
ARGVMI~1.PIF

@argv_minus_one@mastodon.sdf.org

Previously @argv_minus_one@mstdn.party


@phnt

If the bad guys already have someone on the inside of your organization, you're already breached. They don't need to hack anything because they already have access legitimately.

The only way I can think of to solve that problem has absolutely nothing to do with computers: create a culture of mutual loyalty between employer and employee, so that no one is willing to betray the company in the first place.

Good luck selling that proposal to the shareholders, though…

@nicholas @7666

@7666

True, but increasing friction (with password rotation, MFA, etc) only encourages people to find workarounds to defeat the security measures instead of actually using them. That's why NIST recommends doing away with password rotation entirely.

Although I suppose that same problem also applies to my earlier suggestion of using FOSS alternatives…

@nicholas @phnt

@phnt

I'm shocked to learn that Windows makes it hard to use a hardware token to log in. I remember Windows championing smart cards back in the 1990s when everybody else had never heard of anything other than passwords.

Old-fashioned card-slot-type smart card readers do seem to be a thing of the past now, but a cursory web search says some laptops have NFC interfaces and some smart cards are NFC enabled. That must be what the cool kids are using these days.

@nicholas @7666

@phnt

You don't need xkcd 538 to break a weak password. And since we're talking about the password people type in by hand to log in to their computers, not passwords stored in a password manager, goodness knows that password is going to be weak.

I suppose it would take more than 5 minutes, though.

Then again, if we're talking about the kind of ninja who could sneak into a corporate office building unnoticed, he probably already saw you type in your password…

@nicholas @7666

@7666

Every organization bigger than a lemonade stand is under constant attack by billion-dollar crime gangs and nation-state intelligence agencies.

“Just enough not to get hacked” is a really high bar; we've got the weekly high-profile security-breach headlines to prove it, and all this security theater (password rotation, Zero Trust, etc.) is, unsurprisingly, not working.

@nicholas @phnt

@7666

As for the SSO tax: if a vendor sleazes on you like that, then kick them to the curb and migrate to an alternative that won't. Preferably one that's FOSS and therefore *can't* do that to you.

If that means you have to do extra work? So be it. With the alternative being either sky-high fees or getting pwned, the extra work will pay for itself in short order.

If the alternative is FOSS but sucks? Pay somebody to work on it. Still cheaper in the long run.

@nicholas @phnt

@phnt

Yes, that's the idea. MFA is security theater. The sum of a weak authentication method and a strong one is not significantly greater than the strong one by itself. The weak one is purely decorative. If both of them are weak then both of them are purely decorative. If both are strong then one is unnecessary.

And how the hell do you lose your hardware token without noticing? If it's gone, so are your car keys, your house keys, and your key into the office building!

@nicholas @7666

@phnt

And if you're worried people won't report a lost hardware token, you should be able to solve that with company policy:

“If you lose your hardware token, the punishment is we dock your pay by like $2 for a replacement token. If you lose your hardware token and try to cover up the fact that you lost it, the punishment is you're fired. Tokens are cheap; security breaches are expensive.”

@nicholas @7666

@nicholas

Yes, and if they brute-force it at their leisure, they gain…access to the same system they've already breached.

You didn't think I was reusing passwords, did you? I'm not completely incompetent.

Actually, they don't even gain that, because I've been notified that there's been a breach and have already changed my password.

So exactly which threat is being mitigated by time-based password rotation?

@7666 @phnt

@phnt @7666 @i

I'm not familiar with DANE, but according to Wikipedia https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities it has the rather serious problem that everything is signed with 1024-bit RSA.

This is…not great.

Replacing CAs with DNS server operators sounds like an okay idea in theory, but it'll only work if DNS server operators are prepared for the responsibility, which it doesn't sound like they are. Not yet, at least.

@phnt @7666

Removing the TLS Client EKU is an epic fail and has made a lot of people justifiably upset, but that isn't the same thing as certificate rotation.

I certainly wouldn't mind if someone offered a better alternative to this rapid certificate rotation as it is rather inelegant, but I can't think of one. Can you?

Also, OCSP was even more inelegant. As someone who was dreading having to actually use it in a non-browser client app to validate a server certificate: good riddance.