Today I presented [1] Persona to a crowd of about 150 security
professionals at AusCERT [2] in Australia. To my surprise, an article
[3] was published in the Australian CSO magazine, less than 2 hours
afterwards!
My talk was scheduled right after a TLS presentation in which the
speaker ended by saying that one of the unsolved problems of TLS on the
Web is the way we handle passwords. I had a good chat with that speaker
after my own presentation and it turns out that he's working on an
SRP-like system for negotiating a shared session key without sending
one's password in clear text. That could be interesting to look at in
the context of PICL.
# Seamless logins
Prior to my presentation, at the opening reception, I was talking to
someone who suggested the idea of seamless logins on an opt-in basis.
His idea was that if you do something (e.g. tick a "Remember me" checkbox
or something along those lines), then Persona could remember that you want
to always be logged into that site. The next time you visit that site while
logged into Persona, the onlogin callback would fire automatically.
In other words, the user still has to consent (the first time) but then
he/she gets auto-login with that site.
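As an added illustration (not Persona's code, and not part of the original post), here is a toy JavaScript model of that opt-in flow: a normal dialog login once, a per-site consent record bound to the email that was used, and an automatic onlogin on later visits only while the user is still signed into Persona with that same email. The function names, the consents map and the session shape are assumptions for the sake of the example.

```javascript
// Added example (not Persona's code): a toy model of opt-in "seamless login".
// Persona's real navigator.id.watch() fires onlogin after the user picks an
// identity in the dialog; this model adds a per-site, per-email consent record
// so that a later visit can fire onlogin without the dialog. All names here
// are assumptions for illustration.

// origin -> email the user agreed to be auto-logged-in with on that origin
const consents = new Map();

// Called when the user ticks "remember me" after a normal (dialog) login.
function rememberSite(origin, email) {
  consents.set(origin, email);
}

// Called from the site's logout path or a "forget this site" UI.
function forgetSite(origin) {
  consents.delete(origin);
}

// personaSession: { email } while the user is signed into Persona, else null.
// callbacks mirror the { onlogin, onlogout } shape of navigator.id.watch().
// Returns "auto" if onlogin fired silently, "prompt" if the dialog is needed.
function visit(origin, personaSession, callbacks) {
  const remembered = consents.get(origin);
  if (!personaSession) {
    // Not signed into Persona: nothing can happen automatically.
    return "prompt";
  }
  if (remembered === undefined) {
    // No prior consent for this site: the user goes through the dialog.
    return "prompt";
  }
  if (remembered !== personaSession.email) {
    // Consent was given for a different identity. Never silently log in with
    // another email; drop the stale consent so the user is asked again.
    consents.delete(origin);
    return "prompt";
  }
  // Consent matches the active Persona identity: fire onlogin with no dialog.
  // A real implementation would pass a freshly generated identity assertion;
  // a constructed placeholder string stands in for it here.
  callbacks.onlogin(`assertion-for:${personaSession.email}@${origin}`);
  return "auto";
}

// Stand-alone walk-through of the flow with constructed sample data.
function demo() {
  const log = [];
  const callbacks = {
    onlogin: (assertion) => log.push(assertion),
    onlogout: () => log.push("logout"),
  };
  const alice = { email: "alice@example.com" };
  const results = [];
  results.push(visit("https://app.example", alice, callbacks));   // prompt: no consent yet
  rememberSite("https://app.example", alice.email);               // user ticks "remember me"
  results.push(visit("https://app.example", alice, callbacks));   // auto
  results.push(visit("https://other.example", alice, callbacks)); // prompt: consent is per site
  results.push(visit("https://app.example", null, callbacks));    // prompt: not signed in
  results.push(visit("https://app.example", { email: "bob@example.com" }, callbacks)); // prompt: other identity
  results.push(visit("https://app.example", alice, callbacks));   // prompt: consent was dropped
  return { results, log };
}
```

The point worth noticing is the third branch: binding the consent to the email, not just to the site, keeps a later identity switch in Persona from silently logging someone into an account they never agreed to use there.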
# Behavioral analysis
The other thing that this person suggested was the use of behavioral
analysis tools (similar to what banks and credit cards use to detect
fraud) in the fallback IdP.
We could potentially use this to adjust the number of factors required
for logging in, once we have 2-factor support of course.
# Questions from the audience
- How do you handle websites for which users don't want to give their
email address?
- What happens when a user wants to change an email address?
- Does the certificate given by your email provider expire?
- How does the system move private keys around a user's multiple devices?
- Doesn't the verifier get a log of all websites users log into?
Francois
[1] Slides and audio recording: https://www.slideshare.net/fmarier/auscert2013-persona
[2] http://conference.auscert.org.au/conf2013/ (around 1000 attendees)
[3] http://www.cso.com.au/article/462796/auscert_2013_kill_password_says_mozilla/