[–]magnora7[S]

If they can post from my account, we have much bigger problems than the canary

[–]elephant-movement-2

How many authentication bypass vulnerabilities in web applications were discovered in the past 10 years? It's no substitute for an air-gapped computer used to cryptographically sign warrant canaries with GPG.

[–]magnora7[S]

> How many authentication bypass vulnerabilities in web applications were discovered in the past 10 years?

How would that make someone NOT post a canary over a 2 month period? If I was completely locked out of my own account for 2 months then that would mean we've completely lost control of the whole website anyway, so the signature would be redundant.

[–]danuker

A GPG-signed canary would allow you to publish authenticated messages irrespective of the security status of the website.

The only attackers that can fake a valid signature from a consistent key are the ones that have access to the computer used to sign.
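
Added example, not part of the thread or of any site's own tooling: how a reader could check a GPG-signed canary against a pinned key fingerprint and a freshness window by parsing `gpg --status-fd` output. The function names, the 62-day window (standing in for the "2 month period" above) and the file path are assumptions.

```python
import subprocess
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=62)  # assumption: the thread's "2 month period"
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def _parse_time(field):
    # gpg reports seconds since the epoch, or ISO 8601 basic format (with a "T").
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def check_status(status_text, pinned_fpr, now, max_age=MAX_AGE):
    """Judge `gpg --status-fd` output; returns (accepted, reason)."""
    pinned = pinned_fpr.replace(" ", "").upper()
    valid = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        # VALIDSIG is also emitted for expired or revoked keys, so these veto it.
        if parts[1] in REJECT:
            return False, "gpg reported " + parts[1]
        if parts[1] == "VALIDSIG" and len(parts) >= 5:
            if valid is not None:
                return False, "more than one signature"
            valid = parts
    if valid is None:
        return False, "no valid signature"
    # Field 2 is the signing (sub)key fingerprint, the last field the primary key's.
    if pinned not in (valid[2].upper(), valid[-1].upper()):
        return False, "signed by a key other than the pinned one"
    signed_at = _parse_time(valid[4])
    if signed_at > now + timedelta(minutes=5):
        return False, "signature dated in the future"
    if now - signed_at > max_age:
        return False, "canary is stale"
    return True, "signed by pinned key on " + signed_at.date().isoformat()

def verify_canary(path, pinned_fpr):
    """Run gpg on a clearsigned canary file and apply the checks above."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return check_status(proc.stdout, pinned_fpr, datetime.now(timezone.utc))
```

The pinned fingerprint has to come from somewhere other than the website itself, and the signature time is whatever the signing machine's clock said.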