
Re: Salsa update: no more "-guest" and more



On 4/28/20 2:30 PM, Bernd Zeimetz wrote:
> 
> 
> On 4/27/20 2:49 AM, Paride Legovini wrote:
>> An active MITM attack is way more complicated than just sniffing and
>> storing traffic for later analysis. Changing the 2FA or password is not
>> a great strategy, as you would immediately realize what's going on.
>> Silently gaining access to an account allows one to act when the conditions
>> are the best from the attacker's point of view.
> 
> Exactly.
> An attacker would gain access to a few accounts, wait and see what they
> can do with the gained permissions in the long run. And at some point
> compromise something.
> 
> 2FA stops this kind of attack completely. Without a current 2FA token,
> your password knowledge is useless.
> 
> Gaining access with a MITM attack once gives you a very short amount of
> time to do whatever you want to do, as your login will be gone as soon
> as the next login without MITM happens.

That's not the case. An MITM attack could gain a session and maintain it
open, while the end user would just notice "oh shit, I mistyped the
2FA numbers, let's try again". Then the only thing the attacker needs to
do is keep the session open to not lose access...

Cheers,

Thomas Goirand (zigo)

