[153471] in North American Network Operators' Group


Re: LinkedIn password database compromised

daemon@ATHENA.MIT.EDU (Peter Kristolaitis)
Thu Jun 7 09:37:48 2012

Date: Thu, 07 Jun 2012 09:36:18 -0400
From: Peter Kristolaitis <alter3d@alter3d.ca>
To: nanog@nanog.org
In-Reply-To: <20120607132240.GO32960@teardrop.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 6/7/2012 9:22 AM, James Snow wrote:
> On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
>> Imagine signing up for a site by putting in your email and pasting
>> your public key.
> Yes! Yes! Yes!
>
> I've been making this exact argument for about a year. It even retains
> the same "email a link" reset mechanism when someone needs to reset
> their key.
>
> A common counter-argument is, "But ordinary Internet users won't
> understand SSH keys." They don't need to! The idea is easily explained
> via a lock-and-key metaphor that people already understand. The UI for
> walking users through key creation is easily imagined.
>
>
> -Snow

Oh yeah, I can just imagine that "lock and key" conversation now...

"Imagine if the website has a lock on it, and you tell them what key you
want to use by giving them a copy."
"But if they have a copy of my key, couldn't they use it to open all of
the other locks I've set up to use it?"
"(explain public key crypto)"
"(drool, distraction by the latest Facebook feature)"

The other problem with this approach is that, as bad as trusting remote
sites to do security properly is, I'm not sure that putting a "one key
to rule them all" on users' machines is that much better, given the
average user's penchant for installing malware on their machine because
"FunnyMonkeyScreensaver.exe" sounded like such a good idea at the
time... I suspect we'd see a huge wave of malware whose sole purpose
is to steal public keys (and you KNOW users won't password-protect their
private keys!). Plus, now you have the problem of users not being able
to log in to their favourite websites when they're using a friend's
computer, internet cafe, etc, unless they've remembered to bring a copy
of their private key with them.

I think public key auth for websites is a great idea for geeks who
understand the benefits, limitations and security concerns, but I have
serious doubts that it would hold up when subjected to the "idiot test".

- Pete




