LinkedIn password database compromised

Luke S. Crawford lsc at prgmr.com
Fri Jun 8 23:22:15 UTC 2012


On Wed, Jun 06, 2012 at 07:43:42PM -0700, Aaron C. de Bruyn wrote:
> Why haven't we taken this out of the hands of website operators yet?
> Why can't I use my ssh-agent to sign in to a website just like I do
> for about a hundred servers, workstations, and my PCs at home?
> 
> One local password used everywhere that can't be compromised through
> website stupidity...

This is the way to go.

The problem here is that x.509 is the only similar thing for browsers,
and x509 requires a CA, which makes the whole process a whole lot more
complex than the 'just give me the public half of the key you
want to use to authenticate to this service'.  I mean, unless
everyone trusts the same (few) CAs, which has a different set of problems.

I haven't found any way that is as simple and as portable as using 
ssh that works in a web browser.   I'm considering re-writing my 
billing application to be libcurses based or something, and letting
users access that through ssh, too.  (It would be silly, but it
might work for me;  it goes along with my schtick.)    This would
be somewhat suboptimal for things like bandwidth graphs, but eh.

But yeah, if someone wants to pass the hat to get an Apache module
and a Firefox addon written to do public key authentication over http
using ssh keys, I'd put a couple hundred bucks in the hat.




More information about the NANOG mailing list