- mail admins?
  - From: bill at herrin.us (William Herrin)
- mail admins?
  - From: mike at mtcc.com (Michael Thomas)
- mail admins?
  - From: rsk at gsp.org (Rich Kulawiec)
- mail admins?
  - From: mike at mtcc.com (Michael Thomas)
- mail admins?
  - From: mpalmer at hezmatt.org (Matt Palmer)
- mail admins?
  - From: mike at mtcc.com (Michael Thomas)
- mail admins?
  - From: mpalmer at hezmatt.org (Matt Palmer)
- mail admins?
  - From: mike at mtcc.com (Michael Thomas)

Prev by Date: Phishing and telemarketing telephone calls
Next by Date: Phishing and telemarketing telephone calls
Previous by thread: mail admins?
Next by thread: mail admins?
Index(es):
- Date
- Thread