mail admins?

Raymond Burkholder ray at oneunified.net
Fri Apr 24 02:57:22 UTC 2020


On 2020-04-23 7:31 p.m., Michael Thomas wrote:
> On 4/23/20 6:20 PM, William Herrin wrote:
>> On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <mike at mtcc.com> wrote:
> Passwords over the wire are the *key* problem of computer security. 
> Nothing else even comes close. One only needs to look at the LinkedIn 
> salting problem to know how trivial it is to exploit password reuse. 
> They are a big company and they still absolutely failed. There are a 
> trillion smaller sites who are just as vulnerable, and all it takes is 
> one.
>> You think sending encrypted passwords over the wire is more of a
>> problem than intentionally allowing untrusted code to run on the same
>> machine that contains personally sensitive information? Really? Do you
>> understand that when malicious code gains a sufficient foothold on
>> your computer, webauthn protects exactly squat?
>
> Um, they are not encrypted. They are plain text after TLS decrypts 
> them. That is their Achilles heel.
>

The ironic Catch-22 is that libsodium.js runs in the browser to encrypt 
the passwords before they are sent over the wire.  But it happens to be 
JavaScript.
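As an added illustration of the two points argued above (the LinkedIn unsalted-hash failure, and the fact that the server sees the plaintext once TLS terminates), not code from anyone in this thread: the contrast between storing a bare digest and storing a per-user salted, slow-KDF record. The sample accounts and the PBKDF2 round count are constructed assumptions.

```python
import hashlib
import hmac
import os

# OWASP's published figure for PBKDF2-HMAC-SHA256 (assumed here); raise it over time.
PBKDF2_ROUNDS = 600_000


def unsalted_digest(password: str) -> str:
    """The LinkedIn failure mode: one bare SHA-1 per password, no salt.
    Every account that reuses a password stores the same digest, so a
    single crack of that digest unlocks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """A fresh random salt per account plus a deliberately slow KDF.
    The server necessarily holds the plaintext after TLS terminates, so
    this is the earliest point at which it can stop holding it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def reuse_visible(stored: list) -> bool:
    """True when two accounts share an identical stored value, i.e. when the
    storage scheme exposes password reuse before anything is cracked."""
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    users = {"alice": "correct horse battery", "bob": "correct horse battery"}
    print("unsalted reuse visible:", reuse_visible([unsalted_digest(p) for p in users.values()]))
    records = {u: salted_record(p) for u, p in users.items()}
    print("salted reuse visible:", reuse_visible([d for _, d in records.values()]))
    print("alice verifies:", verify("correct horse battery", *records["alice"]))
```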
