Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
On 9/7/2011 3:42 PM, Marsh Ray wrote:
Respectfully, I think some may have missed the point of (part of) my
earlier comments & Julian's about PWs. Admittedly, we got off topic.
It has nothing to do w/ Tor or fake certificates.
So, for me, feel free to drop the topic about lack of PW security. But,
the WHOLE point of my comments was (certificates, PWs, whatever),
corporations say they are using highly secure methods & technology
online, when in fact they often aren't. And yes, I have complained &
gotten the canned replies, "we take customers' security & online safety
very seriously & use high security standards..."
On 09/07/2011 03:19 PM, Julian Yon wrote:
My bank forces me to enter part of my password using unobscured
dropdowns "for security". Sure, it avoids keyloggers, but what about
*someone standing behind me*?
Do they have a gun? Otherwise, cover the screen with your hand or ask
them to look away.
Realistically, this is nowhere near the biggest threat these days.
It's mostly a holdover from security guidance from shared computing
labs and pre-internet days.
Yes, be aware of your physical surroundings. No, don't think that it
keeps you one bit safe online, unless you're that special case where
your adversary is physically present.
My point (& I think Julian's) was, aside from certificate issues,
various practices of many sites where security is vitally important,
their WORDS "~ we take customers' security & online safety very
seriously & use high security standards...," and their ACTIONS don't
match. It's not a matter of if one *could* "cover their screen" when
typing an exposed PW, it's that it's generally a bad idea, that could be
easily corrected. Limiting PWs to 10 alphanumeric chars (w/ NO spec.
chars) is a bad idea & AFAIK, there's no reason a multi-billion corp. like
Vanguard Investments couldn't allow more chars & special chars.
I also asked a question about options for users, when they are
confronted w/ a warning that the site's certificate authenticity can't
be verified. If it's your bank & you need to transact business - THAT
day - what can you do except call & *maybe* talk to IT? If they can
confirm they're aware of the problem, one could probably feel safe in
accessing the site anyway. What if you can't reach IT?