this post was submitted on 08 Nov 2023
Technology
Was surprised at first, then I went to go log in to change my password.
And then it said I was emailed a 2FA code... the code was part of the email header.
Now I'm completely unsurprised this happened.
I'm not sure what you're implying here regarding headers? Email is insecure regardless; even when using SMTP with TLS, it's not like the headers are exposed whereas the body would be encrypted or something.
Well, with PGP the header is unencrypted. But even with just SMTP, the issue is simpler.
Putting it in the header makes it more accessible.
Various emails could have the header "Is this you?", and not all of them will hold a 2FA code, and even if they do, they may time out before you can find it and use it.
But if the email has the header "Your secure 2FA code is 123456" from "[email protected]",
then, unsurprisingly, logging into example.com with the user's email and that 2FA code is going to be a breeze.
Is there a single large company that even sends PGP email?
Sure, IF 1. you already have the user's password, and 2. a new code wouldn't be required/the previous code invalidated when initiating a new login session?
Like, I'm not saying that 2FA codes via email is secure, but you're implying that they are making a security hole via this - which I don't see.
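The two conditions that comment lists (the code is useless without the password, and a fresh login attempt should mint a new code and kill the old one) plus the first commenter's complaint (the code sitting in the Subject header) are easy to state as code. The following is an added example, not code from the thread or from LinkedIn; the store, the sender address no-reply@example.com, the 5-minute TTL and the 5-attempt cap are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from email.message import EmailMessage

CODE_TTL_SECONDS = 300   # assumed lifetime of an emailed code
MAX_ATTEMPTS = 5         # assumed guess budget before the code is burned


def _hash(code: str) -> str:
    # Store only a digest so a leaked store does not hand out live codes.
    return hashlib.sha256(code.encode()).hexdigest()


class EmailOtpStore:
    """In-memory issue/verify store for emailed one-time codes (constructed example)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self._pending = {}       # user_id -> pending code record

    def issue(self, user_id: str, session_id: str) -> str:
        """Mint a fresh 6-digit code bound to this login session.

        Overwriting the record invalidates any code from an earlier attempt,
        which is the 'previous code invalidated' behaviour the comment asks about.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = {
            "hash": _hash(code),
            "expires_at": self._now() + CODE_TTL_SECONDS,
            "session": session_id,
            "attempts": 0,
        }
        return code

    def verify(self, user_id: str, session_id: str, code: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._now() > entry["expires_at"]:
            del self._pending[user_id]           # expired: drop it
            return False
        if session_id != entry["session"]:
            return False                         # code belongs to a different login attempt
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]           # too many guesses: burn the code
            return False
        if hmac.compare_digest(entry["hash"], _hash(code)):
            del self._pending[user_id]           # single use
            return True
        return False


def build_code_mail(to_addr: str, code: str) -> EmailMessage:
    """Put the code in the body only; the Subject stays generic.

    Headers travel in the clear even when the body is PGP-encrypted, and a
    code in the Subject is readable from any inbox preview.
    """
    msg = EmailMessage()
    msg["From"] = "no-reply@example.com"        # hypothetical sender
    msg["To"] = to_addr
    msg["Subject"] = "Confirm your sign-in"     # no secret in the header
    msg.set_content(f"Your sign-in code is {code}. It expires in 5 minutes.")
    return msg


def code_leaks_in_headers(msg: EmailMessage, code: str) -> bool:
    """True if the code appears in any header value (what the first commenter saw)."""
    return any(code in value for value in msg.values())


if __name__ == "__main__":
    store = EmailOtpStore()
    code = store.issue("alice", "session-1")
    mail = build_code_mail("alice@example.com", code)   # constructed recipient
    print("code in headers:", code_leaks_in_headers(mail, code))
    print("verify wrong session:", store.verify("alice", "session-2", code))
    print("verify right session:", store.verify("alice", "session-1", code))
    print("verify replay:", store.verify("alice", "session-1", code))
```

The session binding is the piece that closes the hole described in the thread: an attacker who has the password and starts their own login gets a new code emailed, and the victim's older code, even if read from a Subject line, no longer verifies for that session.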
PGP, the greatest program never used by anyone
I used it. For about 10 minutes. Then I read the help files. Then I searched. Then I used it some more. Then I uninstalled it.
Unless you followed by installing gpg... then you failed. There are tons of uses for it, not necessarily encrypting emails (or more precisely, it kind of sucks at encrypting emails).
Yeah not following the logic. 2FA via email is insecure. Doesn’t matter where in the email. That person is confused about something.
... part of the Subject header in the encrypted body of the message, you mean? What a nothing-burger.
Encrypted what? LinkedIn lets you add a key/cert to send you encrypted emails?