On 4/23/20 6:20 PM, William Herrin wrote:
If you want an actual verifiable current day problem which is a clear and present danger, you should be running as fast as you can to retrofit every piece of web technology with webauthn to get rid of over the wire passwords.
I think I posted about this before and got a collective ho-hum. Yeah, it came up last week on an ARIN group and I called it "flavor of
On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <mike@mtcc.com> wrote: the month." It does some interesting things on a strictly technical level but it's a solution in search of a problem. You're not at significant risk that your password will be captured from inside an encrypted channel and that's all webauthn adds to other widely deployed technologies that also haven't caught on.
Passwords over the wire are the *key* problem of computer security. Nothing else even comes close. One only needs to look at the LinkedIn salting problem to know how trivial it is to exploit password reuse. They are a big company and they still absolutely failed. There are a trillion smaller sites who are just as vulnerable, and all it takes is one.
that is infinitely more serious than some age-old js breaches. and it is especially critical for the equipment that nanog members run every day to configure, monitor, and manage. Ironically, it requires... javascript browser-side. You think sending encrypted passwords over the wire is more of a problem than intentionally allowing untrusted code to run on the same machine that contains personally sensitive information? Really? Do you understand that when malicious code gains a sufficient foothold on your computer, webauthn protects exactly squat?
Um, they are not encrypted. The are plain text after TLS unencrypts them. That is their Achilles Heal. Yes, that is way more of a problem than code running in a sandbox. The one -- mischief. The other -- buh-bye retirement savings. Please, get a clue. Mike