Authentication on the internet is fundamentally broken. Weak passwords, password reuse, data leaks and untrustworthy third parties tracking us while they log us in are the unfortunate reality right now. One man decided to single-handedly fix this mess.
On this episode of The Private Citizen, we take a look at a very cool idea that could solve the security and privacy issues of password-based logins on the internet. Let’s face it, it will never get adopted widely. But it is still a really cool solution that’s incredibly clever and well designed.
This podcast was recorded with a live audience on my Twitch channel. Details on the time of future recordings can usually be found on my personal website. Recordings of these streams get saved to a YouTube playlist for easy watching on demand after the fact.
Problems with Authentication on the Internet
Authentication on the internet today is a mess. People either use the same password everywhere, use really weak passwords or rely on email to recover access to sites. This creates single points of failure that, once a hacker gets in, means they have access to everything. People don’t realise that their whole digital identity is tied into a single email account and the security they have in place there.
Some people use password managers but that isn’t an optimal solution either.
Even worse, single-sign-on systems put too much power in the hands of another party. They can mess up and compromise us or they can use that power to cut off our access to accounts on other websites. What happens if you use Twitter to sign into everything and then they ban your account because you happened to disagree with the WHO on something? Or do you want to use Facebook to sign into other websites? A company that makes a living of tracking your every move and then presumes they need to educate you on what they think are your or your friend’s extremist tendencies. Maybe not the best idea.
We need an alternative.
SQRL in a Nutshell
SQRL (Secure, Quick, Reliable Login) is an open standard for authenticating with website and web services developed by Steve Gibson of the Security Now podcast.
With SQRL, a user has a master password that unlocks an ID in his or her local client. When the user wants to authenticate to a site, the client creates a Curve25519 public/private keypair based on the master ID, a hash of the site’s URL and a nonce (called “the nut”). The public key is sent to the server, which then asks the client to sign a message. Thus, the client proves its identity without the server having to store any secret data – a so-called zero-knowledge proof.
The server does not store anything secret (the private key is public and can be freely shared) and is thus not vulnerable against hacking and data leaks. This works because, unlike with factoring prime numbers, the Curve25519 keys chosen do not need to be random.
At first, only the URL is signed this way, but later, all of the information sent back and forth gets encrypted with new keys generated with every query, providing a ratcheting of keys that protects the security and integrity of the communication channel.
Users can log in on one device (say a desktop PC) by using another device (say a smartphone). This works by visiting the server URL on a device that has an active SQRL client the user has logged into. The URL can include a nonce to tell that client to authenticate the original session. This can be done, for example, by wanting to log in on a PC and scanning a QR code on a phone with an active SQRL client. Thus you just logged in on the PC without even touching the keyboard – defeating keyloggers on the PC, for example.
SQRL shifts a lot of the responsibility for secure authentication from the user (having to remember passwords) to the operating system implementation of the client (doing some more-or-less heavy crypto lifting). The user can have a lifelong SQRL ID, but there are ways to reset the ID (re-key) if something gets compromised. This is based on a printout of a rescue code that is generated when you first create an ID. Sites automatically disregard old IDs once you visit the site with a more recent one. Thus, you can take control of your identity back from a potential attacker simply by logging into the site. There is also a way to transfer an ID via a QR code or via text code blocks.
SQRL has now been around for few years and there are a number of implementations available. It uses libsodium for its crypto operations and the way Steve has implemented this seems to be solid. All SQRL does is computationally answer a challenge, so the user’s ID is not tied to a site identity of that user per se. In fact, one can have pseudonymous IDs by just adding a hashed string to the URL when keys are generated. That creates a completely different identity each time, because of how hashing functions work. There’s also a method to invite other SQRL IDs to an account belonging to your ID (managed shared access), which facilitates account sharing. This has to be specifically supported by the server, though. There’s also ways to federate authentication with one SQRL ID between sites with multiple different URLs.
To sum it up, SQRL’s key features are:
- No secrets stored on the server, nothing to leak
- Security fuckup on one site can’t influence other accounts
- No third parties involved, no site can shut off access for other sites
- Only one password to remember
- Strong crypto throughout
- Security on a protocol level, you do not have to rely on thousands of individual sites to get it right
- Nothing tying your login to personal information (name, email, etc.)
Producer nurinoas says in response to episode 82:
I was catching up during holidays. What I liked about this episode was the anti-military tone which finished with the info that military vests are very good for carrying steel plates. Exactly the humour needed to bear this situation.
Steve Bavalis writes a long email with a boots-on-the ground report of pandemic restrictions in Canada:
Hello again, Fab. It is the formerly anonymous Canadian again. Due to a career change, I no longer have to worry about being anonymous, but I still encrypt all my emails, because fuck Google, Cloudflare, the NSA, and the rest of the wankers.
I am currently busy this week working through all the episodes I have missed, dating back to the beginning of April. Wow, there is a lot of really great content in there. I need to start taking notes when I listen to them, so I can remember the shit I wanted to say.
It seems that Canada and especially the province of British Columbia are going to hell in a hand basket over here. We have a few hundred forest fires on the go, and a couple of small towns have burned to the ground. I’m not too sure where our provincial Premier is, he is doing a pretty good job of hiding, but our federal Prime Minister has taken this opportunity to call another federal election for the end of next month.
Our Prime Minister managed to take the time to come visit our province, and serve beers in a bar. He was too rushed for time to check out the issues that we have going on, but he made sure to pose for some campaign photos in the city. Here is an article with a video showing his warm reception in the province.
Our provincial health officials have not been in hiding, although many currently wish they would go into hiding. For almost the last two months, life had returned to normal. You would see the odd person wearing a mask, and some stores still had hand sanitizer available, but that was it. And then Monday happened, and they announced vax passports for the province. Starting just a week before the day of the federal election, we will be required to show at least one vaccination to be able to enter most non essential public places, and sometime in October (I forget the date) we will be required to show two vaccinations for those places.
In addition to the regular rights issues that come with the mention of vax passports, there are some additional issues that come with this particular one. It seems that our health officials have acknowledged that there are people that are medically unable to be vaccinated, however, they have declared that no exception will be made for these people. If you are medically unable to be vaccinated, you know, because you don’t want to die from the vaccination, you will not be able to get a vax passport, and you will be denied access to these places and events. And just like the rest of the world, the best part is that even though there are no exceptions, children under 12 do not require vaccination or passports. The no exemption also applies to religious reasons too, which was a protected right up until Monday. The logic…
Needless to say, there has been a lot of talk and action happening around this. Sites have popped up where people can register their business as not following the vax passport policies. One of the groups that I have watched form this week has over 72,000 members as of this moment. This site has a lot of info available, including some legal standpoints from a Canadian constitutional lawyer, and a liability form that can be given to your employer if they are pushing you to get vaccinated. I am not a lawyer, so I am not going to comment on that.
And then Tuesday happened, and late that afternoon they announced that masked would be mandatory again the next morning. So there we go, Wednesday morning, all businesses required masks for you to enter. But the problem arose that very few of the businesses had been stockpiling masks once the mask mandate was removed, so most businesses did not have masks available for customers. One would think that the government would be able to give a little bit of a heads up on this, but maybe it surprised them too? One thing is for sure, it would be fair to think that if the issue was so dire that a no notice immediate mandatory mask mandate and a vax passport had to be implemented, that maybe the border would be shut down again too. But oh, the logic hurts my head, tourists from out of province and out of country are everywhere in my small town. Wednesday evening I went out to try have dinner after working late and half the restaurants were closed due to the newly imposed mandates, and the other restaurants were full, with their parking lots full of out of province and country license plates. Hell, we even have a carnival happening this weekend.
This brings us to the current rumour spreading among the “conspiracy theorists”. What if the vax passport that is kicking in just prior to voting day blocks non passport holders from being able to vote? Currently our government says that they will not declare the polling stations a passport zone, but they also previously declared that they would not create mask mandates or vax passports. The really unfortunate part is that every time the government has stated they would not do these things, they then turned around and did them. And every time someone was labelled a conspiracy theorist for claiming that the government would do these things, they ended up being right.
One would think that blocking citizens from participating in a federal election would nullify the results of the election, but many people no longer have faith in our government to do the right thing, driven by the fact that the federal ethics commissioner keeps finding our government in ethics breaches and scandals. The federal government is really pushing mail in voting this time, and has stated that it may take two weeks after the election is finished to count all the mail in ballots. One only needs to look south of our border to see the issues and distrust in the mail in ballot system there, and when you combine that with the issues our government run postal system has with getting mail delivered, it does not inspire any faith in the system. Amazon routinely lists one month for delivery by post now, and it frequently takes that for me to get my items, that were shipped from my province. Anyways, sorry for the long feedback and keep up the good work.
If you have any thoughts on the things discussed in this or previous episodes, please feel free to contact me. In addition to the information listed there, we also have an experimental Matrix room for feedback. Try it out if you have an account on a Matrix server. Any Matrix server will do.
Toss a Coin to Your Podcaster
I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.
You can also support the show by sending money to via PayPal, if you prefer.
This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.
Thanks and Credits
I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show. This is why I am thankful to the following people, who have supported this episode through Patreon and PayPal and thus keep this show on the air:
Georges, Steve Hoos, Butterbeans, Jonathan M. Hethey, Michael Mullan-Jensen, Dave, 1i11g, Michael Small, Jackie Plage, Philip Klostermann, Vlad, Jaroslav Lichtblau, ikn, Kai Siers, Bennett Piater, Fadi Mansour, Joe Poser, Dirk Dede, tobias, m0dese7en, David Potter, Sandman616, Mika, Martin, Rhodane the Insane, Rizele, avis, MrAmish, Dave Umrysh, drivezero, RikyM, Barry Williams, Jonathan Edwards, Cam, Philip, Captain Egghead, RJ Tracey, D, Rick Bragg, Robert Forster, Superuser, noreply and astralc.
Many thanks to my Twitch subscribers: Mike_TheDane, Flash_Gordo, jonathanmh_com, Sandman616, Zenith252, centurioapertus, m0dese7en_is_unavailable, l_terrestris_jim, BaconThePork and Galteran.
I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.
The show’s theme song is Acoustic Routes by Raúl Cabezalí. It is licensed via Jamendo Music. Other music and some sound effects are licensed via Epidemic Sound. This episode’s ending song is Racing Hearts by Mattie Maguire.