by akskos 2655 days ago
I once lost my ProtonMail password and was able to get my account back by providing only my browser information, display name, rough timestamps of my requests to their servers, and the fact that "I preserved the last session for quite a long time". Not sure how secure that was :D Of course I didn't get back any of the emails, since they were encrypted with the previous password, but still, if that is their normal protocol, someone with my browser information and name could just MITM me, recording the timestamps of requests to ProtonMail's server, and request a password reset.
1 comment

> someone with my browser information and name could just MITM me, recording the timestamps of requests to ProtonMail's server, and request a password reset.

If they can MITM you, why not steal the password directly, or serve malicious JS to get your password?

Because HTTPS mitigates their attack vectors as a MITM. They can't steal the password, since it's not sent in plaintext, and for similar reasons they can't deliver/inject malicious JavaScript. They could collect timestamps, though, and scrape header information from HTTP connections to other sites.

Not really. It just requires an HTTPS MITM. It is harder to have a CA that can create a cert that looks like it was issued for the original website you are trying to reach, but this is standard practice in government agencies to MITM HTTPS communication. The mitigation for this sort of attack is called certificate pinning.

https://security.stackexchange.com/questions/29988/what-is-c...

That's a fair point. My reply was more in the context of the root comment, and with an average attacker in mind, where they were describing eavesdropping as opposed to an attack carried out by a sophisticated actor.

My point was that MITMing HTTPS and HSTS isn't really necessary to carry out an attack as described by the root comment.

You only need to be in a position to eavesdrop on and/or MITM HTTP connections to scrape together the necessary information; a much lower bar.

True, I guess I was just nitpicking. :)
What you're describing is eavesdropping, not MITM.
In that case, I meant eavesdropping.