On 4/23/20 6:20 PM, William Herrin wrote:
On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <m...@mtcc.com> wrote:
If you want an actual verifiable current day problem which is a clear
and present danger, you should be running as fast as you can to retrofit
every piece of web technology with webauthn to get rid of over the wire
passwords.
I think I posted about this before and got a collective ho-hum.
Yeah, it came up last week on an ARIN group and I called it "flavor of
the month." It does some interesting things on a strictly technical
level but it's a solution in search of a problem. You're not at
significant risk that your password will be captured from inside an
encrypted channel and that's all webauthn adds to other widely
deployed technologies that also haven't caught on.
Passwords over the wire are the *key* problem of computer security.
Nothing else even comes close. One only needs to look at the LinkedIn
salting problem to know how trivial it is to exploit password reuse.
They are a big company and they still absolutely failed. There are a
trillion smaller sites who are just as vulnerable, and all it takes is one.
that is infinitely more serious than some age-old js
breaches. and it is especially critical for the equipment that nanog
members run every day to configure, monitor, and manage. Ironically, it
requires... javascript browser-side.
You think sending encrypted passwords over the wire is more of a
problem than intentionally allowing untrusted code to run on the same
machine that contains personally sensitive information? Really? Do you
understand that when malicious code gains a sufficient foothold on
your computer, webauthn protects exactly squat?
Um, they are not encrypted. The are plain text after TLS unencrypts
them. That is their Achilles Heal.
Yes, that is way more of a problem than code running in a sandbox. The
one -- mischief. The other -- buh-bye retirement savings.
Please, get a clue.
Mike
