Re: [tlug] webmail password protection?

[Edward Middleton <edward@example.com>]

Josh Glover wrote:
> On 25/01/06, Ian Wells <ijw@example.com> wrote:
>   
>> On a more general note, the only way to have trustworthy end-to-end comms is
>> to have control of both ends.  For instance, even the USB key jobbies with a
>> Linux computer in that use no software on the machine are still susceptible
>> to keyboard cable sniffing.  So, Zaurus + wifi + e.g. IPSEC is good, and any
>> prevention measure on an untrusted machine is not.
>>     
> Agreed, but my trusted proxy idea should work as long as it keeps your
> webmail password for you. So the password you would be prompted for
> would not be your webmail password; it would be a one-time password
> that would authenticate you to the proxy, which would then feed the
> webmail password to the webmail software for you.
>
> This would at least keep your webmail password secure (unless I am
> missing something).
>   
If the thief created a program/browser plugin that intercepted network
requests with password fields they could simply give you an error
message and login using your proxy and one time password.  Obviously you
could change it but they have already had the opportunity to access you
email.

Edward