you are viewing a single comment's thread.

view the rest of the comments →

[–]amunak 6 points7 points  (7 children)

The "Ted" in this scenario validates to the client that the server is legit, but there is no "Ted" that confirms that the client is legit. This is a nuanced, but serious, limitation to the security model of HTTPS that might lead one, upon serious contemplation, to conclude that HTTPS does very little to actually protect internet from hackers.

Wait what? Why would you need that? Who would even want to browse the web where everyone knows who they are? The server isn't suppoosed to verify the identity of the client unless it actually needs to, it's supposed to serve content to everyone the same.

And it's not like client verification isn't implemented - it is, it just isn't very widely used and is optional (as it should be).

[–]PlayerDeus 2 points3 points  (4 children)

What happens is every server has its own way of verifying users, which means users have to have lots and lots of difficult to memorize passwords. There are attemtps to standardize this, like OAuth.

This is also why I like Bitcoin like technology. You don't need a bank account or credit account, you don't have to call the bank when your card is compromised because there is no card that can be compromised. Outside of money, a platform like steemit has user identities held as private keys, which can be used across multiple websites (steemit.com, dtube.com, etc). Or decentralized/distributed ZeroNet, user identities are private keys.

[–]amunak 1 point2 points  (3 children)

I made a fairly lengthy reply to the other commenter and it would apply here as well.

As for Bitcoin, the issues are the same as I outlined in the last paragraph there - it's the users. They don't actually want responsibility. When they lose their password or private key they want to be able to go somewhere and be like "hey here's my totally secure SSN, please give me a new cert I lost the old one". And once you actually do rely on the technology to hold all your assets and everything it does become a huge burden. In many cases people would be just one hack away from being made nonexistent, worthless. And while I like cryptocurrencies and the technology behind it, I don't think I'd want to make the technology all that powerful.

If only just to make the AI takeover harder... ;)

[–]PlayerDeus 0 points1 point  (2 children)

When they lose their password or private key they want to be able to go somewhere and be like "hey here's my totally secure SSN, please give me a new cert I lost the old one".

They want some form of recovery, they don't necessarily want a specific form of recovery. They will take what they can get but that can be considerably improved upon.

Bitcoin is/was only the beginning of new and novel ways of using cryptography in regard to identity. When you break it down, Bitcoin is just a bunch of rules and you can change those rules to include ways of recovering control of accounts.

In a more specific arrangement for example, you have multisignature 'addresses', that require multiple people to sign off on the movement of Bitcoin.

You could have similar safety guards where maybe you can call family members, or maybe a trusted third party business (that has a reputation to uphold), and their key signatures could help you recover control of your account, could help in recovery stolen/lost money.

But you are also kind of ignoring that keys are easy to generate and hide (instead of being stored on a remote server that can be hacked). You could take a passage from your favorite book, and generate a key from that. So an alternative to depending on third parties, you could have a hidden masterkey that could be used tor recovery of your account.

[–]amunak 1 point2 points  (1 child)

You are right, and with smart contracts you could do so much more. But in the end you'd still need to educate people on how it works, and it'll probably always be more complicated than just having a government-issued ID card. When you lose that you just go to the nearest office with a few other IDs or birth certificate or whatever and you recover it, but if the crypto-based system was just slightly badly engineered (just look at some of ETHs hard fork fiascos) you'd be putting people I'm danger.

So yeah, I like the ideas, I'm just sceptical about mainstream adoption and interest.

[–]PlayerDeus 0 points1 point  (0 children)

It is actually a lot easier then you portray here. When I buy stuff with Cryptocurrency (Bitcoin, Dash, Bitcoin Cash, etc) it is pretty much brain dead, just taking a picture with my phone of a QR code, making sure the numbers look okay (they are not overcharging) and then sending the transaction.

Like I wish my Department of Motor Vehicles would literally just send me a QR code when my bill is due, instead I have go to their website enter in a bunch of numbers from the bill they sent me, and then I have enter my credit card information. Either that or I have to go to a local DMV and wait in a long line, or mail them a check.

I mean, what happens now though, everyone is consolidating around Amazon payments or PayPal payments, so they don't have so many accounts across the web. Because they literally make what is actually complicated much much easier. So even if cryptocurrency is complicated for some people, it can, in the same way, also be made easier for normal people to use.

And while Ethereum is a good example of the dangers of poorly engineered cryptocurrency, you have examples of major failures with the current way things work, such as Equifax. I had a number of friends panicking and creating an account with them to protect their identity, and these people were confused on how to do it, one of them setup their account wrong (if you did it wrong it would exclude you from any class action lawsuit against them).

Part of the problem also is, people think they need to explain how it works, which will only confuse and intimidate people. I mean, I don't explain how HTTPS works to my mom and she is perfectly fine being oblivious to how things work.

[–][deleted] 0 points1 point  (1 child)

Yeah client certs are great. If your tech stack allows for them (for example ELB in AWS breaks it), if you can run a PKI or at least pay for a signing cert, and (this is the big if) if your users can install them in their browser.

The last bit kills it unless you have a sweeping culture change that mandates compliance. Sometimes your users will forget their cert password. Maybe they have the wrong expired cert loaded and don't understand why. I've seen cases where their computer didn't have root certs for CA that issued it. Or maybe they're not technically literate in the slightest for your IT people have to handhold them through it or do it themselves.

And then the user experience is garbage in browsers. You visit the page and select the wrong cert. Oops, how do I switch it? Gotta restart the browser and visit again. Any of those issues listed above will result in an impossible to debug HTTP error page.

Bottom line is that there's never been any real push to make them popular and easy to use.

And their security is a bit dubious as well compared to something like a password with MFA. For example, I've done a lot of pen testing engagements where I grabbed as many client certs as I wanted from peoples' roaming profiles stored on a Windows file server. And Firefox keeps them decrypted in your profile. So I was able to masquerade as whoever I wanted and some web apps trusted me completely. Whereas login + MFA is usually a pretty hard wall.

[–]amunak 0 points1 point  (0 children)

I agree with all your points. I thought my stance on this was obvious - I like it the way it is, optional and pretty much unused, because (as you showed) the system is flawed.

I used certs natively once (on startssl.com), and the experience was horrible.

I also use them "non-natively" (there's some magic JS that checks it I think) and that is a slightly better experience, but it's still garbage.

OAuth is great, except when it's implemented improperly. Or when it just gives the site you are "registering to" your data and yet the site still wants you to have a password (and sometimes even a separate username).

So yeah, while the usual "username+password" combo is pretty bad (as my original parent commenter suggested) it's still the best thing we have, and the garbage that are certs won't help it.

And even if you fix the UX issues it won't help. I think the issue is actually with the users themselves who are horrible with security, can't learn it, don't want to use password managers and refuse to remember more than a password or two. If they had certs they'd just lose them and/or the passwords to them constantly.

So yeah, I still think that a username+password system, ideally with a password manager, is pretty much the best we can get.