
A digital skeleton key to access any website - signaler
http://docs.higg.so/2015/03/10/a-digital-skeleton-key-for-accessing-any-website-proposal/
======
phantom_oracle
Don't waste your time solving this.

Your "ultimate solution" will just become another on top of the "ultimate
solutions" listed as the services you indicated on your post.

Your idea seems too narrow to address a mass-market.

The tools that exist are already serving niches:

- Bugmenot - to bypass signups where something important is needed behind the
signup-wall but probably not an account you'd use for amazon.com

- Quick signups = social login. Most people are content to connect to sites
via Google/Facebook login, which avoids the entire signup process

- Lastly, don't forget OpenID - it died recently and was an attempt to unify
the login process. Probably exactly the use-case for you.

Truth be told, site-makers have signups because they can and do so because
they want to capture data from users for "important" advertising,
user-data-selling, etc.

So long as users are happy to sacrifice some data for a 'free' service, this
is the model the internet will continue to thrive on and signups will
continue.

If you want to go ahead and try to solve the problem for yourself, it may be
worth it. For the average user though, this is another non-problem in their
quest to use x-social-cool-new-app that requires me to just login via Facebook
so I can "share" stuff.

Good luck!

~~~
donpdonp
OpenID is still a thing (it's hard to kill a protocol). While most OpenID
providers have gone away, indieauth.com will allow you to delegate your domain
name to it.

    
    
      <link rel="openid.server" href="https://indieauth.com/openid" />
      <link rel="openid.delegate" href="http://mynamedomain.com/" />
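
Added example (not part of donpdonp's comment or the original thread): a check a site owner could run on a page carrying delegation tags like the two above. The OpenID 2.0 rel names, the `audit_delegation` helper, the findings it reports and the sample page are assumptions made for illustration; only `<link>` elements inside `<head>` are honoured, so markup echoed into the page body cannot redirect the identity.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel tokens used for HTML-based discovery (OpenID 1.1 names, then 2.0 names)
ENDPOINT_RELS = {"openid.server", "openid2.provider"}
LOCAL_ID_RELS = {"openid.delegate", "openid2.local_id"}

# Constructed sample: the two tags from the comment, plus a stray tag in <body>
SAMPLE = """<html><head>
<link rel="openid.server" href="https://indieauth.com/openid" />
<link rel="openid.delegate" href="http://mynamedomain.com/" />
</head><body>
<link rel="openid.server" href="http://injected.example/openid" />
</body></html>"""

class LinkCollector(HTMLParser):
    """Collect (rel token, href) pairs from <link> elements inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if a.get("href"):
                    self.links.append((rel, a["href"]))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def audit_delegation(html, page_url):
    """Return (endpoints, local_ids, findings) for one identity page."""
    parser = LinkCollector()
    parser.feed(html)
    endpoints = [h for r, h in parser.links if r in ENDPOINT_RELS]
    local_ids = [h for r, h in parser.links if r in LOCAL_ID_RELS]
    findings = []
    if urlparse(page_url).scheme != "https":
        # Over plain HTTP, anyone on the path can rewrite the tags in transit
        findings.append("identity page served without TLS")
    findings += [f"provider endpoint not https: {h}"
                 for h in endpoints if urlparse(h).scheme != "https"]
    if local_ids and not endpoints:
        findings.append("delegate declared without a provider endpoint")
    return endpoints, local_ids, findings
```
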

~~~
lucaspiller
...and you can easily be your own provider. The main issue is that pretty much
nobody supports it now, I haven't seen a 'Login with OpenID' button for a
while.

OpenID has gone the same way as XMPP, a good open and decentralised protocol
lost to proprietary social networks.

~~~
donpdonp
I agree it's mostly gone. Here are the sites I can think of that still support
OpenID login:

[https://stackexchange.com/users/login](https://stackexchange.com/users/login)
[https://bitbucket.org/account/signin/](https://bitbucket.org/account/signin/)
[http://openid.yahoo.com/](http://openid.yahoo.com/) still responds,
surprisingly. The wordpress openid plugin is still around.

------
ianlevesque
The #1 reason I prefer mobile apps to web apps is because even those that
require sign in will remember my login permanently. The entire rest of the web
(with rare exceptions) all seems to believe that it's acceptable to require
re-login over and over and over. I've drastically reduced the number of sites
I use just to end the madness, even with 1Password. How is this still not
solved in 2015?

~~~
whoopdedo
How long until someone learns to use a replay attack to hijack sessions from a
mobile app?

I'd say about half, probably more, of the web sites I log into are able to
hold the session for an extended period of time. A few are very aggressive
about expiring cookies and often it's because my IP address changes. Those
sites are also ones that deal with frequent spamming or DDoS.

On the other hand, frequently having to login helps me remember my passwords.
I can tell you right now I probably won't get into HN on the first try because
I haven't had to type the password here for over a year.

------
na85
The author's indignation at registration systems that aren't easy to automate
is confusing. I view that as a feature, not a bug.

Why the fuck would any service provider want to make it easy for spammers to
automate mass registrations as the author seems to want?

It's literally the reason CAPTCHA was invented.

~~~
signaler
Please refer to my comment on Dysprosium's post for my answer on this. Also I
may add that it is not a system for spammers, but a system like bugmenot where
we can bypass the often arduous process of registration. I happen to have RSI
(Repetitive Strain Injury) on my wrist and registration forms are the final
boss of the internet so although a system would be nice for myself, I can also
see a huge need for others to use it.

~~~
na85
Building an easily-automated registration system that's "not for spammers" is
like building a back door into an encryption scheme that's "not for foreign
state-sponsored hackers".

~~~
signaler
Automation is a small part of the system and not the main concern. The main
concern is making the experience of surfing the web less harrowing for surfers
and to make it more smooth. There are many walled garden sites arbitrarily
locking away information and that is counter intuitive to what the web is
about, which is free access to information. In the true nature of the web,
there would be mechanisms in place to unlock information, like a web browser
is expected to unlock information. People's use of fake useragents that spoof
a Googlebot to access Quora being a perfect example.

~~~
nitrogen
"Small parts" that are "not the main concern" are often very juicy targets for
attackers.

------
djloche
As a sidenote: the mention of Ireland not having postal codes led me to the
wiki article:
[http://en.wikipedia.org/wiki/Postal_addresses_in_the_Republic_of_Ireland](http://en.wikipedia.org/wiki/Postal_addresses_in_the_Republic_of_Ireland)
which goes into detail:

>"The introduction of a National Postcode System, known as "Eircode", is
planned to take place in Summer 2015."

>"An Post did not introduce automated sorting machines until the 1990s. By
then, the optical character recognition (OCR) systems were advanced enough to
read whole addresses, as opposed to just postcodes, thereby allowing An Post
to skip a generation. Consequently, mail to addresses in the rest of the state
does not require any digits after the address."

~~~
TazeTSchnitzel
I find it really interesting that Eircode gives each building its own code!
That's better than the UK's system.

~~~
handelaar
And to look them up on your web site will only cost €4000 per year per site.
Bargain!

------
meesterdude
I don't at all agree with the author's post.

Yes, sites have different flows for signup. This is not a "problem". Different
sites want different things, or have different needs. Some will have Captcha,
others will require CC, or what have you.

Yes, there are some sites that require login and are just being asshats for
it. And for those, bugmenot is good.

But for others, there is a need for signup. And that shouldn't be swept under
the rug.

I think a better approach could be to push for more usability and
accessibility of the forms. Because that's something I am all for.

------
walterbell
Is the author proposing an open-source tool for registration
automation/scraping, which would compete with LastPass, 1Password, etc? Or
open-source infrastructure that could be used by all such services?

~~~
signaler
Hey. Author here. Yes the tool would be open source and automate the process
of registration. Alongside registration, it will borrow ideas from bugmenot
where logins are ranked according to whether they work or not. The only
difference being that machine learning and other means are used to rank
instead of an upvote system which is mostly unreliable.

Keep in mind, there are inherent problems like T.O.S breaching so the tool
would have to deal with them the right way, and through the right channels.
Perhaps a standard could be implemented and sites could 'opt in' to having the
skeleton key used on their site. So yeah - like open source infrastructure
too.

~~~
icebraining
Would the proposed system use shared accounts, or automated new account
registration for the user?

If the former, I think the opt-in is a dead end. If the websites thought that
was good for them, they'd enable anonymous use, and it even might be illegal
for them to cooperate (e.g. they would be breaking COPPA by offering a way for
under-13 to use the site without following the proper steps).

~~~
signaler
It would use both shared accounts, and auto registration, which depend on how
complex the registration system is and what requirements it has. For example,
on sites which have lots of traffic it is preferable to have a swarm of newly
registered accounts arriving all the time because of unreliable users of the
account deleting it, changing the password etc. On less traffic'd sites it
would be preferable to have a few small accounts. I've observed this on
bugmenot...

------
mirimir
This seems like a solution for a problem that mostly doesn't exist anymore. I
rarely encounter sites that require registration merely for reading. Many
newspaper sites used to do that, but now they're mostly open, or paywalled.

On sites where I post or buy stuff, why would I want shared accounts? Maybe I
can see it for software support sites. But even there, account reputation can
be important.

~~~
signaler
I thought of that too, and it would not be preferable to have shared logins,
or an automated system in place for registering on e-commerce sites, or sites
where money is moving in them. One could argue that a large portion of
websites have money moving through them in one form or another, but I don't
have the numbers / stats for that. This would be more for general purpose
sites that have wall-gardened information, and also for sites that have
arbitrary registration forms which exist for all the reasons (or lack of
reasons) I outlined in my post.

~~~
mirimir
Fair enough. Maybe some examples would help me understand.

I do get that registration can be a pain. But what I'd want wouldn't be a
skeleton key, but rather a personal master key. Logins using Facebook and
Google have become common.

But, being a privacy geek, I don't have accounts. And I definitely don't do
cellphone authentication, because that is nontrivial to anonymize. However, I
would want two-factor authentication. That's the tough problem, I think.

------
Dysprosium
Aren't most websites storing long-term cookies when the user checks the
"remember me" function? Also, I think that the most difficult part of an
automatic signup system would be captchas.

~~~
signaler
This is something I have thought about, but I've observed a great many
websites that don't use a captcha because of whatever reason. All that's
needed here is to bulk-solve captchas as they are needed. Not necessarily in a
nefarious manner, but simply to isolate/silo the captcha solving process away
to another system. There could be a separate H.I.T (Human Intelligence Task)
system similar to Amazon's Mechanical Turk program where the 'hard problem' of
captchas scales down to a more manageable problem.

Depending on the size and scope of the skeleton key system, there could even
be (very willing) people ready to solve them in exchange for a small fee.
There's a startup if I saw one. Users of the skeleton key system could go
premium if they want to bypass captcha systems and a portion of the money goes
to the captcha-solver. Probably not a new idea, as I've seen many such
nefarious systems in place for spam, except this would be legitimized!

~~~
meesterdude
You want to bulk solve captchas, in a non-nefarious manner? But do you
realize that bulk solving is nefarious? Captcha is to prove you are human, not
a bot or script.

~~~
signaler
Except for the fact that humans _are_ solving them, only getting paid for
solving them and rendering said captchas effectively redundant. The key term
here is _isolation_, where rather than captchas serving to hurt flow states,
they are isolated away and offloaded more comfortably to the solvers who are
happy to solve them in return for a reasonable fee. Google's new system is a
bit more robust however and uses fingerprinting. One could argue that
fingerprinting is more nefarious than letting people have a small income from
captcha solving. On the subject of Google's fingerprinting
[http://blog.higg.so/2015/02/24/googles-new-captcha-security-login-raises-no-concerns/](http://blog.higg.so/2015/02/24/googles-new-captcha-security-login-raises-no-concerns/)

~~~
meesterdude
You think the fact that humans are solving them in an automated fashion, instead
of a computer doing it, is what makes all the difference? Rendering the
captchas redundant is the problem.

Maybe you just need an app that signs you up for sites.

