Re: A Letter to the Authors of Web Authentication Libraries

Sat, 09 May 2009 13:42:44 -0700 

On May 9, 2009, at 8:40 AM, Ross Lawley wrote:
Its not *just* noise, its not the first time such conversations have come up and I'm yet to be convinced javascript can provide a solid solution. 


No one ever said it was fool-proof, its an alternative to using SSL.  
I've never heard anyone propose that optionally allowing a more secure  
(than just plaintext) login scheme actually makes things less secure.  
Can you elaborate on how automatically using a slightly more secure  
scheme (when available) actually makes things less secure?



At the end of the day you’re not sending information over a trusted  
channel, that is the issue.



Lots of secure systems use challenge-response to securely send  
information over a non-trusted channel, like say, public-private key  
crypto systems. Are they all insecure?



If you don't want to pay the cost of https, then use someone elses;  
OAuth, OpenID.



OAuth is not for logins, its for something else entirely (client-side  
programs that need access to data, and last I checked it actually uses  
challenge-response like Paul's scheme). OpenID requires a user to have  
an OpenID provider, this system is merely an alternative to a plain- 
text login for a site. OpenID add's a hell of a lot more complexity to  
the server-code than this scheme (way way way way more, it sucks to  
implement), with plenty of new attack vectors. I'm baffled that you'd  
consider it a better option.



Does client side encryption hurt anything here? No. But is there a  
serious threat model that it helps with? No.



It helps prevent those who can watch the line between you and the  
server, because they no longer get to see passwords fly over in clear  
text all day long. Does that help? You betcha. Is it as secure as SSL?  
Nope, this is just an optionally more secure scheme than plain-text  
for clients that support it (which most do).



Paul, on a side-note, I'd be interested in making some helpers that  
allow one to easily setup your system. WebHelpers already has a helper  
in it now that can be used with a Pylons decorator, that drops in a  
unique token into a form to prevent CSRF attacks. I can see a similar  
Pylons decorator, with a WebHelper generator that would make it easy  
to drop in optional use of your system for anyone making a login form.


Cheers,
Ben


Attachment:
smime.p7s

Description: S/MIME cryptographic signature






















					Reply via email to