‣ YouPorn
  • up to 1 million email addresses and passwords posted online
‣ LinkedIn
  • 6.5 million passwords
‣ eHarmony
  • 1.5 million passwords
‣ Last.fm
  • 2.5 million passwords
Tuesday, June 19, 12
Easier to remember
  • If one site is compromised, all are compromised
‣ Many sites constrain passwords
  • Low limits on length (My bank’s limit is 8 chars)
  • Disallowing special characters
of
‣ OAuth uses session keys instead of a username and password
  • Must still use username and password to log in to Facebook, Twitter, or Google
must still trust Facebook
‣ Most OAuth providers list websites you have authenticated
  • An attacker can use this to gain access to those sites
‣ Compromised Facebook account means all of those sites are compromised
  • Users are getting accustomed to redirection
‣ Easier for attackers to steal credentials
‣ Redirect user to faceb00k.com
  • Can have a valid SSL certificate
  • Only subtle differences to real page
with Twitter the site is given your Twitter username
‣ Other sites will get your Twitter username
‣ Your username can be used to identify you
‣ An attacker can assume the person on site 1 is also using site 2
  • This lets them track you between websites
an email address
‣ It requires that you trust a third-party to vouch for you
  • Basically saying, “Yes, this person owns that email”
‣ Like OAuth with Twitter, the email address uniquely identifies you
elegantly using public key cryptography
‣ With TrustAuth, two keys are created:
  • Private Key - similar to a password, must be secret
  • Public Key - can be shared with anyone
‣ These two keys are mathematically linked
website that supports TrustAuth
  • The browser plugin provides the site with your public key when you register
‣ Log in to an existing account
  • The plugin will also automatically provide your public key to the website
send your browser a special value with the login form
‣ The browser plugin takes this value and signs it using your private key
‣ When you hit the login button, the signed data is sent to the server
  • After verification you are logged in
manage or remember passwords
‣ Never worry about how a website stores passwords because your secret key isn’t revealed
‣ Unlike OAuth or BrowserID, TrustAuth is TNO (trust no one)
  • A stolen account on one website cannot compromise accounts on other websites.
‣ As a user, using TrustAuth is easy
  • Just install the add-on and start logging in!
‣ As a web developer, adding TrustAuth is easy
  • Install a plugin for your framework or use the library