On 4/23/20 6:20 PM, William Herrin wrote:
If you want an actual verifiable current day problem which is a clear and present danger, you should be running as fast as you can to retrofit every piece of web technology with webauthn to get rid of over the wire passwords.
I think I posted about this before and got a collective ho-hum. Yeah, it came up last week on an ARIN group and I called it "flavor of
On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <mike@mtcc.com> wrote: the month." It does some interesting things on a strictly technical level but it's a solution in search of a problem. You're not at significant risk that your password will be captured from inside an encrypted channel and that's all webauthn adds to other widely deployed technologies that also haven't caught on.
PS: you clearly lack imagination. password reuse is the default. $SHINYNEWSITE has only to entice you to enter your reused password which comes out in the clear on the other side of that TLS connection. basically password phishing. you can whine all you like about how stupid they are, but you know what... that is what they average person does. that is reality. js exploits do not hold a candle to that problem. Mike