Client-side SSL


  • Vivaldi Translator

    [center][size=4][b][u]Are we getting the most from SSL ?[/u][/b][/size][/center] I was thinking about the use of certificates for authentication in reverse. It occurs to me that the SQRL system being developed by Steve Gibson reverses the traditional logon by getting the user to have their own unique personal token. In essence this is what SSL does, so I thought "Why is it only used the way it is?" eg. used to make sure the site you are using is safe, or to send authenticated or encrypted email. I thought; "Why can't I alternatively use the Commodo SSL certificate I now own for my Vivaldi mail, to log into Vivaldi ?" So I went and had a look, and it seems I am not alone in thinking this. Christian Weiske has created a guide to using client-side certificates in PHP http://cweiske.de/tagebuch/ssl-client-certificates.htm I see this as an alternative login like SQRL, that some users may prefer. All the client needs to do is send a signed email to register that certificate to the account. They could then maybe choose to rely on completely automatic login, or enable 2-phase login with a simple 4 digit PIN. The registered password on the site can then be treated as backup, and be a secure long random alpha-numeric password. It would simplify users experience, but I have to ask "would it make life hell for the Vivaldi devs ?" Most importantly "Do any users want something like this?" SSL certificates are available for free, so cost is no issue. OK. Want to know the truth ? :whistle: I'm getting annoyed at the fact Vivaldi does not remember me. Must be the cookie-monster in my PC :lol:



  • "SSL certificates are available for free"

    That's news to me. For limited time trial use, as Commodo's (90 days).
    I do not think it feasible to have have to go and renew your cert very 90 days (If the CA will allow that. They are in Bussiness to make money after all.)


  • Vivaldi Translator

    SSL certificates for email are free for personal use.
    The 90 day trial must be for business or site certificates.
    http://www.comodo.com/home/email-security/free-email-certificate.php
    They are also available from StartSSL if you want another option.
    http://www.startssl.com/?app=1



  • Thanx for updating me on this topic. I will indeed be looking further into this.
    I can only remember back to the late 90s when I attempted to get my company to incorporate digital signatures in important electronic documents in our document management system. The higher-ups were not impressed with the costs involved, regardless of the protection it could give the verify the document's signature.


  • Vivaldi Translator

    Unfortunately the free certificates have not been crusaded enough by those that have found them.

    I did some tests with some of the bods in the SGC news groups, so we know that Linux and Mac users also have no problems installing them.

    A note for people that have never used certificates
    The important thing to remember when requesting a certificate, is that the request is tied to the browser that you used.
    eg. You cannot order it from work, then collect it at home.
    Once you have actually installed it, it is installed the OS so you can export it for use elsewhere.

    Well Greybeard, have you checked it out yet ?
    It would be good to comment on how easy you find the process, so other users may feel they can also easily secure their emails.

    I was hoping for a bit of banter on the original topic, as I feel this fits with Jon's secure outlook for the Vivaldi community.
    So please, anyone with any ideas on the feasibility of something like this, feel free to share.



  • @Dr Flay, not as yet. It is on my list of items to look into.

    Lots of melt here in past few days, some wiring and plumbing to fix as well as having three computers lined for rebuilds. Trying to fit time for personal interests…



  • Norwegian authorities are now warning against what could be the biggest security disaster in internet history.
    Advise: Change all your passwords - at a once.
    There has been established a website - Heartbleed.com - with comprehensive information about Heart Bleed hole, how it affects and how both private and professional can protect themselves.



  • @leirom:

    Norwegian authorities are now warning against what could be the biggest security disaster in internet history.
    Advise: Change all your passwords - at a once.
    There has been established a website - Heartbleed.com - with comprehensive information about Heart Bleed hole, how it affects and how both private and professional can protect themselves.

    I think this is somewhat over blown. At most you need to change passwords on sites that contain your personal data. Such as your bank.
    If I had passwords from a whole lot of accounts, I wouldn't be me I would break in to. If you have nothing, no one wants it.
    Or as Bobby McGee said " Freedom's just another name for nothing left to lose."



  • @booBot:

    Should we expect an update for Opera v12 regarding the HeartBleed OpenSSL issue?

    Opera 12 doesn't support SSL heartbeat and is not affected.



  • Oh, there will be an update for the O)pera 12 updater because there is a theoretical chance that that can be abused…

    see:
    http://blogs.opera.com/security/2014/04/heartbleed-heartaches/



  • @QuHno:

    Oh, there will be an update for the O)pera 12 updater because there is a theoretical chance that that can be abused…

    see:
    http://blogs.opera.com/security/2014/04/heartbleed-heartaches/

    Thanks for the link QuHno



  • A new, non-profit CA has recently been announced by EFF.
    The CA, Let’s Encrypt, is a combined effort between the EFF, Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan and is scheduled to be operational by mid 2015. The project is aimed at reducing or eliminating "the complexity, bureaucracy, and cost of the certificates that HTTPS require".

    Not sure as of now whether or not the CA will offer client side SSL.

    For those with an interest, there is a developer preview:

    https://github.com/letsencrypt/lets-encrypt-preview

    and a video: https://www.youtube.com/watch?v=Gas_sSB-5SU

    The original EFF article can be read here:

    https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web



  • Re: Client-side SSL

    What about technology that creates PGP on SERVER on SESSION START,
    Then on CLIENTS connect, it creates PGP in client, and they communicate with each other using RSA?
    JavaScript and PHP allows this. You can use plain HTTP then, and it can work on hosting, that makes you pay for SSL and it's secure.



  • @quang-luan Your approach is similar to what OTP encryption does.



  • @gwen-dragon And I can set up algorythm independent of service provider. So I can encrypt really well on $3 hosting. But is it necessary? If somebody could take use of it, I could write it down.

    Service Specification could handle that kind of communication too.

    And on server, it's just DB stored keys on cheap hostings.



  • @quang-luan But i do not know a implementation like this on webservers.
    OTP and OpenPGP encryption for messages is more used on chat messengers like Pidgin.



  • @gwen-dragon webchat ;) i.e. temporary encrypted chatrooms for people that need save talks, that even being point to point, are encrypted.



  • @quang-luan Yes, but i guess that it is not a low-level webserver protocol but a web app implementation. if i am wrong please tell me what RFC standard that is.
    I am only a dumb webdev and programmer and :older_woman: :eyeglasses: , not a young webchat user ;)



  • I'm not doing RFC even if I implement it.

    Last time I went around RFC, somebody understood SVG instead of BOX MODEL, even thou I was stating it was BOX MODEL. And I don't want my name on it even thou. Money would be useful, but...

    It's simple, on server you first send CLIENT and your SERVER PUBLIC KEY to USER. Then USER's CLIENT generate USER's PUBLIC KEY and send it, already encrypted by server public key to SERVER.

    I don't see where it can get's broken if PRIVATE KEYS are secured. I really don't think standardly or normalized, I don't know how RFCs are written and where are they submited, when I tried to submit RFC further I've got was their workgroups github, when It was misunderstood a little bit.

    Browser can encrypt/decrypt in JavaScript, you can also use Browser JavaScript Service Runner for that, so you have one keypair for one ORIGIN.

    For RSA there is a library for encryption.

    In PHP on Server Side you can use middleware to encrypt this way, but you need to:
    respond on encrypted request by encrypted information
    respond on unencrypted request by sending encryption client

    You can also just use OB_Start, and Flush it to encrypter... And if requests post data is encrypted and valid, send it back, if not send error,

    Full URL is always going to be visible, so you can set up encrypted channel on "$algorythm".crypt.domain.net and set route data in encrypted post request with client.

    Problem could be ajax request, you need to encrypt every ajax request, if you are using any kind of Wrapper for ajax, i.e. jquerry, you can modify wrapper, to encrypt/decrypt ajax as it flows, if you are using vanillas, and you don't have ajax wrapper written, you need to manually change every ajax request.

    Is this explained enought?


Log in to reply
 

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.