Securing the Web without site-specific passwords

725 views

Published on

Has anyone else noticed that the OWASP Top 10 is not changing very much? Especially in the realm of authentication-related problems. I don't claim to have the one true solution for this, but one thing is certain: if we change how things are done on the web and relieve developers from having to store passwords, we can make things better.

We need to let web developers outsource their authentication needs to people who can do it well. Does that mean we should force all of our users to join Facebook? Well not really. That might work for some sites, but outsourcing all of our logins to a single for-profit company isn't a solution that works for the whole web.

The open web needs a better solution. One that enable users to choose their identity provider and shop for the most secure one if that's what they're into. This is the promise behind Persona and the BrowserID protocol. Choose your email provider carefully and let's get rid of all of these site-specific passwords that are just sitting there waiting to be leaked and cracked.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
725
On SlideShare
0
From Embeds
0
Number of Embeds
10
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Securing the Web without site-specific passwords

  1. 1. François Marier – @fmarier Securing the Web without site-specific passwords
  2. 2. François Marier – @fmarier F**k all of these passwords, we can do better than this!
  3. 3. problem #1: passwords are hard to secure
  4. 4. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  5. 5. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  6. 6. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  7. 7. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  8. 8. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  9. 9. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery 2013 2013 password password guidelines guidelines
  10. 10. passwords are hard to secure they are a liability
  11. 11. ALTER TABLE user DROP COLUMN password;
  12. 12. problem #2: passwords are hard to remember
  13. 13. pick an easy password
  14. 14. pick an easy password use it everywhere
  15. 15. negative externality: sites that don't care about security impose a cost on more important sites
  16. 16. passwords are hard to remember they need to be reset
  17. 17. control email account control all accounts =
  18. 18. existing login solutions
  19. 19. client certificates
  20. 20. decentralised
  21. 21. myid.com/u/francois
  22. 22. privacy®
  23. 23. existing login systems are not good enough
  24. 24. ideal web-wide identity system
  25. 25. ● decentralised ● simple ● cross-browser ideal web-wide identity system
  26. 26. ● decentralised ● simple ● cross-browser ideal web-wide identity system
  27. 27. ● decentralised ● simple cross-browser ideal web-wide identity system
  28. 28. what if it were a standard part of the web browser?
  29. 29. how does it work?
  30. 30. fmarier@gmail.com
  31. 31. fmarier@gmail.com
  32. 32. getting a proof of email ownership
  33. 33. authenticate?
  34. 34. authenticate? public key
  35. 35. authenticate? public key signed public key
  36. 36. you have a signed statement from your provider that you own your email address
  37. 37. logging into a 3rd party site
  38. 38. Valid for: 2 minutes wikipedia.org assertion
  39. 39. Valid for: 2 minutes wikipedia.org check audience assertion
  40. 40. Valid for: 2 minutes wikipedia.org check audience check expiry assertion
  41. 41. Valid for: 2 minutes wikipedia.org check audience check expiry check signature assertion
  42. 42. assertion Valid for: 2 minutes wikipedia.org public key
  43. 43. assertion Valid for: 2 minutes wikipedia.org
  44. 44. assertion session cookie
  45. 45. demo #1: http://www.voo.st/ fmariertest@eyedee.me
  46. 46. Persona is already a decentralised system
  47. 47. SMS with PIN codes
  48. 48. SMS with PIN codes Jabber / XMPP
  49. 49. SMS with PIN codes Jabber / XMPP Yubikeys
  50. 50. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts
  51. 51. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates
  52. 52. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates Password-wrapped secret key { "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..." }
  53. 53. decentralisation is the answer, but it's not a product adoption strategy
  54. 54. we can't wait for all domains to adopt Persona
  55. 55. we can't wait for all domains to adopt Persona solution: a temporary centralised fallback
  56. 56. demo #2: http://sloblog.io/ fmariertest@aol.com
  57. 57. Persona already works with all email domains
  58. 58. identity bridging
  59. 59. demo #3: http://www.reasonwell.com/ fmariertest@yahoo.com
  60. 60. Persona supports all modern browsers >= 8
  61. 61. Persona is decentralised, simple and cross-browser
  62. 62. it's simple for users, but is it also simple for developers?
  63. 63. <script src=”https://login.persona.org/include.js”> </script> </body></html>
  64. 64. navigator.id.watch({ loggedInEmail: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
  65. 65. navigator.id.watch({ loggedInUser: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
  66. 66. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
  67. 67. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
  68. 68. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
  69. 69. navigator.id.request()
  70. 70. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
  71. 71. eyJhbGciOiJEUzEyOCJ9.eyJwdWJsaWMta2V5Ijp7ImFsZ29yaXRobSI6IkRTIiwieSI6ImNhZDg2ZDg yNWU0MjBkMGI4Njk5MjM4ZDM5ZTFjYjIyOGMyMTk1NWFiMzcwOTQ1YzExNzBhMzM4NjcyNDM0ZDJmNGY xZDg5ZjFkZjMzNmU1ZjZjZjk2YjhiOTlmMjgyNmFjNTYxZmI1YWMyYTc4ZjNhMzBkNGYxNTVhYjc3ZGE xYmY3MWU4ZGMzNjQ0MmU2NjQ3MmE5Mjg0N2I2YjFlNDRkMTJlM2IwMjVjOWZmNTFmNDdhMWE5ZWYyMGZ hOTVjMTcxZjBkMTYzNGE4ZTY4YTk5NWU3ZjFjY2FiYTJlOTRjYTI3ODE1ZWVkMTcxYjY1YTJmZGQzNTE 1NjY3OTI0ZjUiLCJwIjoiZmY2MDA0ODNkYjZhYmZjNWI0NWVhYjc4NTk0YjM1MzNkNTUwZDlmMWJmMmE 5OTJhN2E4ZGFhNmRjMzRmODA0NWFkNGU2ZTBjNDI5ZDMzNGVlZWFhZWZkN2UyM2Q0ODEwYmUwMGU0Y2M xNDkyY2JhMzI1YmE4MWZmMmQ1YTViMzA1YThkMTdlYjNiZjRhMDZhMzQ5ZDM5MmUwMGQzMjk3NDRhNTE 3OTM4MDM0NGU4MmExOGM0NzkzMzQzOGY4OTFlMjJhZWVmODEyZDY5YzhmNzVlMzI2Y2I3MGVhMDAwYzN mNzc2ZGZkYmQ2MDQ2MzhjMmVmNzE3ZmMyNmQwMmUxNyIsInEiOiJlMjFlMDRmOTExZDFlZDc5OTEwMDh lY2FhYjNiZjc3NTk4NDMwOWMzIiwiZyI6ImM1MmE0YTBmZjNiN2U2MWZkZjE4NjdjZTg0MTM4MzY5YTY xNTRmNGFmYTkyOTY2ZTNjODI3ZTI1Y2ZhNmNmNTA4YjkwZTVkZTQxOWUxMzM3ZTA3YTJlOWUyYTNjZDV kZWE3MDRkMTc1ZjhlYmY2YWYzOTdkNjllMTEwYjk2YWZiMTdjN2EwMzI1OTMyOWU0ODI5YjBkMDNiYmM 3ODk2YjE1YjRhZGU1M2UxMzA4NThjYzM0ZDk2MjY5YWE4OTA0MWY0MDkxMzZjNzI0MmEzODg5NWM5ZDV iY2NhZDRmMzg5YWYxZDdhNGJkMTM5OGJkMDcyZGZmYTg5NjIzMzM5N2EifSwicHJpbmNpcGFsIjp7ImV tYWlsIjoiZm9vQG1vY2tteWlkLmNvbSJ9LCJpYXQiOjEzNzY1MzY0NjM1MTgsImV4cCI6MTM3NjU0MDA 2MzUxOCwiaXNzIjoibW9ja215aWQuY29tIn0.IeUR0_3ayAZkdNSXjF4aaCwSHnHa4X1lzrjX-qkNcPI bXx1hmQQPwg~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjEzNzY1MzY3MDc2MzUsImF1ZCI6Imh0dHA6Ly9 sb2NhbGhvc3QifQ.NJ8H1qZcWXbXfPJSdgB_mORHQ442ZkY0XYfdQsZZsIjooG7k7qWyVw
  72. 72. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
  73. 73. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']);
  74. 74. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “francois@mozilla.com”, issuer: “login.persona.org” }
  75. 75. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']); if ($result->status === 'okay') { echo "Hi " . $result->email; } else { echo "Error: " . $result->reason; }
  76. 76. { status: “failed”, reason: “assertion has expired” }
  77. 77. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']); if ($result->status === 'okay') { echo "Hi " . $result->email; } else { echo "Error: " . $result->reason; }
  78. 78. navigator.id.logout()
  79. 79. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
  80. 80. 1. load javascript library
  81. 81. 1. load javascript library 2. setup login & logout callbacks
  82. 82. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons
  83. 83. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership
  84. 84. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership no API key needed
  85. 85. you can add support for Persona in four easy steps
  86. 86. one simple request
  87. 87. building a new site: default to Persona
  88. 88. working on an existing site: add support for Persona
  89. 89. before
  90. 90. after
  91. 91. after navigator.id.request()
  92. 92. ALTER TABLE user DROP COLUMN password;
  93. 93. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org
  94. 94. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
  95. 95. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
  96. 96. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
  97. 97. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
  98. 98. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
  99. 99. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  100. 100. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  101. 101. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  102. 102. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  103. 103. © 2013 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ Australian passport: https://secure.flickr.com/photos/digallagher/5453987637/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits:

×