Hacker News new | ask | show | jobs
by josteink 1348 days ago
> I am talking about the artificial problem these walled gardens are creating by having every single domain getting its own randomly generated private key.

That’s part of the design though. That’s what completely eliminates the ability to do phishing-attacks.

If there were a common root to leak, that would just provide a new target for phishing attacks, and effectively risk reducing a persons entire online security down to 1 shared root-key.

While obviously better than having just 1 common shared password, why reintroduce this risk when you don’t have to?
1 comments
wnevets 1348 days ago
> That’s part of the design though. That’s what completely eliminates the ability to do phishing-attacks.

If the actual domain name is used to generate the key that would also completely eliminates the ability to do phishing-attacks. Paypal.com and PaypaI.com would generate two completely different keys.

link
stavros 1348 days ago
That's how hardware FIDO2 keys work now. There's no walled garden. You can remember a passphrase that generates a key that is used to derive every website's key in turn.

No cloud, no synching, nothing. You're fucked if your passphrase is stolen, but that's the tradeoff.

link
josteink 1348 days ago
It would mean that somewhere there is a common root, which if extracted, can derive all keys for all sites.

Why introduce such a risk when there’s no reason to do that?

link
wnevets 1348 days ago
If I can get access to your device to exfiltrate the private key that generates the domain specific keys, why wouldn't I also have access to the the randomly generated site keys? Your device needs access to the keys to use them.

In both cases your device has a private key that it needs to secure. In my scenario we remove the third party cloud service.

link
dwaite 1348 days ago
I can register an authenticator multiple times, for instance to represent multiple different accounts of my own, or represent multiple people on a shared device.

If I delete a credential, the expectation is that registering a new credential is not going to correlate the authenticator (and thus the user).

If I want to have hygiene steps of rotating the cryptographic key a user uses to log in, I won't want registration to create the same key pair each registration.

And for the cloud sync:

The UX can present that web authentication is an option to log in. The user will be confused if that option is presented for sites which will not recognize the authenticator.

The site can store data alongside a credential to be returned to optimize the log in process, such as a site-specified identifier to look up the user credential in a database. That state needs to be synchronized.

link
xg15 1348 days ago
Because then as a user you'd still have the ability to backup that key yourself and aren't at the mercy of $cloud_service_of_your_choice.
link