[BBLISA] Reusing Passwords on Different Sites Should be OK
John Stoffel
john at stoffel.org
Fri Sep 18 10:25:49 EDT 2015
>>>>> "Patrick" == Patrick Cable <pc at pcable.net> writes:
Patrick> Other thoughts: Does CBcrypt require that the client machine
Patrick> not be compromised? How about the confidentiality/integrity
Patrick> of the link when the public key component is first sent to
Patrick> the provider (yay MITMing with a different key)? It seems
Patrick> like you are putting a lot of trust into DNS, which isn't a
Patrick> very trustworthy service to begin with (but we all do that a
Patrick> lot today anyways; still worth noting)
This is a great comment here, because I just spent an inordinate
amount of time fixing my father-in-law's laptop due to some virus
changing his DNS settings to point him to a bogus set of DNS servers
which were doing MinM attacks on him and showing bogus
flash/javascript warnings in his browsers.
I should *really* have remembered to turn on https everywhere in his
browser, but the one web site he really wants to goto uses an invalid
Cert. Sigh....
John
More information about the bblisa
mailing list