Timeline for Do we need to logout of webapps?
Current License: CC BY-SA 3.0
14 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Dec 13, 2013 at 15:58 | review: Suggested edits | | | |
| Dec 13, 2013 at 16:07 | | | | |
| Oct 15, 2013 at 4:57 | comment added | LateralFractal | | @drjimbob In practice the best solution would be a phone with the ability to co-opt other resources as applicable (larger monitor, keyboard, fixed ethernet, etc). As it stands, consumer mobiles (post-Blackberry) are much less secure than any desktop - including headless ones. But I fear we've drifted off topic. We could use Chat for further elaboration. |
| Oct 15, 2013 at 4:48 | comment added | dr jimbob | | @LateralFractal - It doesn't use a keyboard that may not be your own? Ever since we've entered the age of pocket-sized mobile devices, I can't recall ever needing to use public/untrusted computers to do things like check my email (or worse, bank account) or log in to a server. And I'm not even particularly paranoid. |
| Oct 15, 2013 at 4:38 | comment added | LateralFractal | | Or, put another way, the perfect is the enemy of the good. |
| Oct 15, 2013 at 4:37 | comment added | LateralFractal | | @drjimbob There are degrees of trust, so if hardware is also untrusted then you are of course limited to whatever personal computer you can bring with you. However, laptops are quite large and mobile phones are radio beacons, so a computing stick the size of a KitKat is tempting. The purpose of headless computers is to provide a wider range of protected content than the 256-bit seed on an OTP dongle, while borrowing host resources. While I'm not a shill for what is probably vaporware - depending on how it's plugged in, the only host resources should be an HDCP-HDMI monitor and its power supply. |
| Oct 15, 2013 at 3:55 | comment added | dr jimbob | | @LateralFractal - Hardware keyloggers. (Sure, with 2-factor authentication you potentially could be safe in this situation - if your memorized passwords are completely useless in the hands of an adversary -- but really, even in that case, why not log in from your second-factor device.) |
| Oct 14, 2013 at 23:50 | comment added | LateralFractal | | @drjimbob If USB computers like Cotton Candy aren't vaporware, then you can safely use an untrusted host computer in that fashion. |
| Oct 14, 2013 at 19:02 | comment added | dr jimbob | | If you actually care about the service (or compromising the service could lead to attacks that compromise services you care about -- e.g., use your email account to get into your bank account via a password reset), you should never use the service on a public untrusted computer or on public wifi (well, technically, public wifi is fine if it's https for the entire connection and neither your machine nor the CA has been compromised). |
| Oct 14, 2013 at 15:29 | history edited | Adi | CC BY-SA 3.0 | added 79 characters in body |
| Oct 14, 2013 at 14:56 | comment added | Adi | | @ŁukaszL. Some services have timeouts, other services don't. Some services have IP restrictions, others don't. |
| Oct 14, 2013 at 14:22 | comment added | user9850 | | This means, if my laptop gets stolen, the credentials should be automatically invalidated, because the IP will change? |
| Oct 14, 2013 at 12:40 | comment added | Rohan | | I'd like to add that XSS can be utilized to perform request forgery, in which case the timeout on the cookie is irrelevant. |
| Oct 14, 2013 at 10:57 | comment added | Angelo.Hannes | | So the threats are the same while I am logged in, and logging out only shortens the time frame? |
| Oct 14, 2013 at 7:59 | history answered | Adi | CC BY-SA 3.0 | |