Re: [tor-bugs] #6986 [Flashproxy]: Set up two-factor auth and app-specific password for email registration helper
#6986: Set up two-factor auth and app-specific password for email registration helper
-------------------------+--------------------------------------------------
Reporter: dcf | Owner: dcf
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Flashproxy | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Comment(by dcf):
Replying to [ticket:6986 dcf]:
> 1. we can keep the master Gmail password offline, and only allow the
> facilitator access to IMAP under a different password. A break-in on the
> facilitator would not, for example, allow the intruder to set a new Gmail
> forwarding rule.

I have tried setting this up, and now I'm not so sure that the
application-specific password cannot be used to access the Google account.
When I create the password, there is a notice:

"Note that this password grants complete access to your Google Account."

On the other hand, when I try to use that password to log in to Gmail with
a web browser, it fails with the message

"Please use your account password instead of an application-specific
password."

So I don't know exactly what the privileges are of this password. I think
that having an application-specific password is good for security, even if
it turns out to be root-equivalent and bypass SMS verification, because

1. We can in the worst case completely delete the account using the master
password, if the account is compromised.
2. We can in theory detect when the application-specific password has been
unauthorizedly used by examining the "recent activity" page in Gmail.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6986#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online