[liberationtech] Demos of eccentric-authentication
Guido Witmond
guido at witmond.nl
Wed Aug 14 01:33:26 PDT 2013
Hi Francisco,
On 08/13/13 22:37, Francisco Ruiz wrote:
> Hi Guido,
>
> This looks very interesting, but I have trouble understanding it. Can
> you give me a sample URL where this is being shown in action?
Thank you for your interest.
The protocol is still in the proof-of-concept phase.
I've a few demo sites:
1. The first shows that with a simple web proxy (on the client's
computer) users can create client certificates more easily than creating
password accounts.
It's the 'Favorite Number Site' at https://www.ecca.wtmnd.nl/ (I use
numbers instead of text to avoid blog-spam, otherwise, it would be a
prototype blog site).
If you go to that site, you'll get scary certificate warnings as the
certificates are signed by my own CA. The CA is specified in DNSSEC, to
validate it. The proxy takes care of all the crypto, including validating
the server certificate against DNSSEC.
To use the proxy, download the ecca-proxy binary (and run it in a Debian
64 bit VM).
Run it. And configure your browser to proxy http (not https) to
localhost:8000. Then browse to the site with http://www.ecca.wtmnd.nl
(not https). It's the proxy that does all the crypto-stuff.
When you're done, close the proxy and run:
$ sqlite3 eccadb.db
SELECT * FROM accounts;
# there are your X509 certificate and private key.
2. The second demo uses the same proxy. Start it up again and point your
browser to http://dating.wtmnd.nl:10443/
It's a showcase of both anonymous login and secure messaging between
two total strangers.
If you click 'The Aliens' and then choose 'guido@@dating.wtmnd.nl' you
can write a message to me. Your instance of the proxy fetches my
certificate and public key and encrypts the message. Not even the site
operator can read the message.
Check out the "Walkthrough of the Datingsite" [0] blog entry on my site
to get an idea.
To run the proxy: click the "run it yourself" [1] blog. Or use the
source on Github.
I don't have any demos on the Cryptographic Same Origin Policy yet, as
that requires some changes to browsers. With some funding (or
volunteers) I could create a Firefox Fork to demonstrate that.
Guido.
[0]: http://eccentric-authentication.org/blog/2013/06/12/walkthrough-datingsite.html
[1]: http://eccentric-authentication.org/blog/2013/06/07/run-it-yourself.html
> On Mon, Aug 12, 2013 at 4:34 PM, Guido Witmond <guido at witmond.nl> wrote:
>
> Dear professor Ruiz.
>
>
> The real issue is to create an *easy* way to do hash validation
> correctly. Reading a hash on youtube is not going to make it.
>
> You use HTTPS without DNSSEC and DANE. Please use those first. It
> solves a lot of your server validation issues. At least it allows
> your users' browsers to validate code44.com.
>
> I repeat: Hashes are for computers, not for people.
>
>
>
> Plugging my own warez: I believe I've come up with a way to do DNSSEC
> and DANE in combination with a certificate repository. It allows the
> browser to validate the authenticity of a server certificate.
>
> When validated it can be sure that the javascript found at a page is
> indeed what the page author wanted. Please see:
> http://eccentric-authentication.org/blog/2013/03/23/Cryptographic-same-origin-policy.html
>
> And please ask if anything is unclear. I love to receive comments on
> where I'm right or wrong.
>
> Regards, Guido.
>
> -- Francisco Ruiz Associate Professor
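
Added example, not part of the original message and not the ecca-proxy's code: a sketch of the check behind "validating the server certificate against DNSSEC" and the DANE advice quoted above, matching a certificate against the selector, matching type and association data of a TLSA record as defined in RFC 6698. It assumes the record was already fetched and DNSSEC-validated, and that the caller picks which certificate (server or CA) to compare; all function names and the certificate-shaped sample bytes are constructed for illustration.

```python
import hashlib

def der_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                       # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if first == 0x80 or pos + length > len(buf):
        raise ValueError("indefinite or truncated DER length")
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo (TLSA selector 1) of an X.509 certificate."""
    _, start, _ = der_tlv(cert_der, 0)             # Certificate SEQUENCE
    _, pos, tbs_end = der_tlv(cert_der, start)     # tbsCertificate SEQUENCE
    tag, _, nxt = der_tlv(cert_der, pos)
    if tag == 0xA0:                                # optional [0] version field
        pos = nxt
    for _ in range(5):                             # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    tag, _, end = der_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:end]

# TLSA matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
MATCHERS = {0: bytes, 1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}

def tlsa_matches(cert_der, selector, mtype, assoc):
    """True if cert_der matches the TLSA fields; unknown field values fail closed."""
    if selector not in (0, 1) or mtype not in MATCHERS:
        return False
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return MATCHERS[mtype](data) == assoc

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

# Constructed sample: certificate-shaped DER with dummy fields, not a real certificate.
SAMPLE_SPKI = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + b"K" * 270))
FIELDS = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4
SAMPLE_CERT = der(0x30, der(0x30, FIELDS + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00sig"))
```

A record with selector 1 keeps matching when the certificate is reissued with the same key, while selector 0 pins the exact certificate bytes.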