Re: Salsa update: no more "-guest" and more

To: debian-devel@lists.debian.org
Subject: Re: Salsa update: no more "-guest" and more
From: Bernd Zeimetz <bernd@bzed.de>
Date: Tue, 28 Apr 2020 14:30:18 +0200
Message-id: <[🔎] e0867d6d-d605-d6a4-2022-bb3a9fb58461@bzed.de>
In-reply-to: <[🔎] 6cd09e8d-a16a-9132-6ba7-491074650415@debian.org>
References: <20200418213339.GB32260@waldi.eu.org> <[🔎] 8555e1c9-2ae9-fc7e-8278-4e4e1bf1b0f1@bzed.de> <[🔎] 20200425164941.4nrgwu636mk564y5@shell.thinkmo.de> <[🔎] B4960B93-DB48-469A-A2A2-6E2D7383D219@bzed.de> <[🔎] 1aa1982f-e333-df39-121c-b7d0ceecaf3c@debian.org> <[🔎] 45946438-59a6-f2f3-98b0-3610c4982441@bzed.de> <[🔎] b8e504e4-5281-5833-750f-f613b26136b4@debian.org> <[🔎] f8de3cfd-6d0b-7806-6d86-7e492898374c@debian.org> <[🔎] d1112a8c-712b-d7f0-5b66-96fc57d26598@debian.org> <[🔎] 6cd09e8d-a16a-9132-6ba7-491074650415@debian.org>

On 4/27/20 2:49 AM, Paride Legovini wrote:
> An active MITM attack is way more complicated than just sniffing and
> storing traffic for later analysis. Changing the 2FA or password is not
> a great strategy, as you would immediately realize what's going on.
> Silently gaining access to an account allows to act when the conditions
> are the best from the attacker's point of view.

Exactly.
An attacker would gain access to a few accounts, wait and see what they
can do with the gained permissions in the long run. And at some point
compromise something.

2FA stops this kind of attacks completely. Without a current 2fa token,
your password knowledge is useless.

Gaining access with a MITM attack once gives you a very short amount of
time to do whatever you want to do, as your login will be gone as soon
as the next login without MITM happens.

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

Reply to:

Follow-Ups:
- Re: Salsa update: no more "-guest" and more
  - From: Thomas Goirand <zigo@debian.org>

References:
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: Bastian Blank <waldi@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: Thomas Goirand <zigo@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Paride Legovini <paride@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Thomas Goirand <zigo@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Paride Legovini <paride@debian.org>

Prev by Date: Re: Salsa update: no more "-guest" and more
Next by Date: Re: Salsa update: no more "-guest" and more
Previous by thread: Re: Salsa update: no more "-guest" and more
Next by thread: Re: Salsa update: no more "-guest" and more
Index(es):
- Date
- Thread