
A secure way to store website users "offsite" but still own them. - self
http://autho.me
======
tptacek
With a normal SRP implementation, I'd ask questions like "why aren't you
checking _B_ mod _N_ " (you're using Wu's libs so thankfully you're not
automatically boned on the server) and "why don't you hardcode _N_ and _g_ so
you don't have to check them for safety every time you run the protocol".
That's presumably the kind of feedback you're looking for.

But that's all kind a moot point because you're delivering this over
Javascript. Making sure _g_ doesn't generate a tiny subgroup, or that _N_
isn't (say) 2 is past the point, because how can a client trust any of this?

You're not delivering the Javascript over HTTPS, but that'd be a fig leaf
anyways, because the idea is to embed this in other people's websites. Every
one of those those sites would need to load this script on a page that is (a)
itself HTTPS, (b) with every page component also delivered over HTTPS, (c)
referencing no active content from the site that could have been loaded and
cached previously without HTTPS, (d) absolutely free of cross-site scripting
flaws. Otherwise, the attacker you are considering when using SRP can
trivially snarf users passwords.

Javascript cryptography sucks. SJCL is a very nice library, and it might even
be useful in a setting like Node.js, but it does nothing to make content-
controlled code a safe place to do crypto.

This system is, right now, strictly worse than an HTTPS login prompt that
simply sends a username and password. I don't understand your idea well enough
to say whether it can be better than asymptotically as good as that same HTTPS
login system.

I get it, by the way. The idea is just "make it easier for sites that are
scared by Coda Hale's blog post to implement better - than - Gawker
authentication". But even stipulating that all of this scheme can be made to
work securely (I don't think it can): this is an awful lot of moving parts for
an awfully small value proposition.

~~~
zedshaw
Wow, longer than a single line comment. I'm impressed. :-)

I agree totally on all your points, and this still needs work, as I said.

But that age old boogeyman from the 90's of "javascript cryptography is
flawed" has to go. It works just fine, and most of the complaints people have
you can leverage against any language. Sure, it blows, but the SJCL has really
good solutions to many of the encoding issues. After that it's pretty much
just as lame as most languages.

Also, your attacks are valid on all existing sites, and I'm not claiming it
solves any of those. If an attacker can get to the browser, then you're
screwed always. I am not even trying to claim this solves any attack in the
browser, and in fact I'm saying that _all_ websites are vulnerable no matter
what people use. Even with OpenID I can use evil UI tricks to get your
password.

What this is solving is only the problem of people not wanting to setup their
own auth system and get it right. It doesn't stop a determined evil web site
from abusing it, because no solution would. It doesn't stop an idiot from
using it wrong, because no solution would. It just helps them not store
passwords, and that's it.

~~~
tptacek
I know that serving up ribeyes carved off sacred cows is your schtick and all,
but on this issue you're just wrong. Browser javascript is the most hostile
environment crypto is deployed in today; it's worse even than microcontrollers
that have to use CBC-MAC because SHA1 won't fit in code space. _It doesn't
work._

I'm writing up a document about this now, as luck would have it, but in the
meantime you could try not taking my word for and instead read Nate Lawson,
who is smarter than both of us put together:

[http://rdist.root.org/2010/11/29/final-post-on-javascript-
cr...](http://rdist.root.org/2010/11/29/final-post-on-javascript-
crypto/#comments)

Here's a hint: it's not about "encoding issues". SJCL is nice work, but SJCL
is to a working cryptosystem what mixed oxide U/Pu fuel pellets are to a
working nuclear reactor. Don't be like that boy scout who irradiated his whole
suburb building something in his garage.

~~~
zedshaw
You know what Thomas, you're right I'm being douchey. I'll work on making this
a bit better, and report on what I find.

Thanks for your comments so far.

~~~
tptacek
I had it coming. But for what it's worth: I'm a net admirer of your work. Call
me out for being unfair any time, but don't think I'm throwing darts at a Zed
Shaw picture on my wall.

------
Udo
It's an interesting concept, but I am concerned about the closed-source nature
of the project. OpenID and OAuth have gotten as far as they did because they
use a verifyable mechanism, all parts of which can be re-implemented and
checked at will. Autho.me on the other hand is just asking for the trust of
users and developers. I'm not insinuating that the code can't be trusted, but
there are issues to be aware of such as very sparse documentation and the risk
of investing a lot of work and goodwill in a single, private provider.

~~~
zedshaw
The source I have is just like the Lua that runs the website. Everything else
is standards based and totally open source. As I say in the about page, I'm
using:

<http://srp.stanford.edu/> as the protocol, specifically SRP6a but with a
SHA256 since I couldn't get a MGF1 to work in javascript. Probably change that
later.

<http://srp.stanford.edu/download.html> as the actual implementation. Yes, I'm
using that C library.

<http://crypto.stanford.edu/sjcl/> for the javascript crypto, also written by
the same people doing SRP.

And you can read the javascript files on the site to see what it's doing.

So, it's based on entirely standards based (even has an RFC) open source
protocols and uses implementations from the actual authors of said protocols.

The closed source part is just my lua Tir stuff and whatever else I make.

~~~
bobds
I've collected a few links related to JS cryptography, might be useful:
<http://disattention.com/13/javascript-cryptography/>

There is another SRP implementation in JS+PHP:
[http://www.denksoft.com/wordpress/web-development/secure-
aja...](http://www.denksoft.com/wordpress/web-development/secure-ajax-channel-
srp-hermetic/)

We definitely need more SRP implementations, glad to see more people working
on it.

~~~
tptacek
Clipperz also has a PHP SRP implementation, but it accepts any _A_ = 0 mod _N_
and thus allows people to log in without knowing their passwords, which is a
nice feature but maybe not what you want in a secure auth scheme.

------
qjz
I created an account for a user with a common name. Obviously, such names will
be used up quickly. If a user wants multiple accounts, it would be nice to
support realms, so the user portion of the name can be reused. But when I
tried "user@example.com" I got an error: _Only letters and numbers in your
login._ Any chance of supporting "@" & "." so I can have easy-to-remember
logins for different sites/purposes?

~~~
zedshaw
Sure. I'm thinking it'd probably be up to the site using the service what
their login policy is.

------
miGlanz
Hi Zed, I had this idea recently which might somehow be related to yours (or
complement it, to be more precise). I was thinking about making various
password managers (KeePassX, etc.) work better with web sites and about
storing your passwords on your mobile device and use this device to easily log
into services (for example when you're away from your PC). So the idea was
basically this:

\- show me a 2d barcode (QR-code, datamatrix, whatever) on your Sign-in page;

\- I scan this code with my mobile phone application (or simply use desktop
application that takes a screenshot);

\- this application (password manager) makes a request to your service and
authenticates me (using SRP);

\- your Sign-in page uses AJAX in the background to check if I'm already
authenticated;

\- if the auth process was finished - I'm redirected to login-only area of
your site;

So this 2d barcode would contain some kind of nonce that would uniquely
identify current Sign-in page (we obviously can't use cookies because we're
using different channels).

This whole idea could also make sign-up process much more simple (you could,
for example, encode password requirements for your site, and my password
manager would automatically generate the password according to these
requirements, and would sign me up and record credentials in itself).

Just an idea. I'm not sure if it's viable at all (there might be some hard-to-
overcome security issues), it would be nice if you let me know what you think
about it.

~~~
zedshaw
I'd have to look at it more, but I think doing the 2nd factor auth before a
simple password auth will have problems. What you really want is they login
like normal, but then they get a txt message or use an app on their phone to
do the 2nd factor.

2 factor auth though is very much possible with this, actually with any
service. I may try to hack that up as a demo this week. Maybe use twilio for
it and have it call you. Fun!

~~~
miGlanz
I wasn't thinking about second factory actually (unfortunately I can't easily
express my ideas in English, I haven't made it clear enough). The barcode
would make a first (and only) factor. Of course username/password would stay
there for backwards compatibility.

Once again, I'll try to express myself more clearly:

\- we show a username/password input boxes and 2d barcode (QR/datamatrix);

\- the user may simply enter his username/password and then everything works
your way;

\- he may also choose to use some kind of password manager that is compatible
with this protocol;

\- in this case we encode some data in the barcode (it could be some login
URL, e.g.
[https://example.com/srp/yourservice.com/?nonce=some_random_n...](https://example.com/srp/yourservice.com/?nonce=some_random_number_here));

\- this password manager scans the code and performs full SRP authentication
on the above URL; if it's successful we simply send some kind of notification
to your service - or you poll our service for the result;

\- we check the result on the actual login page as well (e.g. using AJAX): we
may simply poll some other URL, like:
[https://example.com/srp/yourservice.com/result/?nonce=the_sa...](https://example.com/srp/yourservice.com/result/?nonce=the_same_nonce_used_above)
(of cource results signing/etc. comes into play here);

\- if the result is OK we simply set session data in the cookie as usual and
from now on the user is authenticated;

This has additional advantage of the actual crypto going on in the password
manager and on the server. It also gives the possibility to perform the sign-
up process semi-automatically as well (think of password generation - the user
doesn't have to know it at all). And then think of public wifi or other
networks you don't trust: you may perform the auth via GSM using your mobile.
But the biggest improvement, in my opinion, is the usability aspect. You could
have your password manager lying in the background and when you are shown a
login page you could simply double-click an icon in your tray area and you are
immediately logged into the app. Or you could use password manager on your
mobile phone to take a shot with its camera.

I hope this time it's clearer.

~~~
zedshaw
Hmmm, yeah that's possible, but I'd have to actually implement it and then try
to hack it before I could give it any kind of blessing.

------
bstar77
Zed, you really should jslint your javascript code. Not trying to be overly
critical, but it's really a mess- not even sure where to begin- well, I would
start by not defining everything in the global namespace. Take a look at
"Javascript, the Good Parts" for info on javascript's quirks and best
practices or Pro Javascript Design Patterns.

On the more positive side, congrats on releasing yet another useful project.
This is definitely an interesting concept.

~~~
zedshaw
I'll do that, and have read that.

------
mooism2
I don't understand.

It's "single sign-on", but each individual website stores its own secrets,
there's no centralised website, when I want to change my password I have to
change it on each website.

OR

It's "single sign-on", but I have to enter my password directly into each
website I log in to, and trust that they process it in javascript instead of
surreptitiously logging it on their server.

~~~
zedshaw
I'm not sure yet since I haven't got the API designed, but I will aim for
autho.me to be a centralized web service that your clients and/or webservers
use to auth people. Most likely you wouldn't even know they're using it unless
they choose to tell you.

As for "surreptitiously logging your password", no matter what you do, they
can anyway. Just no way around it without handing all your users to some other
website, and even then clever UI evil can still trick most folks into giving
the password up.

Autho.me would be less about magically protecting you from some imaginary evil
site, and more about making it easy for sites who aren't evil to do the right
thing with their auth.

But, I still have to figure out how it will really work. This is just a test
to make sure the crypto works right.

~~~
mooism2
Ah, so it's not single sign-on really. It makes more sense now, thanks.

------
dangrossman
You can tell a website was designed on a Mac when its fonts are nearly
unreadable in Windows browsers other than Safari.

~~~
jaskerr
No need for the snark.

Zed used a cascade of Adobe Caslon, Hoefler, Georgia, Garamond and Times for
the body. Good fonts, all of them. Whose fault is it that all except Times
render poorly?*

"The crazy colors should tell you that this is only for the brave."

Maybe the same goes for the fonts.

* I checked Firefox, Chrome and IE on an XP3 system. With Chrome's Developer Tools, I removed fonts from the front of the cascade until the type looked "right", and arrived at Times. Bah.

~~~
dangrossman
Why is there no need for the snark? Do you think there is never a need for
snide remarks? _Choosing_ to use fonts that don't render well as your body
font deserves contempt! It is bad for the people reading the site, and it's
bad for the site owner.

It's neat and all that it's finally possible to use more fonts in webpages,
but this is one trend that should be avoided until someone (Microsoft or the
browser makers) figures out how to do the text rendering correctly.

------
blub
Nice choice of words. Web sites usually own your accounts, even if the
internet is open.

Magazines cater to advertisers by claiming to sell "eyeballs" and carefully
picked "readers", while acting all nice to their customers. I imagine websites
do the same when it comes to exiting, talking to advertisers, etc.

~~~
qjz
It's not just that. While there is much justified concern about user privacy
and security, it's easy to forget that the site also has assets to protect.
Giving up control to a third party is a very scary prospect for some
organizations.

------
krainboltgreene
Argh! Well, he managed to get something tangible out first, but I still think
I've got a shot with V13.

~~~
zedshaw
Haha, suck it! :-)

~~~
krainboltgreene
My design totally looks cooler though, my mom said so.

------
JonnieCache
Pink on yellow. Nice.

On an unrelated note, I'm off to satiate my sudden urge for Battenberg cake.

~~~
zedshaw
You like that? I was going for a "this shit is crazy" motif. Just to make sure
it's clear that it's new and not tested yet.

~~~
JonnieCache
No. It is horrific. You have done your job.

Maybe chuck in a few blink tags.

------
Ixiaus
This has existed for some time already - FOAF+SSL. It uses X509 certificates
and user owned FOAF files that can be provided by themselves or served from
another resource. What's even more cool, is, the user doesn't need to "log in"
nor create a "profile" since the cert authenticates the user against their
FOAF file and the FOAF file provides their profile and friend connections.

------
viraptor
Maybe I'm missing some information, but if there was a library for plugging in
SRP easily, why would a page want/need to use autho.me to do this? Why not
just use the same mechanism locally? (apart from the ability to change the
password for multiple services in one place, I'm not sure if that's a great
feature really...)

~~~
zedshaw
It took me a week+ to get this far with it, and it's still not totally right.
It is definitely not "easy" to do.

But, I'm thinking the main reason someone would do this is if they wanted to
not be responsible if there was a break-in, and to trust a 3rd party who
specializes in it.

------
JoachimSchipper
Nice to see someone actually using SRP. And understanding what's actually
possible in Javascript (note that Zed very carefully doesn't say that this is
"host-proof" or something along those lines.)

~~~
tptacek
Help me out here, Joachim, because you know where I'm coming from: what's the
setting in which this Javascript SRP implementation could improve things over
stock-standard HTTPS login?

~~~
zedshaw
You'd use both HTTPS and this, as I mentioned before. This just means that a
site using the service, if they use it right (big if), doesn't have to worry
about password storage or securing them and leaves it to autho.me. Otherwise,
everything else is pretty much the same as what you got on existing websites.

~~~
tptacek
You read my whole comment. You know you can't just use HTTPS for _your_ part
of it; that you have to have clean-room purity for every piece of content that
builds any page that ever deals with any of the mechanics of this code.

Everybody who ever thought "oh, I'll just AES encrypt passwords in Javascript
instead of using HTTPS" later came up with "oh, then I'll serve just the JS
for this crypto off some HTTPS site somewhere" when someone pointed out how
crazy that was. It is nowhere near that easy.

~~~
zedshaw
Like I keep telling you, this isn't any more or less secure than any existing
solution because the browser is not secure in the face of an attack. Even with
HTTPS if I can inject some javscript then it's a one-liner to get your
password.

So no, even with HTTPS and your proposed solution you'd still be screwed.

