nanog mailing list archives

Re: mail admins?

From: Michael Thomas <mike () mtcc com>
Date: Thu, 23 Apr 2020 18:31:04 -0700


On 4/23/20 6:20 PM, William Herrin wrote:

On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <mike () mtcc com> wrote:

If you want an actual verifiable current day problem which is a clear
and present danger, you should be running as fast as you can to retrofit
every piece of web technology with webauthn to get rid of over the wire
passwords.

I think I posted about this before and got a collective ho-hum.

Yeah, it came up last week on an ARIN group and I called it "flavor of
the month." It does some interesting things on a strictly technical
level but it's a solution in search of a problem. You're not at
significant risk that your password will be captured from inside an
encrypted channel and that's all webauthn adds to other widely
deployed technologies that also haven't caught on.

Passwords over the wire are the *key* problem of computer security.Nothing else even comes close. One only needs to look at the LinkedInsalting problem to know how trivial it is to exploit password reuse.They are a big company and they still absolutely failed. There are atrillion smaller sites who are just as vulnerable, and all it takes is one.

that is infinitely more serious than some age-old js
breaches. and it is especially critical for the equipment that nanog
members run every day to configure, monitor, and manage. Ironically, it
requires... javascript browser-side.

You think sending encrypted passwords over the wire is more of a
problem than intentionally allowing untrusted code to run on the same
machine that contains personally sensitive information? Really? Do you
understand that when malicious code gains a sufficient foothold on
your computer, webauthn protects exactly squat?

Um, they are not encrypted. The are plain text after TLS unencryptsthem. That is their Achilles Heal.

Yes, that is way more of a problem than code running in a sandbox. Theone -- mischief. The other -- buh-bye retirement savings.


Please, get a clue.

Mike

Current thread:

Re: mail admins?, (continued)
- - - Re: mail admins? Matt Palmer (Apr 23)
    - Re: mail admins? Michael Thomas (Apr 23)
- Re: mail admins? Scott Weeks (Apr 23)
  - Re: mail admins? Michael Thomas (Apr 23)
- Re: mail admins? Scott Weeks (Apr 23)
  - Re: mail admins? Michael Thomas (Apr 23)
    - Re: mail admins? Matt Palmer (Apr 23)
  - Re: mail admins? William Herrin (Apr 23)
    - Re: mail admins? Michael Thomas (Apr 23)
    - Re: mail admins? William Herrin (Apr 23)
    - Re: mail admins? Michael Thomas (Apr 23)
    - Re: mail admins? Matt Palmer (Apr 23)
    - Re: mail admins? Michael Thomas (Apr 23)
    - Re: mail admins? Matt Palmer (Apr 23)
    - Re: mail admins? Michael Thomas (Apr 24)
    - Re: mail admins? Bryan Holloway (Apr 24)
    - Re: mail admins? Michael Thomas (Apr 24)
    - Re: mail admins? Raymond Burkholder (Apr 23)
    - Re: mail admins? Michael Thomas (Apr 23)
    - Re: mail admins? Rich Kulawiec (Apr 26)
    - Re: mail admins? Michael Thomas (Apr 26)

(Thread continues...)