nanog mailing list archives
Re: LinkedIn password database compromised
From: Leo Bicknell <bicknell () ufp org>
Date: Wed, 20 Jun 2012 15:28:02 -0700
In a message written on Wed, Jun 20, 2012 at 03:05:17PM -0700, Aaron C. de Bruyn wrote:

> You're right. Multiple accounts is unpossible in every way except prompting for usernames and passwords in the way we do it now. The whole ssh-having-multiple-identities thing is a concept that could never be applied in the browser in any sort of user-friendly way. </sarcasm>

Aw come on guys, that's really not hard, and code is already in the browsers to do it. If you have SSL client certs and go to a web site which accepts multiple domains you get a prompt, "Would you like to use identity A or identity B." Power users could create more than one identity (just like more than one SSH key). Browsers could even generate them behind the scenes for the user: "create new account at foo.com" tells the browser to generate "bicknell () foo com" and submit it. If I want another, a quick trip to the menu creates "superman () foo com" and saves it. When I go to log back in the web site would say "send me your @foo.com signed info." Seriously, not that hard to do and make seamless for the user; it's all UI work, and a very small amount of protocol (HTTP header probably) update.

In a message written on Wed, Jun 20, 2012 at 02:54:10PM -0700, Matthew Kaufman wrote:

> Yes. Those users who have a single computer with a single browser. For anyone with a computer *and* a smartphone, however, there's a huge missing piece. And it gets exponentially worse as the number of devices multiplies.

Yeah, and no one has that problem with a password. Ok, that was overly snarky. However, people have the same issue with passwords today. iCloud to sync them. Dropbox and 1Password. GoodNet. Syncing certs is no worse than syncing passwords.

None of you have hit on the actual down side. You can't (easily) log in from your friend's computer, or a computer at the library, due to lack of key material. I can think of at least four or five solutions, but that's the only "hard" problem here.

This has always failed in the past because SSL certs have been tied to _Identity_ (show me your driver's license to get one). SSH keys are NOT, you create them at will, which is why they work. You could basically co-opt SSL client certs to do this with nearly zero code provided people were willing to give up on the identity part of X.509, which is basically worthless anyway.

-- 
Leo Bicknell - bicknell () ufp org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
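The mechanism sketched in the message above, written out as an added example (this is not code from the thread, from Leo Bicknell, or from any browser or NANOG project): each site gets its own freshly generated key pair wrapped in a self-signed client certificate, the site pins the public key at signup instead of validating a CA chain (which is what "giving up on the identity part of X.509" amounts to in practice), and a login is a signature over a server-chosen nonce. The `Identity`, `Site`, `Register`, `Login` and `NewNonce` names and the "bicknell@foo.com" / "superman@foo.com" labels are constructed for the example; the TLS client-auth or HTTP-header transport the message mentions is not modelled, only the key handling and the server-side check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is one per-site key pair plus its self-signed client certificate: made at will like an SSH key, no CA involved.
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewIdentity generates a fresh P-256 key and a self-signed cert whose only name is the label chosen for this site.
func NewIdentity(label string) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // each identity is its own issuer, so a fixed serial is fine here
		Subject:      pkix.Name{CommonName: label},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Key: key, Cert: cert}, nil
}

// Sign is the browser's half of a login: an ASN.1 ECDSA signature over SHA-256(nonce), the form x509 CheckSignature verifies.
func (id *Identity) Sign(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, id.Key, h[:])
}

// Fingerprint hashes the cert's SubjectPublicKeyInfo; the site pins this at signup and never walks a chain.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Site models the server: account name -> pinned public-key fingerprint (constructed in-memory store).
type Site struct{ accounts map[string]string }

func NewSite() *Site { return &Site{accounts: map[string]string{}} }

// NewNonce is the server's fresh challenge for one login attempt.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Register enrols an account with whatever key the presented cert carries.
func (s *Site) Register(account string, cert *x509.Certificate) error {
	if _, taken := s.accounts[account]; taken {
		return errors.New("account already exists")
	}
	s.accounts[account] = Fingerprint(cert)
	return nil
}

// Login pins the cert to the stored fingerprint, then checks the signature over this attempt's nonce so a copied cert alone is not enough.
func (s *Site) Login(account string, cert *x509.Certificate, nonce, sig []byte) error {
	if want, ok := s.accounts[account]; !ok || want != Fingerprint(cert) {
		return errors.New("unknown account or key mismatch")
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return errors.New("bad signature over nonce")
	}
	return nil
}

func main() {
	site := NewSite()
	me, _ := NewIdentity("bicknell@foo.com") // constructed sample labels
	alt, _ := NewIdentity("superman@foo.com")
	_, _ = site.Register("bicknell", me.Cert), site.Register("superman", alt.Cert)
	nonce, _ := NewNonce()
	sig, _ := me.Sign(nonce)
	fmt.Println("login with own key:", site.Login("bicknell", me.Cert, nonce, sig))
	sig, _ = alt.Sign(nonce)
	fmt.Println("login with the other identity's key:", site.Login("bicknell", alt.Cert, nonce, sig))
}
```

The point of pinning the SubjectPublicKeyInfo rather than calling `cert.Verify` is exactly the trade the message proposes: the certificate's Subject is a label the user picked, carries no real-world identity, and is never trusted for anything; possession of the private key is the only thing the site checks. The nonce is what stops a captured certificate (which is public anyway) or a recorded signature from being replayed; the "log in from a library computer" problem the message flags is the same one this design has, since the key material lives only in the browser that generated it.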