mail admins?

Michael Thomas mike at
Fri Apr 24 01:31:04 UTC 2020

On 4/23/20 6:20 PM, William Herrin wrote:
> On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <mike at> wrote:
>> If you want an actual verifiable current day problem which is a clear
>> and present danger, you should be running as fast as you can to retrofit
>> every piece of web technology with webauthn to get rid of over the wire
>> passwords.
>> I think I posted about this before and got a collective ho-hum.
> Yeah, it came up last week on an ARIN group and I called it "flavor of
> the month." It does some interesting things on a strictly technical
> level but it's a solution in search of a problem. You're not at
> significant risk that your password will be captured from inside an
> encrypted channel and that's all webauthn adds to other widely
> deployed technologies that also haven't caught on.

Passwords over the wire are the *key* problem of computer security. 
Nothing else even comes close. One only needs to look at the LinkedIn 
salting problem to know how trivial it is to exploit password reuse. 
They are a big company and they still absolutely failed. There are a 
trillion smaller sites who are just as vulnerable, and all it takes is one.

>> that is infinitely more serious than some age-old js
>> breaches. and it is especially critical for the equipment that nanog
>> members run every day to configure, monitor, and manage. Ironically, it
>> requires... javascript browser-side.
> You think sending encrypted passwords over the wire is more of a
> problem than intentionally allowing untrusted code to run on the same
> machine that contains personally sensitive information? Really? Do you
> understand that when malicious code gains a sufficient foothold on
> your computer, webauthn protects exactly squat?

Um, they are not encrypted. The are plain text after TLS unencrypts 
them. That is their Achilles Heal.

Yes, that is way more of a problem than code running in a sandbox. The 
one -- mischief. The other -- buh-bye retirement savings.

Please, get a clue.


More information about the NANOG mailing list