On 2020-04-23 7:31 p.m., Michael Thomas wrote:
On 4/23/20 6:20 PM, William Herrin wrote:
On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <mike@mtcc.com> wrote: Passwords over the wire are the *key* problem of computer security. Nothing else even comes close. One only needs to look at the LinkedIn salting problem to know how trivial it is to exploit password reuse. They are a big company and they still absolutely failed. There are a trillion smaller sites who are just as vulnerable, and all it takes is one.
You think sending encrypted passwords over the wire is more of a problem than intentionally allowing untrusted code to run on the same machine that contains personally sensitive information? Really? Do you understand that when malicious code gains a sufficient foothold on your computer, WebAuthn protects exactly squat?
Um, they are not encrypted. They are plain text after TLS decrypts them. That is their Achilles heel.
The ironic catch-22 is that libsodium.js runs in the browser to encrypt the passwords before they are sent over the wire. But it happens to be JavaScript.
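Two points in this exchange are easy to demonstrate concretely: why an unsalted hash table (the LinkedIn problem mentioned above) exposes password reuse, and what browser-side pre-hashing of the kind libsodium.js is used for does and does not buy you. The following is an added example written for this thread, not code from any of the posters or from libsodium.js; the user names, passwords, site names and PBKDF2 round count are constructed for illustration, and PBKDF2 stands in for whatever KDF a real deployment would choose.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential list (not real accounts); two users reuse a password.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "hunter2",
}

PBKDF2_ROUNDS = 100_000  # illustrative value; tune to current guidance and hardware


def unsalted_sha1(password: str) -> str:
    """The weak storage pattern: one bare hash of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def find_shared_unsalted(users: dict) -> dict:
    """Group users by their bare hash. Any group larger than one shows whoever
    holds the table that those users share a password, and recovering one
    digest opens every account in the group. Salting removes this property."""
    groups = {}
    for name, pw in users.items():
        groups.setdefault(unsalted_sha1(pw), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Server-side storage done properly: a random per-user salt and a slow KDF,
    so equal passwords produce different records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(record["digest"], recomputed)


def client_side_key(password: str, site: str) -> str:
    """Model of browser-side pre-hashing (the idea behind running libsodium.js
    in the page). Salting with the site name yields a distinct value per site,
    so the raw password never crosses the wire and a leak at one site is not
    the raw password for another. Caveat: for this site the derived value *is*
    the credential, so the server must still salt-and-hash it with make_record;
    pre-hashing replaces nothing on the server side."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), site.encode("utf-8"), PBKDF2_ROUNDS
    ).hex()


if __name__ == "__main__":
    print("reuse visible in unsalted table:", find_shared_unsalted(SAMPLE_USERS))
    rec = make_record("hunter2")
    print("second salted record for same password differs:",
          make_record("hunter2")["digest"] != rec["digest"])
    print("verify correct:", verify(rec, "hunter2"), "verify wrong:", verify(rec, "hunter3"))
    print("per-site client key differs:",
          client_side_key("hunter2", "a.example") != client_side_key("hunter2", "b.example"))
```

Run as a script it prints the four checks; the unsalted table groups alice and bob together, the salted records for the same password never collide, and the same password yields a different client-side value for each site. The practical reading of the thread's disagreement is visible in the last function's docstring: pre-hashing in the browser narrows what an eavesdropper or a logging proxy sees after TLS termination, but it does not change what the server has to do with the value it receives.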