[154006] in North American Network Operators' Group
Re: LinkedIn password database compromised
daemon@ATHENA.MIT.EDU (Randy Bush)
Wed Jun 20 19:34:22 2012
Date: Thu, 21 Jun 2012 08:33:47 +0900
From: Randy Bush <randy@psg.com>
To: Leo Bicknell <bicknell@ufp.org>
In-Reply-To: <20120620231234.GA23251@ussenterprise.ufp.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> The fact that it is symmetric leads to the problem.
>
> Even if the attacker had fully compromised the server end they get
> nothing. There's no reply attack. No shared secret they can use to log
> into another web site. Zero value.
with per-site passphrases there is no cross-site threat. there is
replay, as you point out.
would be interested to hear smb on this.
> Yep. Don't get me wrong, there's an RFC or two here, a few pages of
> code in web servers and browsers. I am not asserting this is a trival
> change that could be made by one guy in a few minutes. However, I am
> suggesting this is an easy change that could be implemented in weeks
> not months.
did you say RFC in the same sentence as weeks? but i definitely agree
that we should be able to do better than we are now.
randy
