[BBLISA] Reusing Passwords on Different Sites Should be OK
Edward Ned Harvey (bblisa4)
bblisa4 at nedharvey.com
Fri Sep 18 06:58:59 EDT 2015
> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Patrick Cable
> Sent: Thursday, September 17, 2015 6:17 PM
>
> One thing I see missing from both your product/library github
> page/indiegogo kickstarter page is a well-defined threat model. You mention
> your use case and implementation (and I understand it), but I'm curious
> about what boundaries/assumptions/etc. you had in mind when you built
> the system?
Everybody knows they shouldn't login to anything over http://
We've all been trained to use https:// and ensure we have green checkmark security shields or whatever.
Because thousands of random unknown employees maintaining the routers on the Internet could access the http traffic.
When you login via HTTPS, to google, facebook, twitter, and thousands of other sites, there are still thousands of unknown employees maintaining the load balancers and web servers at the other end, who could access the traffic.
It is a no-brainer. You should not send your password or encryption keys, even over https. You need to prove you know your secret without exposing it.
More information about the bblisa
mailing list