[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

mail admins?

On 2020-04-23 7:31 p.m., Michael Thomas wrote:
> On 4/23/20 6:20 PM, William Herrin wrote:
>> On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <mike at mtcc.com> wrote:
> Passwords over the wire are the *key* problem of computer security. 
> Nothing else even comes close. One only needs to look at the LinkedIn 
> salting problem to know how trivial it is to exploit password reuse. 
> They are a big company and they still absolutely failed. There are a 
> trillion smaller sites who are just as vulnerable, and all it takes is 
> one.
>> You think sending encrypted passwords over the wire is more of a
>> problem than intentionally allowing untrusted code to run on the same
>> machine that contains personally sensitive information? Really? Do you
>> understand that when malicious code gains a sufficient foothold on
>> your computer, webauthn protects exactly squat?
> Um, they are not encrypted. The are plain text after TLS unencrypts 
> them. That is their Achilles Heal.

The ironic catch 22 is that libsodium.js runs in the browser to encrypt 
the passwords before being sent over the wire.  But happens to be