LinkedIn password database compromised

• Previous message (by thread): LinkedIn password database compromised
• Next message (by thread): LinkedIn password database compromised
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/7/12, Aaron C. de Bruyn <aaron at heyaaron.com> wrote:
>>        A TLS + Client-Side X.509 Certificate  for every user.
> Heck no to X.509.  We'd run into the same issue we have right now--a
> select group of companies charging users to prove their identity.

The PKI infrastructure and  authority validation components are not
required. Even if they were -- anyone  can setup a PKI infrastructure,
 the problem is trust.

Self-signed certificates are just fine for this application.   The
authentication credential stored on the server for the user, can
simply be the public key of the user's certificate, and the
certificate hash.

There's no need for the TLS server to verify the client cert  is
issued by a recognized authority;   although it would be nice for
there to be Free X.509 certificate authorities to issue a signed TLS
cert for E-MAIL address authentication.

This would allow websites to accept user signup without a need to spam
the user with additional  "Click this link here to prove that this is
actually your real e-mail address".

It should ideally be integrated with the web browser.    The user
should be prompted to create their certificate  by their web browser,
and given the option to  self-sign an "Anonymous" certificate;  use a
Free certificate authority,  that will  list and validate their e-mail
address.

Or an alternate CA that will validate their e-mail address and
optionally additional fields, such as a real name.     Only fields
listed on a certificate need to be verified.

If a site doesn't trust the authority to issue the cert, the
connection proceeds,  the site just asks the user to prove  "Yes, that
really is their e-mail address"


> SSH does a good job of avoiding the pitfalls that most of those other
> products have.

SSH is vulnerable to MITM on the first connection to a new host, you
are prompted to save a host key,  but noone really verifies this.
After  you've saved a host key,  if the host has to change keys for
legitimate reasons, such as previous host key compromised,   the SSH
client refuses to connect,  and the user has to manually remove
entries from their known_hosts file.

Username, password  is more user-friendly than the SSH behavior, unfortunately.
Which means username/password would still be used in preference.

> Active Directory has costs associated with it.
Yes

> OpenID requires setting up your own server or using a third party.
Most options that exists require setting up your own server or using a
third party.

> Imaging signing up for a site by putting in your email and pasting
> your public key.

No... that's not  convenient or user-friendly enough.
"Public what?"

There must be a browser integration where the public key is
automatically submitted (with the user's permission).

There are too many users who don't know how to use "copy and paste".

There are too many users not willing to dig into their browser's
settings to lookup their public key.


--
-JH

• Previous message (by thread): LinkedIn password database compromised
• Next message (by thread): LinkedIn password database compromised
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]