Last update on .

Just as I was checking out the <a href="http://www.fsdaily.com/">FSDaily</a> feeds for the past two days, I've ran into disturbing news about <a href="https://savannah.gnu.org/">Savannah</a> project being <a href="http://www.fsdaily.com/Community/Savannah_and_www_gnu_org_downtime">compromised</a>. For matters to be worse, what got compromised was the entire user credentials database, which means that whoever had managed to get a hold of it could have caused some serious damage to the repositories hosted there. Luckily enough, the attack was discovered, although not as quickly as one might hope.

Luckily, I'm paranoid enough to have different passwords on almost every service, so the compromise didn't affect me much. I've reset the password used for Savannah, including some of the other services which shared the same password, this time setting aside a completely separate password for it (it's not like I use Savannah on a daily routine anyway).

But, unfortunately, many people do not use a separate set of passwords on every single web service out there. While the Free Software hackers usually at least try to have a multitude of different passwords at their disposal, sometimes it's just too cumbersome to have different password for each website. Sometimes people tend to group password usage based on site's trustworthiness in order to reduce the amount of different passwords they need to remember. While this method tends to work ok, it can also cause lots of inconveniences when such trusted sites get compromised.

This got me thinking on how the entire authentication process could be improved, and it became very quickly quite clear to me that probably the most secure method would be the use of good ol' PKI, in combination with X.509 certificates. While this might not solve all of the security issues out there (like SQL injections against some other data), it'd certainly improve the authentication security by several levels. PKI-based authentication is very hard to crack, and potential compromise of a web service would not render the private key associated with the public key unusable. The worst thing that could happen, as always, would be free access to the information protected by the authentication mechanism itself (which probably isn't going to go away anytime soon). Of course, deploying encryption through the use of the very same mechanism would solve that problem as well, but in some cases the systems would be either too cumbersome to maintain, or virtually useless (the cost of balance between usability and security, unfortunately).

It still remains to be seen if people deploying web services will start trying to educate their users and deploying secure mechanisms based around the PKI in the future. Unfortunately, as it is right now, the pace is rather slow.

Pingbacks

Pingbacks are closed.

Comments

  1. on #

    Fully agree, passwords should be definitely be replaced wherever possible with client certificates (based onto x.509 standard) as stand-alone solution or combined with a SSO (Single sign-on) solution, as e.g. OpenID (e.g. http://www.certifi.ca).

    Reansons or benefits are two folded: technical security and user comfort. A friend of us hold in 2009 a presentation about that. "Not another damn password! It's the 21st Century after all", see http://2009.osdc.com.au/daniel-black ("Full paper" is .doc format :-( )

    Client certificates will be more and more important for sys admins and users (Web surfers). For sys admins, because server certs will be used for https (more or less secure transmission) only. For identification only of average Web sites, DNSSEC will replace a large part. Thus, user identification by his/her personal certificate will come more into focus.

    Said that, real free WoT Community PKI is needed, as not everybody has the money to pay for a certificate, but would be willing to learn about and to use it. Some toughts in this direction are under way.

Comments are closed.