
Re: Salsa update: no more "-guest" and more



Thomas Goirand wrote on 27/04/2020:
> On 4/27/20 12:18 AM, Paride Legovini wrote:
>> It's still one static shared secret you need to enter every time. If it
>> gets stolen, because your browser or your computer is compromised, or in
>> a MITM attack where the attacker gained access to a valid certificate
>> for salsa.debian.org [1,2], your account is gone. It gets much, much
>> more difficult with 2FA.
> 
> You're mixing many things here, so let's debunk one by one.

Well, I gave you two examples.

> 1/ If my browser or computer is compromised, then it's game over anyways.

This is true if you get *fully* compromised, but you could be affected
by a very narrow vulnerability which causes e.g. some browser memory to
leak under very specific conditions, requiring a carefully crafted
attack. If you happen to be affected by this kind of vulnerability
(spectre?) the game is far from over.

> 2/ If what the attacker is trying to do is get access to your account (and
> eventually later, change the 2FA / password couple), then having 2FA
> doesn't help against MITM.

An active MITM attack is way more complicated than just sniffing and
storing traffic for later analysis. Changing the 2FA or password is not
a great strategy, as you would immediately realize what's going on.
Silently gaining access to an account allows the attacker to act when the
conditions are the best from the attacker's point of view.

> 3/ I don't enter anything, my password manager does it for me (so it
> doesn't go into the clipboard). Now, X-Window could be hacked, but that
> really means we're in case 1.

My point is that *something* enters a password in a web form. In this
case it doesn't really matter if this is done by a program or by you
pressing keys on a keyboard.

Anyway, I have no doubt your way of managing passwords is excellent, but
I hope I've been able to show that "2FA will add nothing in my case" is
not true.

Paride
