Node.js. OpenPGP.js. BeamAuth: Two-Factor Web Authentication with a Bookmark. (There’s always a dilemma between “publishing soon” and “polishing for peer review.”
This is my first attempt at blog-based collaborative peer-review. Let’s see how it goes!) The Problem Phishing is a serious issue, and it’s only getting worse. Through various means, Alice ends up at a spoofed web site she thinks she recognizes (usually her bank). Various anti-phishing solutions in the past help to some degree, though they all tend to have one annoying property: if the user is really not paying attention, if the anti-phishing solution errors out, the user gets phished.
That’s not okay. OpenID and CardSpace The OpenID project is a distributed, web-based single sign-on system that requires no changes to the user’s browser. Meanwhile, Microsoft is about to deploy CardSpace, a radically new way to authenticate to web sites, with a significantly revamped client-side experience. So the question is: can we find a middle ground?
Related Work A Proposal: BeamAuth How does this prevent phishing? Demo! Hottest 'challenge-response' Answers. Jquery - jCryption + CRAM are a good alternative to SSL. How to encrypt user passwords. By Daniel Fernandez <dfernandez AT users.sourceforge.net> 1. Overview Almost all modern web applications need, in one way or another, to encrypt their users' passwords. We could say that, from the moment that an application has users, and users sign in using a password, these passwords have to be stored in an encrypted way. There are some intuitive reasons for this: our data stores can be compromised, and so can our communications. 2. So, we have to encrypt passwords, but... how? I. This is because, except for some specific scenarios (mainly regarding legacy integration), there is absolutely no reason for a password being decrypted. 'But what if one of my users loses his/her password?
The answer is a loud and clear NO. Now that it is clear that password digesting is a must, which digest algorithm should we use? MD5 algorithm SHA family: SHA-1 algorithm and SHA-2 variants (SHA-224, SHA-256, SHA-384 and SHA-512) II. 3. Well, the answer is... we cannot. Security - Matasano Web Security Assessments for Enterprises. What do you mean, "Javascript cryptography"?
We mean attempts to implement security features in browsers using cryptographic algoritms implemented in whole or in part in Javascript. You may now be asking yourself, "What about Node.js? What about non-browser Javascript? ". Non-browser Javascript cryptography is perilous, but not doomed. For the rest of this document, we're referring to browser Javascript when we discuss Javascript cryptography. Why does browser cryptography matter? The web hosts most of the world's new crypto functionality. What are some examples of "doomed" browser cryptography? You have a web application. Or, you have a different application, where users edit private notes stored on a server.
What's wrong with these examples? They will both fail to secure users. Really? For several reasons, including the following: What's the "chicken-egg problem" with delivering Javascript cryptography? That attack sounds complicated! Second, the difficulty of an attack is irrelevant. Yes.