[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

mail admins?

On 4/26/20 8:39 PM, Matt Palmer wrote:
> On Sun, Apr 26, 2020 at 05:10:56PM -0700, Michael Thomas wrote:
>> On 4/26/20 5:07 PM, Matt Palmer wrote:
>>> On Sun, Apr 26, 2020 at 07:59:24AM -0700, Michael Thomas wrote:
>>>> On 4/26/20 7:32 AM, Rich Kulawiec wrote:
>>>>> On Thu, Apr 23, 2020 at 07:56:30PM -0700, Michael Thomas wrote:
>>>>>> $SHINYNEWSITE has only to entice you to enter your reused password which
>>>>>> comes out in the clear on the other side of that TLS connection.?? basically
>>>>>> password phishing. you can whine all you like about how stupid they are, but
>>>>>> you know what... that is what they average person does. that is reality. js
>>>>>> exploits do not hold a candle to that problem.
>>>>> Two equally large problems -- neither of which have anything to do with
>>>>> encryption in transport -- are backend security and password strength.
>>>>> In the former case, we've seen an ongoing parade of security breaches
>>>>> and subsequent dataloss incidents.  That parade is still going on.
>>>>> In the latter case, despite years of screaming from the rooftops, despite
>>>>> myriad enforcement attempts in code, despite another parade of incidents,
>>>>> despite everything, we still have people using "password" as a password.
>>>>> As a side note, I've found it nearly impossible to get users to
>>>>> understand that there is a qualitative and quantitative difference
>>>>> between "password used for brokerage account" and "password used for
>>>>> little league baseball mailing list".
>>>>> The minor problem of passwords-over-the-wire pales into insignificance
>>>>> compared to these (and others -- but that's a long list).
>>>> Um, those are exactly the consequences of passwords over the wire. If you
>>>> didn't send "password" over the wire, nobody could guess that's your
>>>> password on your banking site.
>>> I guess that's why best practices for authentication encourage the adoption
>>> of HTTP Digest authentication.  No password over the wire == no problems!
>> Which exactly zero deployment. And you need to store the plain-text password
>> on the server side. What could possibly go wrong?
> But you said that *passwords on the wire* were the biggest problem.  Digest
> auth solves that.  Also, you don't have to store the plain-text password.

You clearly know everything, while Steven, Paul, myself and the 
collective wisdom of w3c know nothing, so I'm out.