nanog mailing list archives

Re: LinkedIn password database compromised


From: Randy Bush <randy () psg com>
Date: Thu, 21 Jun 2012 08:33:47 +0900

The fact that it is symmetric leads to the problem.

Even if the attacker had fully compromised the server end they get
nothing.  There's no replay attack.  No shared secret they can use to log
into another web site.  Zero value.

with per-site passphrases there is no cross-site threat.  there is
replay, as you point out.  

would be interested to hear smb on this.

Yep.  Don't get me wrong, there's an RFC or two here, a few pages of
code in web servers and browsers.  I am not asserting this is a trivial
change that could be made by one guy in a few minutes.  However, I am
suggesting this is an easy change that could be implemented in weeks
not months.

did you say RFC in the same sentence as weeks?  but i definitely agree
that we should be able to do better than we are now.

randy
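To make the two properties argued over in this exchange concrete (a server compromise yields nothing reusable; replay and cross-site reuse are the things the design has to close off), here is an added illustration in Go using the standard library's ed25519. It is not code from this thread, from NANOG, or from any RFC; the site names, the "login:<site>:<nonce>" challenge format and the in-memory server are all assumptions made for the example. The server stores only public keys and a single outstanding nonce per user; the client holds one private key per site and signs a site-bound challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Server stores only public keys (an assumed design for this example, not any
// product's code). Dumping its database yields nothing usable for login.
type Server struct {
	site    string
	pubkeys map[string]ed25519.PublicKey
	pending map[string][]byte // user -> the single outstanding one-time nonce
}

func NewServer(site string) *Server {
	return &Server{site: site, pubkeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubkeys[user] = pub }

// Challenge issues a fresh random nonce and remembers it until it is consumed.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubkeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// challengeMessage binds the signed bytes to the site name, so an answer
// produced for one site cannot be relayed to another (assumed format).
func challengeMessage(site string, nonce []byte) []byte {
	return append([]byte("login:"+site+":"), nonce...)
}

// Login consumes the nonce first (single use, so a captured answer cannot be
// replayed) and then checks the signature against the stored public key.
func (s *Server) Login(user string, nonce, sig []byte) error {
	pub, ok := s.pubkeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, ok := s.pending[user]
	if !ok || subtle.ConstantTimeCompare(want, nonce) != 1 {
		return errors.New("stale or unknown challenge")
	}
	delete(s.pending, user)
	if !ed25519.Verify(pub, challengeMessage(s.site, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Client keeps one private key per site; the private half never leaves it.
type Client struct{ keys map[string]ed25519.PrivateKey }

func NewClient() *Client { return &Client{keys: map[string]ed25519.PrivateKey{}} }

// PublicKeyFor generates the site's key pair on first use and returns the public half.
func (c *Client) PublicKeyFor(site string) (ed25519.PublicKey, error) {
	if priv, ok := c.keys[site]; ok {
		return priv.Public().(ed25519.PublicKey), nil
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	c.keys[site] = priv
	return pub, nil
}

// Answer signs the site-bound challenge with that site's private key.
func (c *Client) Answer(site string, nonce []byte) []byte {
	return ed25519.Sign(c.keys[site], challengeMessage(site, nonce))
}

// Scenario runs four cases and reports whether each behaved as the design intends.
func Scenario() (loginOK, replayRejected, crossSiteRejected, forgeryRejected bool) {
	client := NewClient()
	a, b := NewServer("a.example"), NewServer("b.example") // constructed site names
	pubA, _ := client.PublicKeyFor("a.example")
	a.Register("alice", pubA)
	b.Register("alice", pubA) // worst case: the user enrolled the same key at both sites

	// 1. Normal login: fresh challenge, signed answer.
	nonce, _ := a.Challenge("alice")
	sig := client.Answer("a.example", nonce)
	loginOK = a.Login("alice", nonce, sig) == nil

	// 2. Replay: the same captured (nonce, sig) pair presented again.
	replayRejected = a.Login("alice", nonce, sig) != nil

	// 3. Cross-site relay: b is made to hold a's nonce value, yet the signature
	//    covers "a.example", not "b.example", so it still fails.
	b.pending["alice"] = nonce
	crossSiteRejected = b.Login("alice", nonce, sig) != nil

	// 4. Server dump: holding only pubA does not let anyone answer a fresh
	//    challenge; an all-zero placeholder stands in for any guessed signature.
	nonce2, _ := a.Challenge("alice")
	forgeryRejected = a.Login("alice", nonce2, make([]byte, ed25519.SignatureSize)) != nil
	return
}

func main() {
	ok, replay, cross, forge := Scenario()
	fmt.Printf("login=%v replay_rejected=%v cross_site_rejected=%v forgery_rejected=%v\n", ok, replay, cross, forge)
}
```

Two things carry the argument: the nonce is deleted before verification, so a captured answer is dead on second use, and the site name is inside the signed message, so even a key a user reused across sites cannot be relayed from one to the other. What the thread calls "a few pages of code in web servers and browsers" is essentially the Challenge/Login pair on one side and PublicKeyFor/Answer on the other, plus the enrollment step.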