Slashdot Mirror
New Standard For Website Authentication Proposed: SQRL (Secure QR Login)
fsagx writes "Steve Gibson has proposed a new standard method for website authentication. The SQRL system (pronounced 'squirrel') eliminates problems inherent in traditional login techniques. The website's login presents a QR code containing the URL of its authentication service, plus a nonce. The user's smartphone signs the login URL using a private key derived from its master secret and the URL's domain name. The Smartphone sends the matching public key to identify the user, and the signature to authenticate it. It may be used alongside of traditional username/password to ease adoption."
So, basically... challenge/response tunneled inside of SSL, but with a QR code? Quick, get the patent office on the phone.
No doubt...that's connecting online identities to tracable mobile phones that can be monitored by satellite in real-time, along with information requests from providers.
Don't buy it.
I don't think it will be very popular to force user to pull out a smart-phone ( or even HAVE a smart phone ) to use a website.
So you go to a website and it displays a QR code it wants you to scan. Who knows where that QR code could redirect too.
Also, I go to a website on my smartphone. How do I scan the QR code? With my other smartphone?
Eh, our whole country adopted nonce for nearly four decades.
Programmers argue whether the right way to say SQL is S Q L or sequel. A business analyst told me her way, and I thought it fit best: squirrel.
Good summary: http://allthatiswrong.wordpress.com/2009/10/11/steve-gibson-is-a-fraud/
There are so many to choose from.
In this case, the proposer seems to be under the impression that a desktop, laptop, or tablet is more likely to be compromised than a smartphone.
I am officially gone from
Isn't this exactly what happens during SSL client certificate authentication? Modulo routing the response through a smartphone, that is.
I assume this will be enabled between Friday October 18, 8 pm to Saturday October 19, 1 am (Eastern Time).
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
You had me at "QR code".
The CB App. What's your 20?
If you want secure / two-factor today then you'll use Google Authenticator - which is what all bitcoin exchanges use. It's the standard. We don't need a new one. And it's open, so you don't need a smartphone, you can use a PC version like JAuth. This QR code thing is less smart as it would need you to actually have a smartphone - and that's a very dumb idea. The Google Authenticator standard does not, but you should use a another device (notebook computer, tablet, phone, whatever) for it since that's more secure. Anyway, this story is a yawn but that and censorship is what I've come to expect from Slashdot these days.
9/11: Never forget it was a false-flag operation
I invite everyone to let Google autocomplete that sentence. It's been well-known for a good while that absolutely no-one should pay any attention to him.
Just for giggles I did test auto complete on that and it gave:
1. steve gibson is a fake
2. steve gibson is a moron
3. steve gibson is a idiot
Could that be considered the -opinion- of the Google algorithm?
My opinion about TFS involves squirrels too. But mainly their primary food source ( pronounced 'nuts').
...as I read the acronym that the QR in it had nothing to do with QR codes. Oh well.
My understanding is that, among other things, the intention is to address man-in-the-middle compromises, but I'm not certain how that is actually guaranteed here. (Then again, I am not even remotely a security expert).
and I'm sure NSA is forcing them to implement a backdoor or else the NSA will shut them down.
They already exist and are supported, doing pretty much the same thing on a secondary device does little to improve things.
No sir I dont like it.
Actually, two smartphones required to browse. One to navigate to the website, the other to take the picture of the QR code on the first one's screen. Oh, and you'll probably need a third hand to type in the password that is computed on the second phone into the password box displayed on the first phone.
The endless parade of cheap hacks needs to stop. Anything less than strong bindings between session encryption and authentication is short changing everyone.
Get browser vendors to apply the TLS-SRP patches sitting in their ticket systems.
> I laugh at anyone who trusts Google with their data, or authentication.
Yes, I know Google is pure evil. Google Auth is based on an open standard & it is open source. As I wrote in parent post: This means that there is a whole range of implementations available. I use the Google Auth standard for auth at various Bitcoin exchanges but I do not use any Google software to do it, I use other implementations. You can use Google Auth without trusting Google with jack shit. (and yeah, I know they are evil, I've removed all the Google spyware / crapware from my phone, I don't have their appstore, etc)
9/11: Never forget it was a false-flag operation
One of the main things it's supposed to address is to allow secure login from a public computer. A computer could have a software or hardware key logger, but since the authentication is handled by the phone you control it doesn't matter.
It also has a unique ID that's based on a hash of the site you are authenticating with, so accounts at different sites can't be tied together unless you give the site something like an alias or your email address.
This does raise the problem in that it makes your phone the keys to the kingdom, but having something like this for throw away accounts for posting on a forum wouldn't be bad. It would be like OpenID, I wouldn't use it for something like my banking account which I wouldn't access from a public computer anyways. But it addresses the issue that people generally use one email address and one password to access every site they go to.
Steve has a lot of hate coming from the traditional hacker community, some of it for good reasons. He got started in all this trying to defend himself from some attacks, and definitely made some noob mistakes. In particular, he made the mistake of lumping in penetration testers (white hats) with criminal hackers (black hats). That generated a lot of hate from the pen tester community and many labled him a fraud and never looked back. His biggest offense seems to be that he is not of, and does not participate in, the traditional hacker/pen tester community. I think it is very telling that none of his detractors are actually point out problems in his proposal for SQRL. They are relying entirely on "we all know Steve Gibson is a fraud" arguments.
"Trying is only the first step towards failure." - Homer
As I understand it, it's intended in part for the use case where you browse on a computer that's not your own, such as at a relative's home or a public library. This means you haven't stored a client certificate on this computer. The authenticator app on your smartphone would store its own equivalent of a client certificate.
Even if Mr. Gibson did seek a patent, Google has prior art.
Try 555-1212.
OTOH, I rarely give my phone #, even if they ask. If they won't take a fictitious one, and don't allow you to skip it, then I just don't go there.
I think we've pushed this "anyone can grow up to be president" thing too far.
...my damn cellphone died, couldn't log in.
Unfortunately, that entire concept is flawed for at least two blindingly obvious reasons:
This does not solve the man-in-the-middle attack where untrusted endpoint devices are concerned, because that problem is a fundamentally unsolvable problem. If you cannot trust both endpoints, no secure connection is possible. This is a fundamental tenet of computer security.
In particular, if you can't trust the endpoint, you can't trust anything that the endpoint presents to you. Unless this scheme literally requires you to point your phone at the screen and authenticate every single action, there's nothing stopping someone from tweaking the content on its way to the untrusted screen so that the logout button doesn't actually log you out, but instead merely shows a fake logout screen. Then, the person who owns that untrusted computer has access to your account.
And even if you try to patch around that with a QR code that deauthorizes the computer, there's nothing stopping someone from automatically transferring money to a bank in the Cayman Islands right before it requests that logout code, or whatever. So even in the best case, this does not really add any significant amount of trust to the untrusted device.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Way to invalidate the concept. Ad hominem attack. Clever.
More than that, this is also vulerable to a MitM relay kind of attack, similar to a phishing page that looks like the original login page. This is made worse in that a smartphone can't automatically verify that the computer is on the correct domain before authorizing the page displaying the authentication page.
This results in a similar situation to your 'untrusted terminal' scenario, where the bad guys have a valid login to your account and can do what they want with that session.
Possibly even let you also use that session so that you don't get suspicious.
If I have nothing to hide, don't search me
The MySQL team says S-Q-L, and I believe their web page says that's how their name is pronounced. The official SQL standard says it's s-q-l.
On the other hand, it seems to me that Windows admins tend to say sequel. The primary author of the language, Chamberlain, says sequel.
Putting all that together, neither is really right or wrong. When talking about Microsoft's rdms to Microsoft-based listeners, sequel will elicit the fewest snickers. In the FOSS community, say My s-q-l. S-Q-L is the standard data manipulation language, sequel is some Microsoft crap, the OSS folks will say.
Yes, people sometimes mispronounced it, but that is due to ignorance
Actually, the ignorance is people that aren't aware that it was originally called SEQUEL and then renamed to SQL. There have been various products over the years on various platforms with the SEQUEL name (80's and early 90's). The pronunciation has been both ways, although as time goes on there are many people like yourself that just aren't aware of the history and other pronunciation and so it continues to fade.
SG is the real deal - he's been around forever, he's been an outsider forever (i.e. since the internet was conceived, and information was free), he knows the limitations of the "security" measures out there and he can call BS on anything in my book - his proposal stands up to scrutiny, despite whoever he's pissed off in the past. Onward the SQRL!
So you need to have your phone present and with a connection to login?
And it's basically just OAuth with an added device dependency?
FINALLY! As a SADO-MASOCHISTIC Web Developer, I've been pining for an authentication schema that is as equally painful to use as it is to implement that provides no real added benefit over what we currently have!
Ohhh Steve Gibson -- you are a fucking genius!
Well then, hover your mouse over the QR code itself and see what web page it points to. It seems like everyone is completely oblivious to the fact that the QR code also doubles as a fucking link, which theoretically you could click to run an out-of-browser SQRL application to replace the one on your phone. You do not, I repeat, do not need a smartphone with camera and a fancy app. On the other hand, authenticating on a different system (phone) with different Internet connection would probably be more safe than doing it all on one machine, unless you are on your own machine and know it is not compromised.
Then dispute it with logic and reason. Using a logical fallacy to attack a claim adds weight to the claim.
The Smartphone sends the matching public key to identify the user, and the signature to authenticate it. It may be used alongside of traditional username/password to ease adoption."
Attack method: the attacker presents to the user a fake website, proxying the real QR login image.
The real user, goes through the signature shenanigans, causing the attacker's browser session to be authenticated, when the user types in the password and hits OK.
The attacker leverages a man-in-the-browser attack to execute undesirable sequences of actions for the user to execute, such as sending a payment they didn't intend, etc.... all by presenting fake questions, and persuading the user they need to scan more QR codes.
Also, some of the QR codes could launch malicious URLs that cause the smart phone to be compromised, or cause the digital signatures behind the crypto scheme to be transmitted to the attacker.
But, one big problem I see with this, is likely that you will be giving your fucking phone number to every website you want to log onto using this.
I'm trying desperately to not give them any identifiable information on who I am, not more!!
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
From TFA:
1. No cell phone required.
2. No QR code required.
3. err, no cell phone required
4. It's stored encrypted by a local password
I agree, nothing of value added with these icons. Learned that from Security Now, with Steve Gibson.
...but instead of storing the certificate in a moderately secure environment (the browser) it's stored in the least secure environment available to the user, the mobile phone. Not only does it not have any security against remote exploits, securing it physically is also next to impossible.
Since its a login app and not a browser.... the only thing it can do is display what site it thinks you are trying to authenticate to and then authenticate you to it if you say to continue. And all that does is allow the existing session (on the possibly different system) browser connect without requiring further authentication.
MIM and Phishing attacks might be possible, but no more probable or possible than existing login's. And with this system the MIM or Phisher doesn't gain any additional information about you. Just a unique login that can only be reproduced by you if you visit again.
The primary attraction is that is two-party authentication and not three-party.
It also may be more convenient if widely deployed and there are some friendly user agents. You simply won't have to remember separate login and passwords for all those random small web sites that want you to create an account before you can interact with them (to download a file, leave a comment, verify a mailing address, get documentation, etc etc etc.)
Probably not for use when connecting to those two or three places that actually need really secure and private authentication (PayPal and your Bank and .. hmmm that might be it.)
Will be interesting to see if it goes anywhere.
I don't see a comparison of ip addresses stopping a malicious site from pulling a real QR code and presenting it to the user who then authorizes the session. The fake page would then be logged in as the user and could do whatever it wanted.
This was the first thing I thought of as I was listening to the initial discussion.
Using it solely for unimportant account would make it more secure than using Facebook to log into other sites. At least the phisher would only get access as a single session rather than potentially tricking a user to giving them their Facebook login which they could then do more with.
I also think that the system is overreliant on a person having a smart phone. I often go places without one and am seriously considering getting a dumb phone for private use (weekends and evenings). This system would not work for me or the millions of other people that do not want or do not have one. If a system relies on a phone, how is this better than current systems that send me a OTP on any mobile using basic SMS. It is more complex but not more reliable as the weak link is regarding who has your phone.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
It's a logical fallacy to claim that using a logical fallacy to attack a claim adds weight to the claim. Also, ad hominems like other fallacies can be good arguments -- just not deductively valid in a formal sense. If someone spews 99% nonsense, it's a waste of valuable time to invest hours into providing deductively that their latest spew is also nonsense.
This space intentionally left blank
I used the wrong word, meant claimant. It is not valid. I don't care who or where the claim comes from, it should be disputed in logic and reason.
I guess you didn't read the spec, no identifiable information needs to be sent.
- Raynet --> .
Also it doesn't even require QR codes, you just need a link on the page with sqrl:// instead of http:/// to launch the authentication app.
- Raynet --> .
Nope, completely independent of your phone number. Each site you visit effectively has its own user identifier, unique to that site, which is generated from a combination of your master key and the website address. Unless you tell the web site some of your details all the site knows is that you are the same person as every other time you visited. Nothing stopping this being completely anonymous as long as the site does not demand personally identifiable info (eg a retail site would need your name, address and payment details or the login is pointless)
because google auto complete is a good way to find out actual facts.....
how about just coming up with a reasonable rebuttal to his proposal instead of a "first" flame?
i couldn't give a flying monkeys what people think of him, he is very over excitable but slamming an idea because of some psychotic hatred you seem to have about a guy you have never met and has done nothing but propose a potentially useful idea is a bit ...well... childish
A few days before I first heard of SQRL (a few weeks ago) I came up with a very similar proposal, which I published on my blog http://ddevnet.net/posts/anonymous-authentication-with-pk.html
SQRL works around the biggest hassle with my proposal which is linking the browser and the certificate to a session. The QR code idea really streamlines the workflow. My proposal could probably adopt this idea. Where our proposals really differ is that I believe that keeping your keystore anonymous is important. With SQRL they know your keystore location (and can directly attack it, or steal it, or whatever) because of the way it uses the keystore in an out-of-band manner. I also think that when the keystore is identified this is likely to also reveal some clues as to your identity, which sucks balls.
I also think that the keys could/should be used for encrypting messages/notifications that can be published publicly but only read by the holder of the private key. This avoids email addresses which may leak your identity.
I think there's another even more obvious reason why it's a dumb idea - namely that it confuses data with the presentation of that data. QR codes are just data. You could transmit that data as a hex string, as a base-64 string, or even as raw bytes, it's just data. The fact that he's even named the protocol after what is just a completely arbitrary way of encoding data implies that he's way too obsessed about the irrelevant thing.
Different, but similar, anecdote: We had a course on the telecoms network infrastructure once at a job way back. Right at the start, the instructor asked us "what kinds of things do you think you might want to transmit over a network?". One smartarse immediately said "data". Alas the dozy idiot (instructor) then kept pressing us for examples of "data". I think I followed up with "arbitrary binary data", but he still didn't get the hint. Data's just data, stop trying to wrap it up and pretend it's something else.
Also FatPhil on SoylentNews, id 863
4.. noob.
Posting a picture to a xkcd joke without the alt text (nor proper link) is inexcusable.
Nobody said that this is a perfect system. Only that it is a better system. Do you refuse to lock your car door because anyone could just break the window. Security isn't about absolutes. It is about increasingly making it more difficult for an attacker to compromise you.
This system is simple enough that it could get a mass market uptake. That would vastly increase the security for a large number of people. For simple sites like Slashdot it would eliminate identifiable information stored in their database. As an example of the increased security, NeoGaf a popular gaming site, right now is forcing a password reset due to their system being compromised. If they had been using SQRL then that would be unnecessary.
This also provides built in onetime password protection. Compared to the current username/password security method this is far and away better, and will be relatively easy to set up.
As Gibson has, THEN, they can talk (as peers, not bullshitters).
* Consider the source...
(I've hung around & maintained ongoing debates + conversations with the "security community" & imo AND experience? MOST aren't anywhere NEAR Gibson in skillset OR more importantly, accomplishments... are there any that do? Of course - then again, you don't see many of THAT kind giving him shit either!)
APK
P.S.=> World's FULL of "talk a lot but did zero" b.s. artists who see fit to 'cut down others' (who've done far more of good note than they have), but haven't done squat themselves... period! I don't know about the rest of you, but I don't pay much heed to that type (unless they debate an argument in the arena of security with FACTS - not jealousy driven prejudices)
... apk
So, how do I snap the QR code - if I am logging into the website - on my phone...?
Ideally, sure.
In a world where the ravages of entropy are bringing you ever closer to the end of your finite lifespan, you just end up pissing away a whole lot of time.
Owns a smartphone, so SQRL is completely useless!
Michael
http://s1.sfgame.us/index.php?rec=58163
It may be used alongside of traditional username/password to ease adoption.
It *should* be used alongside traditional username/password
I know it might boggle your mind but not everyone has (or wants) a smart phone
I love my smart phone to bits (sometimes literally) but I know plenty of people who have a cheap ass phone so they can.... make phone calls.
I also have a friend who leaves his smart phone at home when he goes to work, after having his beloved stolen when he turned around to study some blueprints, now he carry's a cheap ass second (or third) hand nokia - hasn't been stolen in a long while.
There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
The only problem is that Things like OpenID, Google apps login facebook Login do not have a cool sounding login method using a mobile phone a 2 factor authorisation.
Beside that only machine readable QR code, you would need need some thrustworthy cute loggking squirrrel logo. (steve failed to provide one leaving that one to the implementor) .
thinking about it :
Using squirrel? Are you nuts?
Uh, that's a more comprehensive analysis of password strength than I've seen anywhere else.
His "technique" is nothing more than finding a way to make your passwords longer that people can remember. That's the whole point - length matters. Do you have a better way of coming up with a strong password that can be remembered?
If you discount everything a person says, why are you posting here?
I'm not sure what you're getting at. What has one got to do with the other?
So, you can't tell, or can't log in, unless you own a smartphone (tm)? Quite so, mine citizen. Please show me your citizenship documents on your smartphone... you don't have one? Please accompany this fine officer to the station for violating community standards....
mark "fsck smartphones"
How exactly is it a "comprehensive analysis" if it ignores dictionary attack strength?
How is it "comprehensive" if it ignores the fact that an attack can be crafted specifically for this technique?
All it discusses is brute force, which is pointless beyond a few characters.
If you need web hosting, you could do worse than here
Maybe you should read the spec: https://www.grc.com/sqrl/phishing.htm
It says right on the page that an active attack could be mounted if you use a cross device authentication like you'd use in a public computer setting.
The computer you are accessing the site from it at a phishing site that displays an active QR code to log you into the real site.
Your cellphone you authenticate with is accessing the Internet via a cellular data connection so the IP of the computer and cellphone would be different.
The IP check would work if authenticating off a single device like a laptop, but it doesn't solve the public computer access problem that Steve Gibson was touting as solved.
But, one big problem I see with this, is likely that you will be giving your fucking phone number to every website you want to log onto using this.
Why would you do this? SQRL doesn't require you to give your phone number to anyone.
Indeed no. It doesn't.
Idiocy indeed. Learn to read.
He's 57. Ain't a noob. The attacks were like, ten years ago. They're like a bunch of evil ex-girlfriends on Facebook against whom he really needs a restraining order. No one really cares what the "community" thinks, if what you mean by that is the group that has the time and inclination to launch DDOS attacks and spam threads with "Gibson sucks" posts. I don't believe people of that disposition really matter if they're over 15 years old. Nobody even remembers what the hell he did "wrong", and frankly no one outside of that group cares - if anyone is left, as "they" should have been married and worried about male-pattern baldness and being severely overweight by now.
Oh, seriously, get a life.
This is very similar to the Pico concept that Frank Stajano came up with a couple of years ago - though his is rather more complete than Steve Gibson's.
You can see Frank's (entertaining) talk from the 2011 Usenix security conference here:
https://www.usenix.org/conference/usenix-security-11/pico-no-more-passwords
There's a team at Cambridge University implementing this right now, and, like Gibson, Stajano has always pledged that it will be an open and patent-free standard.