[180168] in North American Network Operators' Group
Re: gmail security is a joke
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed May 27 08:23:48 2015
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20150526161151.GA14841@pob.ytti.fi>
Date: Wed, 27 May 2015 14:19:13 +0200
To: Saku Ytti <saku@ytti.fi>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> On May 26, 2015, at 6:11 PM, Saku Ytti <saku@ytti.fi> wrote:
>
> On (2015-05-26 17:44 +0200), Owen DeLong wrote:
>
> Hey,
>
>> I think opt-out of password recovery choices on a line-item basis is not a bad concept.
>
> This sounds reasonable. At least then you could decide which balance of
> risk/convenience fits their use-case for given service.
>
>> OTOH, recovery by receiving a token at a previously registered alternate email address
>> seems relatively secure to me and I wouldn’t want to opt out of that.
>
> It's probably machine sent in seconds or minute after request, so doing
> short-lived BGP hijack of MX might be reasonably easy way to get the email.

If someone has the ability to hijack your BGP, then you’ve got bigger problems than
having them take over your Gmail account.

>
>> Recovery by SMS to a previously registered phone likewise seems reasonably secure
>> and I wouldn’t want to opt out of that, either.
>
> I have tens of coworkers who could read my SMS.

That’s interesting… Why do you choose to give access to your personal SMS messages
to so many of your coworkers?

>
>> Really, you don’t need to strongly authenticate a particular person for these accounts.
>> You need, instead, to authenticate that the person attempting recovery is reasonably
>> likely to be the person who set up the account originally, whether or not they are who
>> they claimed to be at that time.
>
> As long as user has the power to choose which risks are worth carrying, I
> think it's fine.
> For my examples, I wouldn't care about email/SMS risk if it's
> linkedin/twitter/facebook account. But if it's my domain hoster, I probably
> wouldn't want to carry either risk, as the whole deck of cards collapses if
> you control my domains (all email recoveries compromised)

We agree that different risks are appropriate for different levels of sensitivity.

Owen