Skip to main content

Heartbleed, Two-factor authentication and cascading failure

(0 comments)

For the record, we use java for certificates, not openssl, so the WiKIDAdmin server interface (which should not be Internet-facing anyway) is not vulnerable to Heartbleed.

The software tokens use asymmetric encryption and do not use SSL at all.   Early on we made a decision to not rely on the encryption provided by the carriers for our tokens.  Instead we use RSA 2048-bit encryption or the  equivalent in Ntru for more control. Obviously, we too could be subject to an attack on some subsystem we rely on, such as a weak RNG in an OS, but we try real hard to avoid that.

Why? Because picture this scenario:  You use SMS for two-factor authentication.  Your system is reliant on the security of theirs.  You already know they have no password strength requirements.  Do you know if they were/are vulnerable to Heartbleed?  I don't mean to play the FUD card, rather I want focus on smart design choices.  There's nothing you can do to make a big wireless carrier risk increase their security, but you can donate to the OpenSSL Foundation.  There will be vulnerabilities always, can you deal with them if they matter to you?  Try to design that in.

Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

Recent Posts

Archive

2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom