[Discuss] eliminating passwords

[Edward Ned Harvey (blu)]

> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Kent Borg
> 
> On 07/28/2013 11:49 PM, Tom Metro wrote:
> > Elsewhere today there was a thread mentioning StarSSL. They take an
> > interesting approach to site security. They don't use passwords. As part
> > of the process of getting your SSL certificate, they generate a
> > client-side SSL certificate that you install in your browser.
> 
> Now I have to trust that my browser will keep that file securely. Steal
> that file and you are in.  It doesn't solve the problem, but shifts it
> to a little used feature browser that is likely little audited for
> security and might be full of holes.

"have to" is being stated too strongly.  

The process I follow is like this:  Generate and install the user cert with the browser.  Immediately export to a file and remove from browser.  Install into the OS (by double clicking the file) and un-check the "private key exportable" checkbox.

Now, whenever any app wants to use that cert, it must request permission from the OS, which prompts me to allow/disallow.  So it can't happen without my knowledge and consent.  Meanwhile, I'm able to authenticate to the website and everything is smooth and seamless.

PS.  I also challenge the assumption that the browser developers rarely audit their cert and identity management code.  The folks working for firefox and chrome are not completely brain dead.