
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

On 9/7/2011 3:42 PM, Marsh Ray wrote:
> On 09/07/2011 03:19 PM, Julian Yon wrote:
>
>> My bank forces me to enter part of my password using unobscured
>> dropdowns "for security". Sure, it avoids keyloggers, but what about
>> *someone standing behind me*?
>
> Do they have a gun? Otherwise, cover the screen with your hand or ask them to look away.
>
> Realistically, this is nowhere near the biggest threat these days. It's mostly a holdover from security guidance from shared computing labs and pre-internet days.
>
> Yes, be aware of your physical surroundings. No, don't think that it keeps you one bit safe online, unless you're that special case where your adversary is physically present.
>
> - Marsh

Respectfully, I think some may have missed the point of (part of) my earlier comments and Julian's about passwords. Admittedly, we got off topic. It has nothing to do with Tor or fake certificates. So, as far as I'm concerned, feel free to drop the topic of poor password security. But the WHOLE point of my comments was (certificates, passwords, whatever) that corporations say they are using highly secure methods and technology online, when in fact they often aren't. And yes, I have complained and gotten the canned replies: "we take customers' security and online safety very seriously and use high security standards..."

My point (and I think Julian's) was that, aside from certificate issues, at many sites where security is vitally important, their WORDS ("we take customers' security and online safety very seriously and use high security standards...") and their ACTIONS don't match. It's not a matter of whether one *could* "cover their screen" when typing an exposed password; it's that it's generally a bad idea, and one that could be easily corrected. Limiting passwords to 10 alphanumeric characters (with NO special characters) is a bad idea, and AFAIK there's no reason a multi-billion-dollar corporation like Vanguard Investments couldn't allow more characters and special characters.

I also asked a question about options for users when they are confronted with a warning that the site's certificate can't be verified. If it's your bank and you need to transact business THAT day, what can you do except call and *maybe* talk to IT? If they can confirm they're aware of the problem, one could probably feel safe in accessing the site anyway. What if you can't reach IT?

tor-talk mailing list