[LINK] Millions of LinkedIn passwords leaked online
Fernando Cassia
fcassia at gmail.com
Wed Jun 13 15:05:33 AEST 2012
On Wed, Jun 13, 2012 at 1:52 AM, Ben Elliston <bje at air.net.au> wrote:
> That leak check site. How do you know it's not malicious?
>
Because:
1. It's hosted by a software firm. Not an anonymous individual.
2. It was mentioned on Twitter by IT writer Esther Schindler, whom I have known
since the 1990s, and she added that its javascript source code (which
anyone can view using the web browser's "view source") was "audited" and
"apparently safe".
Of course, that means I rely on my trust of #1 and #2. And of course, too,
that also means nobody can know what the site does with the encrypted hash
after you submit it (besides comparing to the leaked database and letting
you know the result).
> > Passwords alone are of little use without the e-mail address or
> > log-in user name that goes along with it.
>
> HTTP requests of mine to that site would come from my static IP.
> Surely you're not suggesting the web is anonymous? Now, if you want
> to do it via Tor, that makes much more sense!
>
You're right about the danger to people using fixed IPs, where that fixed
IP is used by a single individual, of course.
I was thinking about the risk for most residential broadband users on
dynamic IP addresses.
FC
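An added example, not part of this thread and not the code of the leak-check site discussed above. It shows the two ways a practitioner avoids the concern raised here (that nobody knows what the site does with a submitted hash): check against a local copy of the dump so nothing leaves the machine, or send only a short prefix of the hash so the site never holds a value it could crack. The leaked list, the PrefixServer class and its five-character prefix length are constructed for the example and are assumptions, not a description of any real service. The zero-prefixed entry mirrors the form of many hashes in the public LinkedIn dump, where the first five hex characters had been overwritten with zeros.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the form the 2012 LinkedIn dump used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample "leaked" list for this example: hashes of a few weak
# passwords, plus one entry whose first five hex characters have been
# overwritten with zeros, as many entries in the public dump were.
# This is not real leaked data.
SAMPLE_LEAK = {sha1_hex(p) for p in ("password", "linkedin", "123456")}
SAMPLE_LEAK.add("00000" + sha1_hex("letmein")[5:])


def candidate_forms(password: str):
    """Both forms a hash may take in the dump: intact, or zero-prefixed."""
    h = sha1_hex(password)
    return (h, "00000" + h[5:])


def check_locally(password: str, leaked: set) -> bool:
    """Offline check against a local copy of the dump: nothing is
    submitted anywhere, so there is no question of what a site keeps."""
    return any(form in leaked for form in candidate_forms(password))


class PrefixServer:
    """Hypothetical range-query service (an assumed design, not the site
    from the thread). The client sends only the first five hex characters
    of its hash and receives every leaked suffix under that prefix.
    The server records what it was sent so the example can show that
    the full hash never reaches it."""

    def __init__(self, leaked: set):
        self.leaked = leaked
        self.received = []

    def query(self, prefix: str):
        self.received.append(prefix)
        return sorted(h[5:] for h in self.leaked if h.startswith(prefix))


def check_with_prefix(password: str, server: PrefixServer) -> bool:
    """Client side of the range query. Two prefixes are sent: the real one
    and '00000', to catch zero-prefixed entries. The comparison of the
    suffix happens locally; the server only ever sees five characters."""
    h = sha1_hex(password)
    suffix = h[5:]
    return any(suffix in server.query(prefix) for prefix in (h[:5], "00000"))


if __name__ == "__main__":
    server = PrefixServer(SAMPLE_LEAK)
    for pw in ("password", "letmein", "correct horse battery staple"):
        print(pw, check_locally(pw, SAMPLE_LEAK), check_with_prefix(pw, server))
    print("server saw only:", server.received)
```

With a local copy the check is entirely offline, which also answers the static-IP point: there is no request to correlate with an address. With the prefix query the site learns five hex characters and the requester's IP, but not a hash it could feed to a cracker, so even a dishonest operator gains nothing from the password itself.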