So, it seemed like a great idea to: (a) help get more people using PGP and (b) protect peoples' communication and (c) offer more protection for account holders, plus (d) it was cool, and fun to build. That's why. Any more questions?
Replying to @AlecMuffett @Pinboard
ps: 1) consider the number of email providers that get popped 2) consider the number of passwords that are reused 3) consider how beneficial it might be to have a private key stashed on a laptop, protecting your account recovery flow 4) wonder why you haven't enabled it already?
1 reply 1 retweet 2 likes -
Replying to @AlecMuffett
The setup process for adding your PGP key to Facebook encourages you to add your mobile phone number, which overall makes your account less secure.
1 reply 0 retweets 2 likes -
Replying to @Pinboard
"HEY, FACEBOOK! I LOST MY PGP KEY AND MY ACCOUNT PASSWORD! CAN YOU HELP?" "Did you set up an alternative form of 2FA? Like SMS or something?" "NO, BECAUSE I AM SECRETLY EDWARD SNOWDEN AND HAVE A THREAT MODEL. OR SOMETHING." "Oops."
4 replies 1 retweet 7 likes -
Replying to @AlecMuffett
Facebook actually has a fallback authentication mechanism that doesn't make you more vulnerable ('Trusted Friends'), but it encourages you to add SMS. Sad!
1 reply 0 retweets 1 like -
Replying to @Pinboard
In case this little role-play is not clear: using PGP to secure your account is not some half-assed thing; if you lose both your PGP key AND ALSO your Facebook password, you are _screwed_; hence the push towards backup 2FA. I am not sure what the minimum spec is at the moment.
1 reply 0 retweets 1 like -
Replying to @AlecMuffett
My point is the backup 2FA it pushes you to use more than negates the security advantage of having this feature in the first place. Additional bonus point: ALL CAPS mockery may not be the most effective way for us to discuss this
1 reply 0 retweets 1 like -
Replying to @Pinboard
"OMG! Edward! Really? Can I have your autograph?" We can leave the discussion of the ease of mounting a SS7 attack against everyday users, versus the likelihood that anyone who -really- might face an SS7 attack not choosing "Trusted Contacts", until morning my time.
3 replies 0 retweets 0 likes -
Replying to @Pinboard
Well, I'm not getting paid for this shit, and I'm not invested in fixing _you_, so I'm just in it for the lulz. If you wanna take the "ZOMG SMS IS SOO INSECURE BECAUSE SS7" tack, be my guest, but I'll call that "idealist to the point of making users' lives overcomplicated".
2 replies 0 retweets 1 like
The specific SMS threats I worry about for campaigns I work with are a) someone gets access to a phone that is configured to show SMS messages on the lock screen, b) social engineering attacks that reassign a phone number.