Subject: Re: E-mail authentication during posting
Newsgroups: lugnet.admin.nntp
Date: Wed, 20 Jun 2001 10:28:49 GMT
In lugnet.admin.nntp, Horst Lehner writes:
> Hello Ross, hello everybody,
>
> Can one of you set me straight: I assume the attacker has no access to my
> email account. How could he, then, automate an email reply I have to send in
> order to make my post valid?

If you automate the response to the authentication e-mail, all I have to do is
spoof your identity as Mad Hatter has done several times. Because the
authentication gets sent to your email regardless of where I post from, and
your response is automated, Lugnet gets the response it's looking for, and the
post is authenticated. If the response can be automated, people will automate
it. (Look at the number of people who have their Lugnet cookie permanently in
their browser & never sign in at all.)

> As for a minimum amount of interactivity, I can probably live with that,
> and, indeed, it is necessary to not let some authentication replies slip
> through unnoticed. It would still be nice to combine that with some
> mechanism that allows to authenticate a whole set of postings at once ...

This is something several people have asked for, and I'm sure something can be
done to facilitate it.

> Now, just to make sure we do not just discuss the potentially unfinished
> odds and ends, let me try and summarize the situation as it is right now,
> after the "lost messages" problem seems to be fixed. There are basically
> three use cases, and there seems to be some consensus that, ideally, none of
> them should require a cross media authentication solution:
>
> - The Web interface
> Everybody who uses this seems to be very happy with the solution
> Todd worked out, because it is very well integrated, and therefore
> almost invisible to legitimate users.

It has no noticeable impact on web posters - that does not mean they're all
happy with the solution. Refer to my other posts.

Regards

ROSCO


