
BLU Discuss list archive



[Discuss] eliminating passwords



> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On Behalf Of Kent Borg
> 
> On 07/28/2013 11:49 PM, Tom Metro wrote:
> > Elsewhere today there was a thread mentioning StarSSL. They take an
> > interesting approach to site security. They don't use passwords. As part
> > of the process of getting your SSL certificate, they generate a
> > client-side SSL certificate that you install in your browser.
> 
> Now I have to trust that my browser will keep that file securely. Steal
> that file and you are in.  It doesn't solve the problem, but shifts it
> to a little-used browser feature that is likely little audited for
> security and might be full of holes.

"have to" is being stated too strongly.  

The process I follow is like this:  Generate and install the user cert with the browser.  Immediately export to a file and remove from browser.  Install into the OS (by double clicking the file) and un-check the "private key exportable" checkbox.

Now, whenever any app wants to use that cert, it must request permission from the OS, which prompts me to allow/disallow.  So it can't happen without my knowledge and consent.  Meanwhile, I'm able to authenticate to the website and everything is smooth and seamless.

PS.  I also challenge the assumption that the browser developers rarely audit their cert and identity management code.  The folks working for Firefox and Chrome are not completely brain dead.
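The "install into the OS with the private key marked non-exportable" step described above, scripted on Windows as an added example. This is not code from the original message; it assumes the PKI PowerShell module (Windows 8 / Server 2012 or later), a PKCS#12 file the browser exported under the placeholder name client.pfx in the current directory, and the per-user "My" store. Leaving out the -Exportable switch is what the import wizard's "Mark this key as exportable" checkbox controls; the script then checks the result by trying to export the key again, which must be refused.

```powershell
# Added example (not from the BLU thread): import a browser-exported client
# certificate into the Windows per-user store with a NON-exportable private
# key, then verify that the key really cannot be pulled back out.
# Assumptions: PKI module available; client.pfx is the PKCS#12 file the
# browser wrote (placeholder name); store is Cert:\CurrentUser\My.

$PfxPath = Join-Path (Get-Location) 'client.pfx'
$PfxPass = Read-Host -Prompt 'PKCS#12 password' -AsSecureString

# No -Exportable switch: the private key is imported as non-exportable.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\CurrentUser\My' `
                              -Password $PfxPass

Write-Host "Imported: $($cert.Subject)  thumbprint $($cert.Thumbprint)"

# Check: a second export of the private key must fail. If it succeeds, the
# key is still recoverable from any process running as this user.
$tmp = Join-Path $env:TEMP 'reexport-check.pfx'
try {
    Export-PfxCertificate -Cert $cert -FilePath $tmp -Password $PfxPass `
                          -ErrorAction Stop | Out-Null
    Write-Warning 'Private key was exported again: NOT protected as intended.'
    Remove-Item $tmp -Force
}
catch {
    Write-Host "OK: export refused ($($_.Exception.Message))"
}

# The PKCS#12 file still holds a recoverable copy of the key; remove it once
# the store copy is confirmed, just as the post removes the browser's copy.
Remove-Item $PfxPath -Force
```

Import-PfxCertificate has no switch for the wizard's "Enable strong private key protection" option, which is what produces the allow/disallow prompt every time an application uses the key. To my understanding that protection level can be set from the command line with certutil, e.g. `certutil -user -p <password> -importPFX My client.pfx NoExport,Protect`; confirm the modifier names with `certutil -importPFX -?` on the build in use, since they vary between Windows versions.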


