> From: David Lang [mailto:da...@lang.hm]
>
> So this requires that every website change their authentication to use
> CBcrypt?
> and that you generate a unique public key pair for each site (otherwise your
> secret key could be used to get you into multiple sites)
Never mind. You obviously have
DL> Any security improvement that starts with "if all the websites
DL> implement my authentication mechanism" is doomed to failure. You just
DL> aren't going to get everyone to change like that.
I've only been sort of following this thread, but my impression is that
CBcrypt is advantageous to any
On Wed, 30 Apr 2014, Edward Ned Harvey (lopser) wrote:
From: David Lang [mailto:da...@lang.hm]
but what if they use different certs for the different servers?
Like I said. Match the pattern. So if you have a server with cert "foo.example.com,example.com" and another
server with cert "bar.e
On Wed, 30 Apr 2014, Edward Ned Harvey (lopser) wrote:
From: David Lang [mailto:da...@lang.hm]
This is where I disagree. With heartbleed, any single site could be compromised
just as easily, the only difference is that the password they got would not get
them into any other site.
You are stil
> From: David Lang [mailto:da...@lang.hm]
>
> but what if they use different certs for the different servers?
Like I said. Match the pattern. So if you have a server with cert
"foo.example.com,example.com" and another server with cert
"bar.example.com,example.com" and another with "whiz.examp
> From: David Lang [mailto:da...@lang.hm]
>
> This is where I disagree. With heartbleed, any single site could be compromised
> just as easily, the only difference is that the password they got would not
> get them into any other site.
You are still missing the point. Suppose you're a serve
On Wed, 30 Apr 2014, Edward Ned Harvey (lopser) wrote:
From: David Lang [mailto:da...@lang.hm]
It's not just that, it's the case where a company has multiple resources for you
to access (forums, support, mail) that legitimately live on different servers
but share an identity.
Get an SSL cert
> From: David Lang [mailto:da...@lang.hm]
>
> It's not just that, it's the case where a company has multiple resources for you
> to access (forums, support, mail) that legitimately live on different servers
> but share an identity.
Get an SSL cert that is valid for
"foo.company.com,bar.company
On Tue, 25 Mar 2014, Edward Ned Harvey (lopser) wrote:
From: Bill Bogstad [mailto:bogs...@pobox.com]
1. If one uses the full hostname for site identification then the
generated key pair for wiki.foo.com would be different than
for forums.foo.com. This seems like it could be annoying depending
> From: Phil Pennock [mailto:lopsa-t...@spodhuis.org]
>
> I could swear that one of the public password management tools already
> supported deterministic site-specific passwords,
The thing is - If you just hash & mix your password and send a generated
site-specific password to the site... Wit
On 2014-03-25 at 19:15 +, Edward Ned Harvey (lopser) wrote:
> > From: Bill Bogstad [mailto:bogs...@pobox.com]
> >
> > 1. If one uses the full hostname for site identification then the
> > generated key pair for wiki.foo.com would be different than
> > for forums.foo.com. This seems like it c
> From: Bill Bogstad [mailto:bogs...@pobox.com]
>
> 1. If one uses the full hostname for site identification then the
> generated key pair for wiki.foo.com would be different than
> for forums.foo.com. This seems like it could be annoying depending
> on how a site implements site-wide logins.
A
> From: Jonathan Nicol [mailto:jni...@backnine.org]
> Sent: Tuesday, March 25, 2014 12:59 PM
>
> Everyone, pretty-please stop double-posting to both lists.
>
> Sorry if this is somehow out-of-line, but my inbox is full enough :)
It looks like the de-facto decision has been made to move the conve
> From: Paul Graydon [mailto:p...@paulgraydon.co.uk]
>
> I'll happily confess that cryptography is a field I haven't spent much time
> looking at, and I might also be misinterpreting what you're saying, but it
> seems odd to be generating a keypair based on two pieces of publicly
> identifiable i
On Mon, Mar 24, 2014 at 10:10 PM, Edward Ned Harvey (lopser) wrote:
> If you login to servers that utilize bcrypt, scrypt, pbkdf2, etc, to salt &
> stretch your password for storage in a backend database, then you are
> vulnerable to phishing attacks, and cross-site attacks if you repeat
> passwor
How does this compare to Steve Gibson's SQRL?
On Mar 24, 2014, at 9:10 PM, "Edward Ned Harvey (lopser)" <lop...@nedharvey.com> wrote:
If you login to servers that utilize bcrypt, scrypt, pbkdf2, etc, to salt
& stretch your password for storage in a backend database, then y
Everyone, pretty-please stop double-posting to both lists.
Sorry if this is somehow out-of-line, but my inbox is full enough :)
thanks,
Jonathan
On Tue, Mar 25, 2014 at 10:58:32AM +, Edward Ned Harvey (lopser) wrote:
> > From: Chase Hoffman [mailto:driftpeas...@driftpeasant.org]
> >
> > How does this compare to Steve Gibson's SQRL?
>
> Well, there's basically no similarity. They're both alternatives to sending
> your password to a s
> From: Chase Hoffman [mailto:driftpeas...@driftpeasant.org]
>
> How does this compare to Steve Gibson's SQRL?
Well, there's basically no similarity. They're both alternatives to sending
your password to a server, and the similarity ends there.
In CBcrypt, the servername, username, and passwor