Slashdot Mirror


New Standard For Website Authentication Proposed: SQRL (Secure QR Login)

fsagx writes "Steve Gibson has proposed a new standard method for website authentication. The SQRL system (pronounced 'squirrel') eliminates problems inherent in traditional login techniques. The website's login presents a QR code containing the URL of its authentication service, plus a nonce. The user's smartphone signs the login URL using a private key derived from its master secret and the URL's domain name. The smartphone sends the matching public key to identify the user, and the signature to authenticate it. It may be used alongside traditional username/password to ease adoption."

31 of 234 comments

  1. Smartphone required to browse? by SilentConsole · · Score: 3, Insightful

    I don't think it will be very popular to force users to pull out a smartphone (or even HAVE a smartphone) to use a website.

    1. Re:Smartphone required to browse? by w_dragon · · Score: 4, Insightful

      Or just create a browser plugin that will read a QR and open a new tab to the link. No smartphone required. Of course, that kind of highlights why it's a dumb idea anyway.

    2. Re:Smartphone required to browse? by SilentConsole · · Score: 2

      Reading more fully - there is a suggestion for providing a clickable link as well from a desktop - so, tying identity uniquely to a device is actually the intent here, still not a great user experience.

    3. Re:Smartphone required to browse? by Anonymous Coward · · Score: 2, Insightful

      But their website says:

      It eliminates every problem inherent in traditional login techniques.

      So I guess they're just swapping new problems for the traditional ones ;-)

    4. Re:Smartphone required to browse? by msauve · · Score: 4, Insightful

      "I don't think I've cleared my cookies in five years..."

      You must not binge drink.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  2. Scanning random QR codes by rminsk · · Score: 2

    So you go to a website and it displays a QR code it wants you to scan. Who knows where that QR code could redirect to.

    Also, I go to a website on my smartphone. How do I scan the QR code? With my other smartphone?

    1. Re:Scanning random QR codes by Joining+Yet+Again · · Score: 3, Funny

      Are there people who still carry only one 'phone around? And yet people rely on them so much.....

    2. Re:Scanning random QR codes by Seumas · · Score: 2

      No. That's where the QR code also being a clickable link comes into play.

      This SQRL thing is documented on his site and he has a forum open to critique it and expose flaws in it, so this stuff is all easily accessible to anyone who wants to take a half hour to read it.

  3. Re:this idea is not going to go anywhere. by Joining+Yet+Again · · Score: 2

    Eh, our whole country adopted nonce for nearly four decades.

  4. Soon to be enabled by Teun · · Score: 2

    I assume this will be enabled between Friday October 18, 8 pm to Saturday October 19, 1 am (Eastern Time).

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  5. Re:That's how I say SQL by Seumas · · Score: 2

    I've honestly never heard anyone debate this. It's called My ESS CUE ELL and PostgrESS CUE ELL, because SQL is pronounced as each letter. Yes, people sometimes mispronounce it, but that is due to ignorance. The same way we all used to know people just coming to the web for the first time who thought that URLs were pronounced like they were part of the monarchy.

  6. Wow. by bennomatic · · Score: 3, Funny

    You had me at "QR code".

    --
    The CB App. What's your 20?
  7. Re:Steve Gibson is a... by moteyalpha · · Score: 4, Informative

    I invite everyone to let Google autocomplete that sentence. It's been well-known for a good while that absolutely no-one should pay any attention to him.

    Just for giggles I did test auto complete on that and it gave:
    1. steve gibson is a fake
    2. steve gibson is a moron
    3. steve gibson is a idiot
    Could that be considered the -opinion- of the Google algorithm?
    My opinion about TFS involves squirrels too. But mainly their primary food source ( pronounced 'nuts').

  8. Re:Challenge/response tunneled inside of SSL? by Seumas · · Score: 4, Insightful

    I recently checked out the two podcasts where he went into extensive detail on SQRL and he made it pretty clear that he isn't looking to make money on this concept if it were to take off and that he "doesn't really even have time to do much with it". He presented his idea, documented it, opened up some discussion about it and a forum for people to discuss it in and left it at that. Say what you may about him, but I don't get any sort of "erhmagerd, I'm gonna get rich off this" going on here. I'm sure if clear flaws are demonstrated to him, he'd readily discuss them and admit them when they were uncovered.

  9. Re:Gibson is NSA... by Seumas · · Score: 4, Informative

    Wasn't Gibson one of the first people we heard a reasonable explanation of the NSA tapping from? When we were all blaming Facebook and Google and Facebook and Google were denying direct feeds to the NSA, he asserted that what was probably happening was tapping of the trunk just externally to the private points of these entities, such that they may never have even known it was going on. Then, it turns out, that is pretty much what was happening in many of the cases.

    I don't know a whole lot about the guy, but he sure seems to have an awful lot of anti-NSA and pro-privacy stances, as far as I can tell.

  10. Re:That's how I say SQL by Joining+Yet+Again · · Score: 5, Funny

    "MySQL" is pronounced "Why aren't you using PostgreSQL?"

    And "noSQL" is pronounced "no".

  11. No, 2 smartphones required to browse. by Chemisor · · Score: 2

    Actually, two smartphones required to browse. One to navigate to the website, the other to take the picture of the QR code on the first one's screen. Oh, and you'll probably need a third hand to type in the password that is computed on the second phone into the password box displayed on the first phone.

  12. I have a better idea by WaffleMonster · · Score: 4, Insightful

    The endless parade of cheap hacks needs to stop. Anything less than strong bindings between session encryption and authentication is shortchanging everyone.

    Get browser vendors to apply the TLS-SRP patches sitting in their ticket systems.

  13. Re:What problem? by SScorpio · · Score: 2

    One of the main things it's supposed to address is to allow secure login from a public computer. A computer could have a software or hardware key logger, but since the authentication is handled by the phone you control it doesn't matter.

    It also has a unique ID that's based on a hash of the site you are authenticating with, so accounts at different sites can't be tied together unless you give the site something like an alias or your email address.

    This does raise the problem in that it makes your phone the keys to the kingdom, but having something like this for throw away accounts for posting on a forum wouldn't be bad. It would be like OpenID, I wouldn't use it for something like my banking account which I wouldn't access from a public computer anyways. But it addresses the issue that people generally use one email address and one password to access every site they go to.

  14. Re: Steve Gibson is a... by weedenbc · · Score: 5, Insightful

    Steve has a lot of hate coming from the traditional hacker community, some of it for good reasons. He got started in all this trying to defend himself from some attacks, and definitely made some noob mistakes. In particular, he made the mistake of lumping in penetration testers (white hats) with criminal hackers (black hats). That generated a lot of hate from the pen tester community and many labeled him a fraud and never looked back. His biggest offense seems to be that he is not of, and does not participate in, the traditional hacker/pen tester community. I think it is very telling that none of his detractors actually point out problems in his proposal for SQRL. They are relying entirely on "we all know Steve Gibson is a fraud" arguments.

    --

    "Trying is only the first step towards failure." - Homer
  15. Browsing on a computer that's not your own by tepples · · Score: 2

    As I understand it, it's intended in part for the use case where you browse on a computer that's not your own, such as at a relative's home or a public library. This means you haven't stored a client certificate on this computer. The authenticator app on your smartphone would store its own equivalent of a client certificate.

    1. Re:Browsing on a computer that's not your own by tepples · · Score: 2

      And this is better than a USB security device (hell, even a phone app and cable)?

      It works even when USB sockets are full of epoxy, as is apparently true of a lot of public computers, or on devices such as the iPad that don't really have a general-purpose USB host.

      SQRL revocation?

      Apparently the SQRL authenticator app gives each site a different user ID number, and the user can revoke an ID number within the app.

  16. Google already dunnit by tepples · · Score: 2

    Even if Mr. Gibson did seek a patent, Google has prior art.

    1. Re:Google already dunnit by radarskiy · · Score: 3, Interesting

      I am *shocked* by the thought that Steve Gibson would claim something as an innovative and original idea that turns out to be old and tired. Shocked, I tell you! Surely this has never happened before... (http://www.theregister.co.uk/2002/02/25/steve_gibson_invents_broken_syncookies/)

  17. Re:What problem? by dgatwood · · Score: 4, Insightful

    One of the main things it's supposed to address is to allow secure login from a public computer.

    Unfortunately, that entire concept is flawed for at least two blindingly obvious reasons:

    • This does not solve the man-in-the-middle attack where untrusted endpoint devices are concerned, because that problem is a fundamentally unsolvable problem. If you cannot trust both endpoints, no secure connection is possible. This is a fundamental tenet of computer security.

      In particular, if you can't trust the endpoint, you can't trust anything that the endpoint presents to you. Unless this scheme literally requires you to point your phone at the screen and authenticate every single action, there's nothing stopping someone from tweaking the content on its way to the untrusted screen so that the logout button doesn't actually log you out, but instead merely shows a fake logout screen. Then, the person who owns that untrusted computer has access to your account.

      And even if you try to patch around that with a QR code that deauthorizes the computer, there's nothing stopping someone from automatically transferring money to a bank in the Cayman Islands right before it requests that logout code, or whatever. So even in the best case, this does not really add any significant amount of trust to the untrusted device.

    • If your phone can connect to the Internet, why aren't you just using your phone for browsing, and using the computer merely as a larger display and keyboard? By doing this, the login credentials are stored in your phone's keychain, so you aren't typing a password, making that issue moot, and the control disappears when you unplug from the keyboard and screen, making pretty much all other issues almost entirely moot unless you're actually typing or viewing something sensitive.
    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  18. Re:Any better than SSL client certs? by silas_moeckel · · Score: 2

    Let's think a USB hardware token? The private key never leaves the device that has a well-defined API and is built from the ground up for security. But this does not help (nor would the SQRL bits) the compromised box from hijacking the session.

    --
    No sir, I don't like it.
  19. MS sequel, My S-Q-L , officially S-Q-L, Chamberlai by raymorris · · Score: 2

    The MySQL team says S-Q-L, and I believe their web page says that's how their name is pronounced. The official SQL standard says it's s-q-l.

    On the other hand, it seems to me that Windows admins tend to say sequel. The primary author of the language, Chamberlain, says sequel.

    Putting all that together, neither is really right or wrong. When talking about Microsoft's RDBMS to Microsoft-based listeners, sequel will elicit the fewest snickers. In the FOSS community, say My s-q-l. S-Q-L is the standard data manipulation language, sequel is some Microsoft crap, the OSS folks will say.

  20. Re: Steve Gibson is a... by cayenne8 · · Score: 2, Interesting

    I dunno who Steve Gibson is...

    But, one big problem I see with this, is likely that you will be giving your fucking phone number to every website you want to log onto using this.

    I'm trying desperately to not give them any identifiable information on who I am, not more!!

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  21. Re: Steve Gibson is a... by viperidaenz · · Score: 3, Informative

    From TFA:
    1. No cell phone required.
    2. No QR code required.
    3. err, no cell phone required
    4. It's stored encrypted by a local password

  22. Re:That's how I say SQL by theshowmecanuck · · Score: 2

    I'm not a fan of Microsoft, and I hate Windows 8 (like Windows 7). I use Windows 7 and Kubuntu (on virtual box and laptop for programming). I like PostgreSQL over MySQL and Oracle is pretty damned good if you are a rich motherfucker. That said, I think MS SQL Server is perhaps the best product Microsoft makes. It used standards compliant syntax in the mid 90s, supports most if not all SQL standards, works well up to quite large database size, has a ton of good features, well documented, etc. The biggest problem with it is that it only runs on Windows servers... and in my case, it isn't free as in beer. It is a good database system otherwise.

    --
    -- I ignore anonymous replies to my comments and postings.
  23. Re: Steve Gibson is a... by T_Tauri · · Score: 3, Insightful

    Nope, completely independent of your phone number. Each site you visit effectively has its own user identifier, unique to that site, which is generated from a combination of your master key and the website address. Unless you tell the web site some of your details all the site knows is that you are the same person as every other time you visited. Nothing stopping this being completely anonymous as long as the site does not demand personally identifiable info (eg a retail site would need your name, address and payment details or the login is pointless)