LinkedIn password database compromised
Randy Bush
randy at psg.com
Wed Jun 20 23:33:47 UTC 2012
> The fact that it is symmetric leads to the problem.
>
> Even if the attacker had fully compromised the server end they get
> nothing. There's no replay attack. No shared secret they can use to log
> into another web site. Zero value.

with per-site passphrases there is no cross-site threat. there is
replay, as you point out.

would be interested to hear smb on this.

> Yep. Don't get me wrong, there's an RFC or two here, a few pages of
> code in web servers and browsers. I am not asserting this is a trivial
> change that could be made by one guy in a few minutes. However, I am
> suggesting this is an easy change that could be implemented in weeks
> not months.

did you say RFC in the same sentence as weeks? but i definitely agree
that we should be able to do better than we are now.

randy