Re: Recovery of compromised WebID from Jonas Smedegaard on 2019-03-03 (public-webid@w3.org from March 2019)

From: Jonas Smedegaard <jonas@jones.dk>
Date: Sun, 03 Mar 2019 18:50:19 +0100
To: Sebastian Hellmann <hellmann@informatik.uni-leipzig.de>, public-webid@w3.org
Message-ID: <155163541930.19101.2283255405231247971@auryn.jones.dk>

Quoting Sebastian Hellmann (2019-03-03 17:43:27)
> what you write confirms my fears.
> 
> On 03.03.19 10:47, Jonas Smedegaard wrote:
> > Quoting Sebastian Hellmann (2019-03-03 09:41:40)
> >> If I find a way to change your public key in your WebID to match my 
> >> private key, can I log into your accounts with my private key?

[...]

> > This is a WebID: https://dr.jones.dk/me/#me

> I am sure some of [the hosts pointing to same IP number] are on the 
> same server as your WebID and maybe I find a hole in them for 
> accessing your webid  document directly or more subtle add a .htaccess 
> rule .

Ok, so your question is not specific to WebID, but boils down to "if 
security was not secure...?"

Then answer to that is a simple "Yes".

That is the equivalent of making a fake passport or birth certificate.  
No need for bribing authorities or threatening the owner, "just" crack 
systems - we all know from the movies that's piece of cake.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Received on Sunday, 3 March 2019 17:50:51 UTC