Description: This week, Father Robert and I follow more Equifax breach fallout, look at encryption standards blowback from the Edward Snowden revelations, examine more worrisome news of the CCleaner breach, see that ISPs may be deliberately infecting their own customers, warn that turning off iOS radios doesn't, look at the first news of the FTC's suit against D-Link's poor security, examine a forthcoming Broadcom GPS chip's features, warn of the hidden dangers of high-density barcodes, discuss Adobe's disclosure of their own private key, close the loop with our listeners, and examine the results of DOM fuzzing at Google's Project Zero.

High quality (64 kbps) mp3 audio file URL:
Quarter size (16 kbps) mp3 audio file URL:

SHOW TEASE: Equifax is the awful gift that keeps on giving. The world has stopped trusting the NSA. What we thought to be a relatively ham-fisted CCleaner malware attack turns out to be an incredible piece of exploit engineering. And your favorite browser just got fuzzed. We're like a kinder, gentler, benevolent advanced persistent threat, but for your brain. Security Now! is next.

FATHER ROBERT BALLECER: This is Security Now! with Steve Gibson, Episode 630, recorded September 25th, 2017 for Tuesday, September 26th, 2017: The Great DOM Fuzz-Off.

And of course, in the world of security, there is none more benevolent or more persistent than Steve Gibson. Steve, of course, is the big brain behind Gibson Research, ShieldsUP!, SpinRite, and our coming non-passworded overlords through SQRL.

Steve Gibson: It will not be an overlord relationship.

PADRE: The funny thing about this is, when the whole Equifax disaster first started coming out, SQRL was mentioned quite often as, yeah, you know what, we do need a better way to identify ourselves than some static numbers from a bygone era. And that sort of approach of being able to use dynamic bits of information was something that was pushed forward by a lot of cryptography experts. So I'm thinking, hey, you know what, you all should probably talk to Steve.

Steve: Well, I love the slogan that the project has about that. I just think it's got such a nice hook to it, which is "SQRL gives websites no secrets to keep." And that's key, because that's what's always happening with these information disclosures: essentially our password is a secret. And we make it up, and we give it to a website, and we say, please keep this a secret. Which is why it's so upsetting for people when, like you say, oh, I forgot my password, and they email it to you. It's like, no, that's not how you're supposed to do this. You're supposed to send me a link that allows me to set a new password, not send me my current one in the clear.

So the way SQRL works, the only thing the website has is your public key, and it's only valid for that one domain, for that one site. So they could publish it if they wanted to. It's not of any use at all, because all it does is serve to identify the user, because it's a per-user and per-site public key. And it's used then to verify a signature that they return of a nonce that the server sends. So it makes up a random bit of noise, sends it off, and says "sign this in order to prove you have the matching private key." That's all there is to it. So, but, I mean, it's just like the right way to do it. I mean, yeah, a lot of details, which is why it's taken us a few years to get it all nailed down, but it's just there now.