
Re: Salsa update: no more "-guest" and more

Thomas Goirand wrote on 26/04/2020:
> On 4/25/20 11:14 PM, Bernd Zeimetz wrote:
>> Actually I think 2FA should be enforced for everybody.
>> Even debian.org related passwords might get lost.
> I use a strong password, stored with keepassxc, with the password db
> encrypted using the HMAC of my yubikey. In what way is this not safe
> enough already? 2FA will add nothing in my case, just more annoyance.

It's still one static shared secret you need to enter every time. If it
gets stolen, because your browser or your computer is compromised, or in
a MITM attack where the attacker has gained access to a valid certificate
for salsa.debian.org [1,2], your account is gone. It gets much, much
more difficult with 2FA.

The amount of annoyance added by GitLab's 2FA is extremely limited, and
it implements *the* standard for web 2FA (WebAuthn). Personally I'd
like to see it required to get DD status on salsa, or at least for the
whole Debian team.

In general, we are switching from the cumbersome client certificate
approach of sso.debian.org to plain passwords. This doesn't sound right
to me. I think that with the tools we already have 2FA is as near as we
can get to the sweet spot of usability vs. security.


[1] https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise
[2] https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_attack,
mostly to say that state-backed attacks on the CA trust model do exist.
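An added illustration of the difference the message above is drawing, between a static password and a WebAuthn assertion; this is example code written for this page, not code from the original post, from GitLab or from Salsa. It models a toy authenticator (one P-256 credential) and a toy relying party and runs three attempts: a legitimate login, a replay of the captured assertion, and an assertion the user's browser produced for a look-alike origin. "salsa.debian.org" is used only as a sample rpId and origin, "https://salsa.debian.org.example" is a constructed phishing origin, and the real procedure's attestation, signature counter, user-verification flag and rpId/origin check in the browser are omitted as assumptions of the model.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// PasswordAccepts is the static-secret baseline: whoever holds the string
// is the user, on any site, any number of times.
func PasswordAccepts(stored, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(presented)) == 1
}

// Assertion carries the parts of a WebAuthn "get" response that matter here:
// authenticatorData (begins with SHA-256(rpId)), the clientDataJSON the
// browser built, and the ECDSA signature over authData || SHA-256(clientDataJSON).
type Assertion struct {
	AuthData, ClientDataJSON, Sig []byte
}

// clientData mirrors the CollectedClientData fields the relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a toy security key holding one credential key pair.
type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{key: k}
}

// signedMessage reproduces exactly what the authenticator signs.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Sign models navigator.credentials.get(): the browser, not the page, fills in
// the origin it is really talking to, and the signature is bound to SHA-256(rpId)
// and to that client data (challenge + origin).
func (a *Authenticator) Sign(rpId, origin, challenge string) Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpId))
	authData := append(rpHash[:], 0x01) // flags: user present (counter omitted in this model)
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, cd))
	if err != nil {
		panic(err)
	}
	return Assertion{AuthData: authData, ClientDataJSON: cd, Sig: sig}
}

// RelyingParty is the server side: the registered public key plus the
// challenges it has issued and not yet consumed.
type RelyingParty struct {
	rpId, origin string
	pub          *ecdsa.PublicKey
	pending      map[string]bool
}

func NewRelyingParty(rpId, origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{rpId: rpId, origin: origin, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues a fresh random challenge valid for exactly one assertion.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// Verify applies the origin, challenge, rpIdHash and signature checks, and
// consumes the challenge only once every check has passed.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected type %q", cd.Type)
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.origin)
	}
	if !rp.pending[cd.Challenge] {
		return fmt.Errorf("challenge unknown or already used")
	}
	rpHash := sha256.Sum256([]byte(rp.rpId))
	if len(a.AuthData) < 33 || !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Sig) {
		return fmt.Errorf("bad signature")
	}
	delete(rp.pending, cd.Challenge)
	return nil
}

// Scenario returns the outcome of a legitimate login, of replaying the same
// captured assertion, and of relaying an assertion the browser produced on a
// constructed look-alike origin (a real browser would already refuse the rpId).
func Scenario() (legit, replay, phished error) {
	auth := NewAuthenticator()
	rp := NewRelyingParty("salsa.debian.org", "https://salsa.debian.org", &auth.key.PublicKey)
	a1 := auth.Sign("salsa.debian.org", "https://salsa.debian.org", rp.NewChallenge())
	legit = rp.Verify(a1)
	replay = rp.Verify(a1)
	a2 := auth.Sign("salsa.debian.org", "https://salsa.debian.org.example", rp.NewChallenge())
	phished = rp.Verify(a2)
	return
}

func main() {
	legit, replay, phished := Scenario()
	fmt.Println("legit:", legit, "| replay:", replay, "| phished:", phished)
}
```

The contrast is the stolen artifact: a password captured once authenticates again on any site, whereas a captured assertion is rejected on its second use and one produced for another origin is rejected outright. The caveat a practitioner should keep in mind is that an active MITM holding a valid certificate for the real hostname can still relay a single fresh assertion while it is valid; what it cannot do is keep a reusable credential, which is the "much more difficult" in the message above, not a complete defence.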
