On 07/25/2015 10:03 PM, Andrew McGinnis wrote:
On Sat, 25 Jul 2015 11:43:47 -0400 Anton Aylward <opensuse@antonaylward.com> wrote:
Sadly few sites, not least of all my banks, use two-factor authentication. The best of them use what amounts to a 'double password' scheme.
What websites other than Google use two-factor authentication?
As I implied, quite a few banks, or their brokerage arms. In some countries and not others. It makes sense to have financial transactions more aggressively secured. Perhaps we also need to force some classes of personal financial transactions to require personal certificates as well, so as to have two-way authentication, just as banks do when talking to each other for transfers.
Let's not even think about updates to the cars and other IoT things! If we do we might get very, very frightened.
Your mention of the subject starts to make me frightened.
Good. The whole IoT thing, not just the house but all the other things we are putting on the net for remote access, monitoring and control, is a vendor's feeding frenzy that is showing little concern for any aspect of security, never mind simple authentication.
Reading through the paper, I noticed that using HTTPS is considered an advisable security strategy. While I don't doubt that sending passwords via SSL is more secure than sending them as unencrypted plain text, I sometimes question the security of SSL. My understanding of the protocol is that a server sends its certificate to the client unencrypted to initiate the connection. If this is right, then an SSL certificate can be intercepted, and the encrypted internet traffic can be decrypted.
It's not that simple. The 'key exchange' problem existed for centuries. The Diffie & Hellman key exchange system solved that:
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
http://security.stackexchange.com/questions/45963/diffie-hellman-key-exchang...
See also "Authenticated Diffie-Hellman".
In practice, it's used to set a session key, which is then used to create a short-lived key that is discarded after N packets, and another key generated by means of the session key.
The public certificate is a convenience; strictly speaking that is RSA. There are other ways of doing that part of it. Strictly speaking you don't need a certificate to use SSL/TLS (see PSK, Kerberos and even anonymous cipher suites).
Also: check the difference between SSL, TLS and HTTPS. HTTPS is an application layer protocol.
I would have ranked "be suspicious of everything" as most important on that survey.
Marcus Ranum said: One person's "paranoia" is another person's "engineering redundancy."
As a newcomer to this mailing list, I apologize for any of its conventions that I may have ignored.
Trim, Trim, Trim!
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
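As an added illustration of the Diffie-Hellman point made in the reply above (example code, not from the thread or its authors): the values that cross the wire are the two public exponents, the session key is derived from the shared secret that only the two private exponents can produce, and per-epoch traffic keys are then derived from that session key. The salt and info labels, the epoch size and the use of the RFC 2409 1024-bit group are assumptions for readability, not a TLS key schedule.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (Oakley group 2), generator 2. Chosen so
# the arithmetic is plain integer pow(); this size is too weak for modern use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


class Party:
    """One side of an ephemeral DH exchange plus its derived session key."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1   # never leaves this host
        self.pub = pow(G, self.priv, P)             # sent in the clear

    def session_key(self, peer_pub):
        # A certificate (if used) would sign peer_pub to authenticate it; it is
        # not itself a key, so seeing it in the clear reveals nothing here.
        shared = pow(peer_pub, self.priv, P)
        # Extract-then-expand so the raw DH output is never used directly.
        prk = hmac.new(b"toy-dh-salt", shared.to_bytes(128, "big"),
                       hashlib.sha256).digest()
        return hmac.new(prk, b"session", hashlib.sha256).digest()


def traffic_key(session_key, epoch):
    """Short-lived key for one epoch of N packets, derived from the session
    key. Each epoch gets a fresh key; the session key itself is never sent."""
    info = b"traffic" + epoch.to_bytes(4, "big")
    return hmac.new(session_key, info, hashlib.sha256).digest()


def handshake():
    """Run one exchange; returns both sides' keys and what an observer saw."""
    client, server = Party(), Party()
    observed = (client.pub, server.pub)             # the on-the-wire values
    return client.session_key(server.pub), server.session_key(client.pub), observed
```

Running `handshake()` twice shows fresh exponents give unrelated session keys each time, which is the property that makes a recorded transcript useless later.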