Re: About 2FA on our web-application

On Sat, Aug 09, 2014 at 07:12:58PM +0200, Pierre-Yves Chibon wrote:
> On Thu, Aug 07, 2014 at 11:44:03PM +0200, Till Maas wrote:
> > On Thu, Aug 07, 2014 at 05:33:38PM +0200, Pierre-Yves Chibon wrote:
> > 
> > > The key ideas are:
> > > ==================
> > 
> > > * the username, password and OTP are not sent in the same request (otherwise, if
> > >   $attacker intercepts this request, $it has all the info at once)
> > 
> > What kind of attacker is able to only intercept this one request, but
> > cannot intercept the second request as well? This assumed threat seems
> > to lead to more complexity which might allow for more errors without an
> > obvious gain in security from what I can see.
> 
> So I just discussed this with Kanarip again.
> The idea is to decouple the username/password from the OTP so that if you have
> 10 requests at the same time, then it's harder for the MITM to correlate which
> OTP refers to which username/password sent before.
> 
> To do the two requests and still have the correlation on the server side which
> OTP belongs to which username/password, Kanarip had two propositions:
> - Keep the connection open and send the second request
> - Provide back, from username/password, a one-time token that will be returned
>   with the OTP
> 
> On the other side, Kanarip did say it's all a matter of compromise and we just
> need to make a tradeoff on what we want and which risk we're ready to take.

Oh, one more remark: he said that if we send username/password/otp in one single
request, we should ban time-based OTP.


Pierre
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
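The second of Kanarip's two propositions, as an added example that is not code from the thread or from Fedora Infrastructure: request 1 carries only username and password and is answered with an opaque one-time token; request 2 carries only that token and the OTP, so the server can correlate the two without the credentials and the OTP ever travelling together. The token TTL, the token format and the TOTP helper are assumptions; the thread does not specify them.

```python
import hashlib
import hmac
import secrets


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226 (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """TOTP per RFC 6238: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


class TwoStepLogin:
    """Server-side state for the two-request login flow (assumed design)."""

    def __init__(self, users: dict, token_ttl: int = 60):
        self.users = users          # username -> (password, otp_secret); real code stores password hashes
        self.token_ttl = token_ttl  # assumption: seconds a login token stays valid
        self.pending = {}           # token -> (username, issued_at)

    def step1_password(self, username: str, password: str, now: int):
        """Request 1: username + password only. Returns an opaque token, or None."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user[0], password):
            return None
        token = secrets.token_urlsafe(32)   # unguessable, never derived from the credentials
        self.pending[token] = (username, now)
        return token

    def step2_otp(self, token: str, otp: str, now: int) -> bool:
        """Request 2: token + OTP only. The token is consumed on first use, valid or not."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False                    # unknown or already-used token
        username, issued = entry
        if now - issued > self.token_ttl:
            return False                    # token expired; client must restart at step 1
        return hmac.compare_digest(totp(self.users[username][1], now), otp)


if __name__ == "__main__":
    # Constructed sample user; the OTP secret is the RFC 4226/6238 test-vector key.
    login = TwoStepLogin({"alice": ("correct horse", b"12345678901234567890")})
    tok = login.step1_password("alice", "correct horse", now=40)
    print("login ok:", login.step2_otp(tok, totp(b"12345678901234567890", 59), now=59))
```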