[PLUG] Secret message web page

Quentin Hartman qhartman at gmail.com
Mon Apr 16 17:58:57 UTC 2007


On 4/16/07, Michael Rasmussen <mikeraz at patch.com> wrote:
>
>
> Charlie Schluting wrote:
> > Everyone is always uppity about MITM attacks. The truth is...
>
> The truth is Keith's use for this isn't worth the effort of setting up a
> MITM.
>
> He has described a system that makes the cost of compromise higher than
> the reward of compromising.  That's good security.


I agree with this sentiment entirely. However, looking at the problem from
this angle, is the information sensitive enough to warrant the amount of
work required to intercept the plaintext email that would have been sent
normally? Only Keith can really answer that, but as mentioned previously
with regard to MITM attacks, I'd wager that the effort required to
intercept that mail is pretty substantial already, corrupt ISP admins aside.

Other than that, this approach has a couple of other effects. It heightens
awareness of security amongst people who wouldn't really think about it
otherwise (good), but it does so in a non-standard way (bad) that isn't
likely to be usable when working with someone other than Keith (bad) but it
is something that they can grasp (good).

Personally, my solution to this problem is to either get this sort of
information over the phone or in person when possible. When that is not
possible I change the password immediately if it allows access to sensitive
information. For most stuff though, the value of my secrets is so low that
anyone going to the trouble of intercepting them is in for a net loss on the
project, so I don't worry about it much.

-- 
-Regards-

-Quentin Hartman-


