> From: Atom Powers [mailto:atom.pow...@gmail.com]
> 
> Employees of "the company" already have access to all your information.

Depends on the company. For example, you would never assume the employees of a 
password manager could access your stuff. That would be insane!

For a file sharing service - such as Dropbox - they don't need access to your 
stuff in order to share and sync it. Unless they're processing your information 
for you in a way that you find valuable, there's no need to give them access to 
your stuff in order to share it and sync it with other people of your choosing. 
> If a malicious actor can plant a DLL that captures passwords, they could plant
> a DLL that captures session data and any data that you send to/from the service.

Which is why it's valuable to have it all encrypted before sending to/from the 
service, using passwords and keys that the service can't ever access.
> I am all for increased security, but I'm having a hard time finding the value
> in this. It could mitigate password re-use, a password compromised in one
> place used to exploit an account in another place, but using service-specific
> passwords already does that.

For one (see the Third Party Doctrine), even if there are no bad actors in your 
services and they never get hacked, you waive your legal right to privacy by 
voluntarily exposing your information to any third party. That means it's 
completely legal for the government to search and seize everyone's information, 
without a warrant or probable cause.

For two, it's not just the authentication that should be encrypted without 
exposure to the service provider. The data itself should be encrypted, unless 
the service provider is doing meaningful processing that you value and 
therefore choose to grant them access in order to do that processing.
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/