[BBLISA] Reusing Passwords on Different Sites Should be OK

John Stoffel john at stoffel.org
Fri Sep 18 10:25:49 EDT 2015


>>>>> "Patrick" == Patrick Cable <pc at pcable.net> writes:

Patrick> Other thoughts: Does CBcrypt require that the client machine
Patrick> not be compromised? How about the confidentiality/integrity
Patrick> of the link when the public key component is first sent to
Patrick> the provider (yay MITMing with a different key)? It seems
Patrick> like you are putting a lot of trust into DNS, which isn't a
Patrick> very trustworthy service to begin with (but we all do that a
Patrick> lot today anyways; still worth noting)

This is a great comment here, because I just spent an inordinate
amount of time fixing my father-in-law's laptop due to some virus
changing his DNS settings to point him to a bogus set of DNS servers
which were doing MITM attacks on him and showing bogus
flash/javascript warnings in his browsers.

I should *really* have remembered to turn on https everywhere in his
browser, but the one web site he really wants to go to uses an invalid
cert.  Sigh....

John
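As an added illustration of the check a practitioner would want after the kind of incident described above (this is example code, not code from the original post or from John): a small Python script that parses a resolv.conf-style resolver configuration and flags any nameserver not on an expected allowlist. The allowlist (192.168.1.1 as the home router plus 1.1.1.1 as a trusted public resolver), the sample hijacked configuration and the 203.0.113.x / 198.51.100.x rogue addresses are all assumptions constructed for the example.

```python
import ipaddress
import sys

# Assumption for the example: the resolvers this machine is supposed to use
# (home router plus one trusted public resolver). Adjust for your network.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1"}


def parse_nameservers(resolv_conf_text):
    """Return the nameserver IPs listed in resolv.conf-style text, in order.

    Handles '#' and ';' comments and skips malformed addresses instead of
    crashing, so the check still reports the entries it can understand.
    """
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                # ip_address() normalizes the textual form (e.g. IPv6 zeros)
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return servers


def rogue_resolvers(resolv_conf_text, expected=EXPECTED_RESOLVERS):
    """Return configured nameservers that are not on the allowlist."""
    return [s for s in parse_nameservers(resolv_conf_text) if s not in expected]


# Constructed sample: what resolv.conf might look like after malware replaced
# the resolvers with two unknown public addresses and left the router last.
HIJACKED_CONF = """# Generated by NetworkManager
search home.example
nameserver 203.0.113.7
nameserver 198.51.100.9
nameserver 192.168.1.1   ; original router demoted to third entry
nameserver not-an-ip
"""

if __name__ == "__main__":
    # Pass a path (e.g. /etc/resolv.conf) to check a real machine; with no
    # argument the constructed sample is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else HIJACKED_CONF
    bad = rogue_resolvers(text)
    if bad:
        print("WARNING: unexpected resolvers configured:", ", ".join(bad))
        sys.exit(1)
    print("resolver configuration matches the allowlist")
```

On Linux or macOS run it against /etc/resolv.conf; on Windows the equivalent input is the per-adapter server list (for example the output of Get-DnsClientServerAddress), which you would feed in as `nameserver` lines. A clean allowlist result does not prove the path to the resolver is honest, only that the configured addresses are the ones you expected, which is exactly the thing the malware in the story changed.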
