On Thu, Apr 23, 2020 at 4:57 PM Michael Thomas <[email protected]> wrote:
> If you want an actual verifiable current day problem which is a clear
> and present danger, you should be running as fast as you can to retrofit
> every piece of web technology with webauthn to get rid of over the wire
> passwords.
>
> I think I posted about this before and got a collective ho-hum.

Yeah, it came up last week on an ARIN group and I called it "flavor of the month." It does some interesting things on a strictly technical level but it's a solution in search of a problem. You're not at significant risk that your password will be captured from inside an encrypted channel and that's all webauthn adds to other widely deployed technologies that also haven't caught on.

> that is infinitely more serious than some age-old js
> breaches. and it is especially critical for the equipment that nanog
> members run every day to configure, monitor, and manage. Ironically, it
> requires... javascript browser-side.

You think sending encrypted passwords over the wire is more of a problem than intentionally allowing untrusted code to run on the same machine that contains personally sensitive information? Really? Do you understand that when malicious code gains a sufficient foothold on your computer, webauthn protects exactly squat?

Regards,
Bill Herrin

--
William Herrin
[email protected]
https://bill.herrin.us/

