interesting-people message



Subject: [IP] more on Confirmed: Twitter DNS diversion used Twitter login credentials






Begin forwarded message:

From: "Ed Gerck, Ph.D." <egerck@nma.com>
Date: December 18, 2009 5:09:54 PM EST
To: dave@farber.net
Cc: ip <ip@v2.listbox.com>
Subject: Re: [IP] more on Confirmed: Twitter DNS diversion used Twitter login credentials

[Dave: Greetings! For IP if you wish]
It is interesting to consider that apparently a single
username/password pair was able to take Twitter's entire Web site
effectively offline globally.

Twitter has used a weak password before (google: Another Security Tip For Twitter: Don’t Use "Password" As Your Server Password), so this may be just the same.

Yes, the problem is pervasive with username/password authentication, but why don't people use certificate-based access authentication?

In search of feedback on solutions, I'd like to invite IP'ers to take five minutes and go over these and other frequently asked questions in the paper, and leave comments, at www.email-security.net/papers/takefive.htm

Cheers,
Ed Gerck
www.gerck.com