On Saturday 07 Jul 2012 14:05:37 Andy Smith wrote:
> Suggestions revolving around the customer identifying themselves
> using public key crypto (PGP keys, SSH keys) are fine but do bear in
> mind that most customers have not presented either a PGP or an SSH key
> to me, and that would have to be done before it was actually needed.
> I could require that an SSH and/or PGP key be uploaded to the panel
> before the panel allows you to disable email password resets, though
> there would still need to be a plan in place for the inevitable case
> where the customer claims to no longer have access to any of the
> keys they have uploaded.
I think this is the best suggestion. Require a GPG key off everyone.
If the VPS owner has chosen to disable password reset (which for a security
sensitive site, they almost certainly should -- emails aren't secure), then
it is their duty to supply a public-key method of verifying their identity.
If they haven't done that then I don't think it's unreasonable for you to
require any level of:
- Birth certificate
- Utility bill
- Passport
- Freshly made photo of them holding today's paper with a secret phrase of
your choice written on it.
- An unlocking payment from the same source as the original VPS purchase
In short: paranoia. Disabling password reset implies a level of security
that should be maintained. It's saying "I take full responsibility for the
password to this VPS, and if I lose it, I accept that I may never get access
again".
The alternative is that social engineering will get an attacker access; and
that's often a considerably easier brute-forcing problem than a password.
Andy
--
Dr Andy Parkins
andyparkins(a)gmail.com
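The "public-key method of verifying their identity" the reply asks for can be made concrete as a challenge-response: the panel keeps the key the customer uploaded in advance, hands out a fresh random nonce when recovery is requested, and only re-enables access if the customer returns a signature over that nonce made with the matching private key. The following is an added illustration, not code from the thread or from any hosting panel; it uses raw Ed25519 signatures from Go's standard library as a stand-in for the PGP/SSH keys discussed, and the `Panel` type, the `vps-recovery-v1:` message format and the account names are assumptions made for the example. The message binds the account name and a purpose prefix, so a signature the customer made for some other reason (an SSH login, for instance) cannot be replayed as a recovery proof, and each challenge is consumed on its first use and expires after a fixed window.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ChallengeMessage is the exact byte string the customer must sign.
// The purpose prefix and account name are part of the signed data so a
// signature made for another purpose or another account is not accepted.
// (Hypothetical format chosen for this example.)
func ChallengeMessage(account string, nonce []byte) []byte {
	return []byte("vps-recovery-v1:" + account + ":" + hex.EncodeToString(nonce))
}

type challenge struct {
	nonce   []byte
	expires time.Time
}

// Panel is a minimal stand-in for the control panel's recovery endpoint:
// one registered key per account and at most one outstanding challenge.
type Panel struct {
	mu      sync.Mutex
	keys    map[string]ed25519.PublicKey
	pending map[string]challenge
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry is testable
}

func NewPanel(ttl time.Duration) *Panel {
	return &Panel{
		keys:    make(map[string]ed25519.PublicKey),
		pending: make(map[string]challenge),
		ttl:     ttl,
		now:     time.Now,
	}
}

// RegisterKey stores the customer's public key. This is the step that has
// to happen before email resets are disabled; a recovery request for an
// account with no key on file gets no challenge at all.
func (p *Panel) RegisterKey(account string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	p.mu.Lock()
	defer p.mu.Unlock()
	p.keys[account] = pub
	return nil
}

// Issue mints a fresh 256-bit random nonce for the account, replacing any
// earlier unanswered challenge so only the newest one is valid.
func (p *Panel) Issue(account string) ([]byte, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if _, ok := p.keys[account]; !ok {
		return nil, errors.New("no public key registered; key-based recovery unavailable")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	p.pending[account] = challenge{nonce: nonce, expires: p.now().Add(p.ttl)}
	return nonce, nil
}

// Verify consumes the outstanding challenge and reports whether sig is a
// valid signature by the registered key over ChallengeMessage. The challenge
// is deleted on every attempt, so a captured signature cannot be replayed and
// a failed attempt forces a new Issue.
func (p *Panel) Verify(account string, sig []byte) (bool, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	c, ok := p.pending[account]
	if !ok {
		return false, errors.New("no outstanding challenge")
	}
	delete(p.pending, account)
	if p.now().After(c.expires) {
		return false, errors.New("challenge expired")
	}
	pub, ok := p.keys[account]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return false, errors.New("no public key registered")
	}
	return ed25519.Verify(pub, ChallengeMessage(account, c.nonce), sig), nil
}

// Respond is the customer's side: sign the challenge with the private key,
// which never leaves the customer's machine.
func Respond(priv ed25519.PrivateKey, account string, nonce []byte) []byte {
	return ed25519.Sign(priv, ChallengeMessage(account, nonce))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	panel := NewPanel(5 * time.Minute)
	_ = panel.RegisterKey("alice", pub) // "alice" is a constructed account name
	nonce, _ := panel.Issue("alice")
	ok, err := panel.Verify("alice", Respond(priv, "alice", nonce))
	fmt.Println("first response accepted:", ok, err)
	ok, err = panel.Verify("alice", Respond(priv, "alice", nonce))
	fmt.Println("replayed response accepted:", ok, err)
}
```

The design choice worth noting is that `Issue` refuses accounts with no registered key rather than falling back to anything weaker; that is what makes "upload the key before you need it" enforceable, and it leaves the lost-key case to the out-of-band checks the reply lists rather than to the panel.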