On Tue, May 26, 2009 at 13:11, Seth Vidal <[email protected]> wrote:
> On Tue, 26 May 2009, Till Maas wrote:
>
>>
>> Why is this? Even an attacker that got access to your desktop without
>> specifically targeting a Fedora infrastructure team member can afterwards
>> compromise your phone, once he noticed that you use it to login to Fedora.
>> The browser cache or e-mails may indicate that you login to Fedora and some
>> config files for phone synchronization can show the attacker, how the phone
>> can be compromised.
>
> Doesn't this same argument stand if you plug the yubikey into the machine?
> Ie: sniff the incoming usb traffic and grab the "password" that the yubikey
> has just inputted?
>
> -sv

Yubikey uses a one time password (OTP) so sniffing the output of the device would yield the key for that particular time and wouldn't be able to be used at a later time.

Eric "Sparks"

_______________________________________________
Fedora-infrastructure-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
