[BBLISA] 19,000 person company passwords stolen via HTTPS

Edward Ned Harvey (bblisa4) bblisa4 at nedharvey.com
Tue Oct 6 10:44:29 EDT 2015


> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Josh Smift
> 
> ENH> All because your password gets sent to the company over the HTTPS
> ENH> connection. There is zero upside to sending the password, when there
> ENH> exist standard techniques to prove you know something without
> ENH> exposing the thing.
> 
> Unless I've misunderstood how this works, though, the "you" who gets to
> make this decision is the server, not the client. Like, there's nothing I
> as a client can do to choose to send one-time credentials rather than
> reusable ones, if the server doesn't support it, right?

Oh, heheeh. I cross-posted on bblisa and lopsa. I see I'm not the only person subscribed to both.  ;-)  So I guess I have to cross-post the reply too:

As a client, you can choose to use services that don't require access to your password, encryption keys, or data. If you use services such as Dropbox, Google, etc., that require you to provide them access, you can inform them this is something you care about (maybe you can't actually reach Dropbox or Google, but others you can actually reach) and you can choose to switch to competing services that don't have that requirement.


> (So maybe what you mean here is "there's zero upside

What I mean is, there is zero benefit and all downside to exposing your password to any servers. All servers and services worldwide should adopt the new standard. Most services aren't there yet.


> to asking your
> customers to send reusable credentials"

There wasn't any mention of reusable credentials in this thread, but I know you're talking about reusing credentials because of the previous thread about "it should be ok to reuse passwords, as long as passwords aren't exposed to servers." But that's not a core focus - gaining the ability to reuse passwords is just a nice side-effect and isn't the main reason you should care - cybercriminals including hackers and bad employees are the reason you should care. Plus the erosion of any legal right to privacy. Privacy is not about keeping secrets, it's about choosing who you share your personal information with, choosing who's included in your communications. If you're a high profile person, or you belong to a persecuted minority, or you have some sort of controversial belief, you cannot feel safe if you don't know who's included in your communications. The right to privacy is necessary, if you want freedom of speech, freedom of religion, freedom of thought.
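As an added example that is not part of this thread: the post says standard techniques exist to prove you know a password without sending it, but names none. The one shown here is an SRP-6a style verifier exchange written for this page (the protocol choice, the small demo group P and G, and the function names are my assumptions); the server stores only a salt and a verifier, and the wire carries only salt, A, B and the proof M1.

```python
import hashlib, hmac, secrets
P, G = 2**127 - 1, 7  # Constructed demo group (Mersenne prime); real deployments use RFC 5054 groups

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def i2b(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

K_MULT = H(i2b(P), i2b(G)) % P  # SRP-6a multiplier k

def private_x(username: str, password: str, salt: bytes) -> int:
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def register(username: str, password: str):
    """Client side: the server receives and stores only (salt, verifier)."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(username, password, salt), P)

def client_start():
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)  # A goes over the wire

def server_start(v: int):
    b = secrets.randbelow(P - 2) + 1
    return b, (K_MULT * v + pow(G, b, P)) % P  # B goes over the wire

def client_finish(username, password, salt, a, A, B):
    # Client derives session key K and proof M1; the password itself never leaves.
    if B % P == 0: raise ValueError("bad server value")
    u, x = H(i2b(A), i2b(B)), private_x(username, password, salt)
    S = pow((B - K_MULT * pow(G, x, P)) % P, a + u * x, P)
    K = hashlib.sha256(i2b(S)).digest()
    return K, hmac.new(K, i2b(A) + i2b(B), hashlib.sha256).digest()

def server_finish(v, b, A, B, M1):
    # Server recomputes K from the stored verifier alone and checks the proof.
    if A % P == 0: raise ValueError("bad client value")
    S = pow((A * pow(v, H(i2b(A), i2b(B)), P)) % P, b, P)
    K = hashlib.sha256(i2b(S)).digest()
    expected = hmac.new(K, i2b(A) + i2b(B), hashlib.sha256).digest()
    return K if hmac.compare_digest(expected, M1) else None

def authenticate(username, registered_pw, attempted_pw) -> bool:
    """Whole exchange: only salt, A, B and M1 cross the wire."""
    salt, v = register(username, registered_pw)
    a, A = client_start()
    b, B = server_start(v)
    _, M1 = client_finish(username, attempted_pw, salt, a, A, B)
    return server_finish(v, b, A, B, M1) is not None
```

A stolen (salt, verifier) table still allows offline guessing, so this takes the password off the wire and out of the server's hands but does not remove the need for strong passwords and rate limiting.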


