1. 2

    This is an interesting idea because you eliminate the possibility of indirect password compromises through password re-use. Unfortunately you replace it with a new point of failure in the form of your “secure channel”, but that point of failure is on the user end rather than the server, so it’s harder to compromise multiple users at once with a server-side data leak.

    I still think 2FA is more secure in general, but I can see the argument that this is a more secure single-factor than a password.

    I don’t like the active request-token workflow like a password reset, though. Something time based like [TOTP] (http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) seems like a better idea.

    1. 2

      Two-factor auth is definitely more secure. Or at least it can’t possibly be less secure unless you really mess it up by e.g. sharing the password from the first factor using the second factor. But in general two factors will always be more secure than one.

      The idea is that if you are only implementing a single factor, it should be the “something you have” factor (i.e. a code sent to you over a secure channel or a TOTP as you suggest) and not the “something you know” factor.

    1. 2

      If you do this, consider that I don’t read my email on every device I browse the web with. In particular, it means I will never use your service from a friend’s computer.

      1. 2

        Yes, but perhaps we shouldn’t be allowing that behavior for a truly secure account anyway.

        1. 1

          You don’t have to read your email on your friend’s computer. If you have a smartphone, you can receive the one-time password in your smartphone email application, and then enter it into your friend’s computer. Of course, for this to work, the one-time password should be relatively short and easy to type (use base32).

        1. 2

          Can’t you return 408 here with an error message explaining you should delete your cookies? I agree it’s not ideal, but it at least warns the user.

          1. 1

            This is a good point, but shouldn’t you return 413 Request Entity Too Large? Or is that strictly reserved for requests where the body is too large?

            Seems like you could stretch it to mean the request in general is too large, including headers and the body.

            1. 1

              Assuming it’s for the HTML itself. If you can poison just the cdn domain hosting js/CSS, you can break the site in no obvious ways. Browser support for incomplete pages is pretty bad.

            1. 3

              @amb and I were just talking about what a privacy-focused phone would look like. Sadly, as with most Silent Circle products, this page and announcement are very light on details.

              One of the difficulties in creating a phone resistant to tracking is the cellular network itself. Law enforcement has many tools to track identity and local of users on a cellular network, none of which are affected by a phone’s operating system. I’m not sure how (or if) blackphone can subvert these systems.

              1. 2

                The cellular network is in no way designed for privacy. Another huge threat is the baseband processor; these often have DMA access; if an attacker has an exploit for this, your entire phone is accessible to them.

                1. 1

                  I think one way to avoid being tracked by the network would be to only use pre-paid SIM cards. Your location would still be tracked by the network, but if you pay for the SIM card in cash it would be more difficult to associate your network ID to you.

                  Of course, if you were truly paranoid about this, you would use a burner phone and not a smart phone.

                  1. 1

                    Your IMEI would still be the same when using different SIM cards, and I’m not sure if cell providers would take kindly to a device generating a new, fake IMEI every time it connects (ala ifconfig em0 lladdr random).

                  2. 1

                    The only way to protect yourself if you are worried about that level of privacy is to accept the fact that you can’t use a cellular voice or data network. Make all your calls over WIFI using anonymous hotspots and using all the privacy protection tools the internet has to offer.

                  1. 4

                    I am shipping the first version of Bolt that includes free calling to our alpha users tomorrow. Then I assume I’ll be fixing all the bugs they discover for the rest of the week.

                    Very very excited to get feedback on it so if you have an Android phone and are interested in trying out a new free calling app let me know and I’ll add you to the list.

                    1. 6

                      I am trying to reclaim the domain name (ctcten.org) of the foundation my family started in honor of my fiancee’s brother after he died in 2007. It expired due to out-of-date contact info, despite the fact that the foundation relies on that domain for email and web donations, and then was sold to someone in Japan in a private “auction” in which I was not allowed to participate. Name.com is the registrar but they aren’t being particularly helpful.

                      It’s not going well so far, since the foundation is small and doesn’t have formal trademarks. If anybody knows a trademark lawyer who has handled domain disputes before and doesn’t mind some pro bono work, I’d appreciate you getting in touch very very much.

                      For background, the foundation built a soccer field for elementary school kids in Khayelitsha Township outside of Capetown South Africa and sends an couple of interns over to run programs and leagues at the field every year. You can read more info on the temporary site we set up at http://ctcten.com.

                      1. 2

                        This guy is supposed to be very good: http://johnberryhill.com/

                      1. 5

                        This is a bit of an unfocused rant, but there are some good points. I mostly agree with the complaint about using javascript to unnecessarily break common user interactions. Don’t do that.

                        I have had JavaScript turned off by default (but with white-listed domains) for the last 3 years in order to make my setup more strange for anyone attempting script injection or cookie stealing.

                        Also I think it’s strange to click around the internet running arbitrary (albeit sandboxed) code on my machine. I don’t browse the Android or iOS app stores installing every app willy-nilly to see which ones are good either. I read reviews and check which permissions are required and then install once I’ve convinced myself of the app maker’s trustworthiness. This is essentially the same as putting a trusted domain in the JavaScript whitelist is it not?

                        1. 4

                          I’m really impressed with this, but then again I don’t do much reverse engineering.

                          Seems like the vulnerability in Snapchat could be mostly mitigated by preventing the MITM with the use of some kind of certificate pin within the Snapchat client.

                          I’m curious whether it’s common practice to pin the actual cert or to just pin the known CA cert to verify against? I think it’s enough to pin the CA cert for most applications, since you are already implicitly trusting your CA not to grant a cert representing your entity to another party. Using a self-signed certificate and pinning it would also be a solution I think.

                          But if you are a mobile developer using HTTPS for network communication I’d be interested in what you have implemented.

                          1. 3

                            You’re correct about the two possible solutions. Moxie wrote a great article explaining how to do this for Android applications.

                            The choice of using a self-signed certificate or trusting a single CA certificate depends on the traffic profile of your application. If your application only talks to servers that you control, it’s in your best interest to take the time and generate self-signed certificates. If your application needs to talk to servers outside of your control (such as a browser or IM client), trusting a single CA certificate is the way to go.

                            1. 1

                              If the server is out of your control even pinning the CA cert is a little risky. The owner could install a new cert signed by a new CA at any time. I would recommend against this unless you have some assurance from the service provider that the CA won’t change.

                              1. 1

                                I believe you could work around this by trusting a wide set of known, good CAs. Basically whitelist all the legit CAs - So if the owner changes from Verisign, to Digicert, for instance, you won’t have to change anything. But it does prevent someone malicious from trying to install an self-signed CA.

                          1. 5

                            I’m really excited to see what domain I get. I’m making a pledge to build a website with the domain I get. Anyone else want to join me?

                            1. 4

                              I hope you get mine so that I can see you fulfill this pledge.

                              I can commit to at least putting a landing page up with the domain I get.

                            1. 2

                              We want to call internationally without paying a small fortune. We want to block unwanted calls. We don’t want a new number every time we switch carriers.

                              I had to double check the date on this post. Many countries in the world have had local number portability for years. In the US, since the late 90s. Also: SMS, VoIP, Skype, FaceTime, iMessage, etc.

                              1. 1

                                Yeah, it’s unclear what “bolt” plans to sell.

                                1. 2

                                  We plan to sell you a phone number and a replacement for your carrier voice and messaging plan that runs over the IP network, either WiFi or a carrier data plan.

                                  1. 1

                                    Like republicwireless.com but with my Phone?

                                    1. 1

                                      Precisely.

                                2. 1

                                  Yes, it’s true that number portability is a thing, and even legally required in the US. But there is still significant friction.

                                  I happen to be the founder of Bolt, so take this anecdote with as many grains of salt as you want. But last weekend I spent 45 minutes in an AT&T store with my mom trying to port her number from Verizon. We had all of the requisite info, and the rep who was helping us must have entered it all into his porting iPad app 5 or 6 times with slight variations each time.

                                  We then got on the phone with Verizon, still sitting with the patient AT&T rep, to confirm all the info. All info was correct. Back to the app to try a couple more variations. Finally had another rep come over who thought to back all the way up to the beginning and figured out that we were attempting the port in the wrong market. My mom has a DC number but we were in a store in Philadelphia.

                                  Even after discovering that, the iPad app refused to let us switch the market to DC. So we moved over to a desktop PC and after 10 more minutes of fiddling with that the port finally went through.

                                  After it was all said and done my mom and I were exhausted and she told me she never would have had the patience to persevere without me there.

                                  I don’t think this is uncommon. Number portability is a half-solution to the problem that carriers are generally terrible and try to lock you in. Phone number lock-in was the most obvious way, but there are many others.

                                  And even when you can port, there are often restrictions. For instance, I think it used to be true that on certain carriers you couldn’t port into a pre-paid plan, only contract-based post-paid plans.

                                1. 1

                                  I love the confession about marketing. I too would rather think about how to increase my product’s conversion rate than how to make use of some newfangled technology to squeeze an extra 1% performance improvement out of a search algorithm. Unless of course I have data showing that each 1% improvement in search performance leads to a 10% increase in conversions.

                                  1. 3

                                    I used to think that Ruby on Rails was a great tool for building your first web application. In 2008 it was what I used to get my first app off the ground. But either it has changed too much or I have changed to the point where I no longer believe Rails is the best educational tool.

                                    Rails' magic can be useful, and it’s certainly “cute” in a lot of ways. But when you tell beginners that naming things a certain way or putting a file in a particular location will make their app “just work” without explaining what’s going on you do them a disservice. A perhaps unintended consequence of “convention over configuration” is that all programs start to look like configuration when you stick with all the conventions.

                                    1. 3

                                      RailsGirls has been demonstrating the opposite, lately. While it’s true that you have to skim over some things to get started, the power of having SOMETHING up at the end of the day is super-motivating. Rails + Heroku lets you do that.

                                      1. 2

                                        There’s nothing particularly special about Rails in that regard though. Sinatra and Heroku would let you do that. PHP and Heroku would let you do that. Python and AppEngine would let you do that. And you’d probably know a little bit more about HTTP afterwards too.

                                        1. 3

                                          No, Sinatra forces you to do too much low-level work; it’s why Ruby is better than C, for example, even though you don’t know quite as much about how CPUs work, you get something going, which is better motivation for most beginners.

                                          This is something I had to un-learn, as I tend to be a bottom-up kinda learner. Most people are top-down.

                                          1. 2

                                            We’ll have to agree to disagree. I guess the only way I can really prove that my belief is accurate is to develop a web application training course built on Sinatra that is just as easy and fun as getting started with Rails. That actually sounds like a pretty fun project.

                                            I will say this though. I think even though you know that Sinatra requires “low-level” work, to a beginner it’s all low level work. If you tell someone to put a line in a routes file, put a controller in the controllers dir, and then put a template in the views directory, to a beginner that’s no more or less “low-level” than telling him or her to put a template in the public dir, and then write “get ‘/’ { erb :index }” in their Sinatra app file.

                                            1. 3

                                              That’s fine. I do Ruby and Rails training professionally, as well as volunteer, and discuss these things with many people that do. Empirically, according to our collective experiences, you are wrong. But I don’t have any studies for you, so we’ll just have to leave it as competing anecdata.

                                              1. 1

                                                Is that because Sinatra doesn’t have generators? Otherwise the beginner webapp you’d build (build reddit in a day!) would not differ much between the two frameworks. That lack of robustness, by intuition, should be more appropriate for a beginner setting (if you’re teaching process and not specifically trying to teach rails) to introduce the concepts. That said, I’d say you probably do want to add something to Sinatra to make it appropriate for beginners, but you’d not have to add much, and if one agrees with that point then what would that addition be?

                                                1. 3

                                                  Yes, generators help quite a bit. Not only do they accelerate the pace of getting something going, the code they spit out is inherently correct; which means a lot less syntax error style stuff at first. Especially given the fact that you’re generating Ruby, JS, CSS, and HTML.

                                                  I haven’t fully given it a ton of thought, I just know I’ve seen much greater success with rails-based courses, and it seems to be predicated on the speed that you see some sort of useful result.

                                      2. 3

                                        @amb, I still think Rails is a good educational tool (in my limited experience). The value of getting something built provides that first “programming high” and drives you to want to keep chasing that high by learning and building more.

                                        Having said that, I’ve experienced that the out-of-the-box functionality of Rails is a blessing and curse. I discussed it in a Ruby Rogues Ruby Nuby video. It makes Rails very powerful and also confusing when you need to understand the nitty gritty functionality.

                                        1. 2

                                          I’m not saying Rails isn’t a good educational tool. It is certainly working for a lot of people. But to determine whether it is good or not we need to decide what the goal of this education is.

                                          I am suggesting it is not the best tool to teach “programming.” It is a pretty good tool for teaching “web application development,” although I have disagreements with the way most curricula are built using it. So much of what you do when setting up a Rails app, at least the way “beginners” are told to, is stuff like “change the value in this YAML file” and “run this generator.” That’s not programming.

                                          I’ve volunteered as an instructor at a few RailsBridge (http://workshops.railsbridge.org/) events and I really dislike how little people are actually understanding about what’s going on, because damn isn’t it just so easy to put some pretty pictures on the screen, i.e. “get up and running.” In order to get through the material, I have to wave my hands way too much for my comfort.

                                          Anyway I don’t have anything better to recommend at the moment, but I am now seriously considering putting together some material based on Sinatra.

                                          1. 1

                                            Unless we’re talking about traditional educational systems, where students are required (forced) to learn fundamentals, I don’t think others in my situation would have the stamina/desire/interest if they didn’t get to build and interact with programming immediately.

                                            To use an analogy, I could learn everything about wind patterns, kite design, and forces before ever going to fly a kite, But, would I have the drive to do so if I’ve never even felt what it feels like to fly one? I think we need that tangible feedback to drive further exploration and learning, when it comes to programming.

                                            1. 2

                                              No one is arguing that letting people see the results of what they’re building quickly is bad. However, in most sciences, the fundamentals are extremely important. @amb isn’t advocating constructing the natural numbers from the Peano axioms. He is advocating teaching how to add before how to multiply.

                                      1. 1

                                        I have three Chromebooks, but this is the first one I’ve actually recommended to anyone in my family. It’s not so much about the hardware. More just that it’s now actually becoming reasonable to have a computer that’s only a web browser.

                                        1. 1

                                          I suppose this is an interesting piece of work, but I doubt many people are using node.js to terminate ssl/tls. If you have any static content to serve you will have nginx sitting in front of your node application server and it will terminate ssl for you.

                                          1. 1

                                            I think if we’ll made node.js as fast at SSL termination as nginx is, there’ll be no point in using external terminator in front of node.

                                            1. 2

                                              There is still a point if nginx is faster at serving static content. At the moment I don’t think anyone is making the claim that node is faster there.

                                              But if you are running a service without static content then yes, you would be able to just use node.js directly without nginx in the middle.

                                              Unless you have a load balancer that terminates ssl, in which case you don’t care at all about the ssl performance of your application server.

                                              1. 2

                                                you’re right, but on other hand many people are using CDNs for static content and dedicated server for all dynamic stuff. So having fast dynamic server that works good w/o termination is fine too.

                                          1. 3

                                            This is something we’ve considered at Twilio and might yet still implement. As you suggest the OPTIONS method could have a lot of potential as a foundation of self-documenting HTTP APIs. The other way (and arguably the right way) is to use a real hypermedia type that is capable of self-description for your resource representations. Something like atom or even just html is much more expressive than json.