home.social
Sign in Create account

#secureauthentication — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #secureauthentication, aggregated by home.social.

  1. Erik van Straten @[email protected] ·

    @pake_preacher : I forgot the details of PAKE and SRP, but in the end the most secure client authentication requires:

    1️⃣ Strong, long term, human comprehensible, *serving endpoint* authentication;
    *AND*
    2️⃣ TLS channel binding (enforcing known endpoints).

    (Apart from those, both serving endpoint AND client MUST be trustworthy).

    🚨 The -corrupt- CA/B forum breaks 1️⃣ by:
    a) Advocating anonymous Domain Validated certificates, which render secure account creation IMPOSSIBLE;
    b) Continuously decreasing certificate lifetime.

    🚨 Furthermore, "legitimate" MitM's * break 2️⃣.

    * Man in the Middle, like on-device virusscanners and firewalls that "open" TLS tunnels (both requiring installation of a dedicated root certificate) and proxies such as (definitely not limited to) Cloudflare and Fastly.

    😱 Passkeys enforce NEITHER 1️⃣ NOR 2️⃣.

    😱😱 Worse, because passkeys (or FIDO2 hardware keys) can be easily irretrievably "lost", servers typically provide WAY EASIER phishable authentication methods (such as "rescue codes").

    @cendyne @soatok @chazh

    #AitM #MitM #SecureOnlineAuthIsHARD #SecureAuthentication #OnlineAuthentication #Authentication #Impersonation #ChannelBinding #TLSchannelBinding #UTM #TLS #TLSinterception #TLSscanning #Proxy #Proxies #GoogleIsEvil #CloudflareIsEvil

    #aitm #mitm #secureonlineauthishard #secureauthentication #onlineauthentication #authentication
  2. Erik van Straten @[email protected] ·

    @pake_preacher : I forgot the details of PAKE and SRP, but in the end the most secure client authentication requires:

    1️⃣ Strong, long term, human comprehensible, *serving endpoint* authentication;
    *AND*
    2️⃣ TLS channel binding (enforcing known endpoints).

    (Apart from those, both serving endpoint AND client MUST be trustworthy).

    🚨 The -corrupt- CA/B forum breaks 1️⃣ by:
    a) Advocating anonymous Domain Validated certificates, which render secure account creation IMPOSSIBLE;
    b) Continuously decreasing certificate lifetime.

    🚨 Furthermore, "legitimate" MitM's * break 2️⃣.

    * Man in the Middle, like on-device virusscanners and firewalls that "open" TLS tunnels (both requiring installation of a dedicated root certificate) and proxies such as (definitely not limited to) Cloudflare and Fastly.

    😱 Passkeys enforce NEITHER 1️⃣ NOR 2️⃣.

    😱😱 Worse, because passkeys (or FIDO2 hardware keys) can be easily irretrievably "lost", servers typically provide WAY EASIER phishable authentication methods (such as "rescue codes").

    @cendyne @soatok @chazh

    #AitM #MitM #SecureOnlineAuthIsHARD #SecureAuthentication #OnlineAuthentication #Authentication #Impersonation #ChannelBinding #TLSchannelBinding #UTM #TLS #TLSinterception #TLSscanning #Proxy #Proxies #GoogleIsEvil #CloudflareIsEvil

    #aitm #mitm #secureonlineauthishard #secureauthentication #onlineauthentication #authentication