Securing the Web without site-specific passwords
•
1 like•1,149 views
Has anyone else noticed that the OWASP Top 10 is not changing very much? Especially in the realm of authentication-related problems. I don't claim to have the one true solution for this, but one thing is certain: if we change how things are done on the web and relieve developers from having to store passwords, we can make things better. We need to let web developers outsource their authentication needs to people who can do it well. Does that mean we should force all of our users to join Facebook? Well not really. That might work for some sites, but outsourcing all of our logins to a single for-profit company isn't a solution that works for the whole web. The open web needs a better solution. One that enable users to choose their identity provider and shop for the most secure one if that's what they're into. This is the promise behind Persona and the BrowserID protocol. Choose your email provider carefully and let's get rid of all of these site-specific passwords that are just sitting there waiting to be leaked and cracked.
Report
Share
Securing the Web without site-specific passwords
- 1. François Marier – @fmarier Securing the Web without site-specific passwords
- 2. François Marier – @fmarier F**k all of these passwords, we can do better than this!
- 13. problem #1: passwords are hard to secure
- 14. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 15. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 16. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 17. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 18. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 19. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery 2013 2013 password password guidelines guidelines
- 20. passwords are hard to secure they are a liability
- 21. ALTER TABLE user DROP COLUMN password;
- 22. problem #2: passwords are hard to remember
- 25. pick an easy password
- 26. pick an easy password use it everywhere
- 27. negative externality: sites that don't care about security impose a cost on more important sites
- 28. passwords are hard to remember they need to be reset
- 35. decentralised
- 39. privacy®
- 40. existing login systems are not good enough
- 41. ideal web-wide identity system
- 45. what if it were a standard part of the web browser?
- 47. how does it work?
- 50. getting a proof of email ownership
- 51. authenticate?
- 54. you have a signed statement from your provider that you own your email address
- 56. logging into a 3rd party site
- 57. Valid for: 2 minutes wikipedia.org assertion
- 58. Valid for: 2 minutes wikipedia.org check audience assertion
- 59. Valid for: 2 minutes wikipedia.org check audience check expiry assertion
- 60. Valid for: 2 minutes wikipedia.org check audience check expiry check signature assertion
- 61. assertion Valid for: 2 minutes wikipedia.org public key
- 62. assertion Valid for: 2 minutes wikipedia.org
- 65. Persona is already a decentralised system
- 66. SMS with PIN codes
- 67. SMS with PIN codes Jabber / XMPP
- 68. SMS with PIN codes Jabber / XMPP Yubikeys
- 69. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts
- 70. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates
- 71. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates Password-wrapped secret key { "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..." }
- 72. decentralisation is the answer, but it's not a product adoption strategy
- 73. we can't wait for all domains to adopt Persona
- 74. we can't wait for all domains to adopt Persona solution: a temporary centralised fallback
- 76. Persona already works with all email domains
- 82. Persona supports all modern browsers >= 8
- 83. Persona is decentralised, simple and cross-browser
- 84. it's simple for users, but is it also simple for developers?
- 87. navigator.id.watch({ loggedInEmail: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 88. navigator.id.watch({ loggedInUser: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 89. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 90. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 91. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 97. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 99. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 100. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']);
- 101. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “francois@mozilla.com”, issuer: “login.persona.org” }
- 102. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']); if ($result->status === 'okay') { echo "Hi " . $result->email; } else { echo "Error: " . $result->reason; }
- 103. { status: “failed”, reason: “assertion has expired” }
- 104. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']); if ($result->status === 'okay') { echo "Hi " . $result->email; } else { echo "Error: " . $result->reason; }
- 108. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 110. 1. load javascript library
- 111. 1. load javascript library 2. setup login & logout callbacks
- 112. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons
- 113. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership
- 114. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership no API key needed
- 115. you can add support for Persona in four easy steps
- 116. one simple request
- 118. building a new site: default to Persona
- 119. working on an existing site: add support for Persona
- 120. before
- 121. after
- 124. ALTER TABLE user DROP COLUMN password;
- 125. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org
- 126. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
- 127. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 128. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 129. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 130. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 131. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 132. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 133. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 134. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 135. © 2013 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ Australian passport: https://secure.flickr.com/photos/digallagher/5453987637/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: