Re: [tlug] webmail password protection?

[Josh Glover <jmglov@example.com>]

On 25/01/06, Ian Wells <ijw@example.com> wrote:

> On a more general note, the only way to have trustworthy end-to-end comms is
> to have control of both ends.  For instance, even the USB key jobbies with a
> Linux computer in that use no software on the machine are still susceptible
> to keyboard cable sniffing.  So, Zaurus + wifi + e.g. IPSEC is good, and any
> prevention measure on an untrusted machine is not.

Agreed, but my trusted proxy idea should work as long as it keeps your
webmail password for you. So the password you would be prompted for
would not be your webmail password; it would be a one-time password
that would authenticate you to the proxy, which would then feed the
webmail password to the webmail software for you.

This would at least keep your webmail password secure (unless I am
missing something).

However, any text that gets rendered by the browser (and thus enters
memory at some point)--as well as any text that you input on the
untrusted machine--*cannot* be considered secure. As you say, it could
be keylogged. It could be snagged directly from the machine's memory.
It could even be van Eck phreaked (in theory--in practise, no-one is
going to spend that much money to pwnZ0r your email account).

Cheers,
Josh