gmail security is a joke

Saku Ytti saku at
Tue May 26 16:11:51 UTC 2015

On (2015-05-26 17:44 +0200), Owen DeLong wrote:


> I think opt-out of password recovery choices on a line-item basis is not a bad concept.

This sounds reasonable. At least then you could decide which balance of
risk/convenience fits their use-case for given service.

> OTOH, recovery by receiving a token at a previously registered alternate email address
> seems relatively secure to me and I wouldn???t want to opt out of that.

It's probably machine sent in seconds or minute after request, so doing
short-lived BGP hijack of MX might be reasonably easy way to get the email.

> Recovery by SMS to a previously registered phone likewise seems reasonably secure
> and I wouldn???t want to opt out of that, either.

I have tens of coworkers who could read my SMS.

> Really, you don???t need to strongly authenticate a particular person for these accounts.
> You need, instead, to authenticate that the person attempting recovery is reasonably
> likely to be the person who set up the account originally, whether or not they are who
> they claimed to be at that time.

As long as user has the power to choose which risks are worth carrying, I
think it's fine.
For my examples, I wouldn't care about email/SMS risk if it's
linkedin/twitter/facebook account. But if it's my domain hoster, I probably
wouldn't want to carry either risk, as the whole deck of cards collapses if
you control my domains (all email recoveries compromised)


More information about the NANOG mailing list