656 points EthanHeilman | 1 comments
fire No.30105124
I wonder if the recommendation for context-aware auth also includes broader adoption of Impossible Travel style checks?

For context, Impossible Travel is typically defined as an absolute minimum travel time between two points based on the geographical distance between them, with the points themselves being derived from event-associated IPs via geolocation.

The idea is that if a pair of events breaches that minimum travel time by some threshold, it's a sign of credential compromise. It's effective for mitigating active session theft, for example, as any out-of-region access would violate the aforementioned minimum travel time between locations and produce a detectable anomaly.

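As an added example (not code from the thread) of the check fire describes: consecutive login events for one user are geolocated, the great-circle distance between them is compared with the elapsed time, and any pair that implies a speed no traveller could reach is flagged. The coordinates, timestamps, the 900 km/h ceiling and the 100 km jitter floor are constructed assumptions; the GeoIP lookup itself is assumed to have already happened.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
EARTH_RADIUS_KM = 6371.0

@dataclass(frozen=True)
class AuthEvent:
    user: str
    ts: float   # Unix seconds
    lat: float  # assumed: resolved from the event's source IP by a GeoIP lookup
    lon: float

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in km."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def implied_speed_kmh(a: AuthEvent, b: AuthEvent) -> float:
    """Speed a person would need to get from event a to event b."""
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = abs(b.ts - a.ts) / 3600
    if hours == 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours

def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive same-user events that breach the speed ceiling. Pairs
    closer than min_distance_km are skipped so GeoIP jitter (e.g. CGNAT giving
    a whole region one city-level location) does not raise alerts."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)
    flagged = []
    for evs in by_user.values():
        for a, b in zip(evs, evs[1:]):
            if haversine_km(a.lat, a.lon, b.lat, b.lon) < min_distance_km:
                continue
            speed = implied_speed_kmh(a, b)
            if speed > max_speed_kmh:
                flagged.append((a, b, speed))
    return flagged

# Constructed sample: alice "moves" London -> New York in 30 minutes,
# bob makes a plausible London -> Paris trip over three hours.
SAMPLE_EVENTS = [
    AuthEvent("alice", 0, 51.5074, -0.1278),
    AuthEvent("alice", 1800, 40.7128, -74.0060),
    AuthEvent("bob", 0, 51.5074, -0.1278),
    AuthEvent("bob", 10800, 48.8566, 2.3522),
]
```

`impossible_travel(SAMPLE_EVENTS)` returns only alice's pair, at roughly 11,000 km/h implied speed; the two thresholds are where the VPN and CGNAT false-positive concerns in the replies have to be absorbed.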
judge2020 No.30106578
Is this practical? I would imagine with how peering can get better/worse in an instant (and continuously change as different routers pick up new routes) you can't use ping to measure this, and geoip databases don't seem like a source you could trust, especially with CGNAT throwing you onto some generic IP with a geoIP that everyone else in a 200 mile radius also gets.
nybble41 No.30108392
Any kind of tunnel or VPN would also mess with the minimum travel time. This seems like a good way to cause more problems for regular people just trying to log in from slightly unusual network configurations than for any hypothetical man-in-the-middle.