authentication - Dave's Blog


DSL modem hack used to infect millions with banking fraud malware | Ars Technica

2012 Oct 1, 6:33

According to the links within this article, although the root URI of the router requires authentication, the /password.cgi URI doesn't, and the HTML it returns contains (but does not display) the plaintext password, along with an HTML form for changing the password that is exploitable via CSRF.

The attack… infected more than 4.5 million DSL modems… The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to booby-trapped imposter sites.

Tags: technical security html router web dns csrf

Stripe CTF - Level 7

2012 Sep 13, 5:00

Tags: hash internet length-extension security sha1 stripe-ctf technical web

"Additional HTTP Status Codes" - Mark Nottingham, Roy Fielding

2011 Nov 14, 7:51

Includes '511 Network Authentication Required' for airport/hotel/coffee shop scenarios! Am I too excited about this?

Tags: technical ietf http http-status-codes

Yahoo! Accepts OpenID Authentication with Google

2010 Oct 28, 6:32

Tags: OpenID Second Level Features YDN Theme Categories technical

draft-nottingham-http-portal - The Network Authentication Required HTTP Status Code

2010 Oct 4, 2:05

Proposed 428 HTTP error code for hijacking proxies to indicate to the client that the user needs to log in to the network, etc. Glad to see this one's finally happening.

Tags: http http-status captive-portal hijack proxy authentication technical rfc reference

Aza’s Thoughts » Identity in the Browser (Firefox)

2009 Nov 30, 6:31

"At Mozilla Labs, we've been working on some potential integrations of identity directly into the browser. Note, this is an extremely rough draft." Looks pretty!

Tags: firefox browser identity web mozilla security authentication openid

Official Google Blog: Cutting back on your long list of passwords

2009 Nov 23, 11:28

"Thanks to the utilization of new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over 90%...In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable citizens to sign in more easily to government-operated websites."

Tags: identity openid google security authentication facebook password via:connolly technical

InfoQ: HTTP Status Report

2009 Apr 29, 12:34

"In this presentation, recorded at QCon San Francisco 2008, HTTPbis WG chair Mark Nottingham gives an update on the current status of the HTTP protocol in the wild, and the ongoing work to clarify the HTTP specification."

Tags: http httpbis protocol ietf reference video authentication cookie uri url tcp sctp mark-nottingham via:ericlaw

Gravatar - Globally Recognized Avatars

2009 Apr 20, 3:37

Web service that hosts avatar images for things like blog comments. The image is identified by a hash of the user's email address. It is auto-generated, or, if the user signs up, the image can be whatever they upload. Lots of plugins for different blogging platforms.

Tags: blog web photo avatar image authentication identity icon hash

It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct

2009 Jan 22, 9:48

"Revocation presents another challenge. If a system relies only on a biometric for both identity and authentication, how do you revoke that factor? Forgotten passwords can be changed; lost smartcards can be revoked and replaced. How do you revoke a finger?"

Tags: article microsoft security identity authentication biometrics

IMAGINATION -- image-based authentication: Step 1

2008 Apr 24, 9:41

This is a CAPTCHA in which you must identify the center of subimages in a collage and then choose the correct caption for a second photo. It took me seven tries to click close enough to the center of a subimage. I'm human, I swear! Lame implementation.

Tags: captcha image security

Welcome to OpenID Enabled!

2008 Apr 7, 2:55

"The PHP OpenID library lets you enable OpenID authentication on sites built using PHP."

Tags: php openid development opensource identity authentication api software server library

FOAF and OpenID: two great tastes that taste great together | Decentralized Information Group (DIG) Breadcrumbs

2007 Nov 28, 4:43

How to use FOAF and OpenID together, and how DIG used that as a basis for commenting on their blog.

Tags: foaf openid authentication identity rdf semanticweb trust web spam

Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes

2007 Sep 11, 12:01

Tags: hack hackers crypto cryptography security blog article hash password authentication via:swannman

Using public keys for SSH authentication

2007 Mar 19, 3:13

Documentation on setting up SSH to use keys.

Tags: security ssh howto key publickey putty

The Undevelopment Blog - Collective Identities Anybody?

2007 Mar 13, 3:54

A blog article on creating group OpenIDs.

Tags: openid authentication group privacy blog article

Free, anonymous, temporary, disposable OpenID by Jayant Gandhi

2007 Mar 13, 3:53

A service that provides anonymous OpenIDs with no authentication.

Tags: anonymous authentication openid identity privacy

Implementor's Draft: OpenID Authentication 2.0 - Draft 11

2007 Mar 13, 3:53

The OpenID Specification

Tags: openid authentication specification security

OpenID: an actually distributed identity system

2007 Mar 13, 2:08

OpenID is an open identification system for the Internet in which anyone can participate.

Tags: authentication identity openid security specification privacy

OpenID Stolen Thoughts

2007 Mar 13, 7:57

I had a few thoughts after reading about OpenID. However, after doing only a very small amount of digging I can see these aren't new thoughts.
Anonymous OpenID
Have an OpenID that anyone can use because it performs no authorization. You'd specify a URI like http://deletethis.net/anonymousopenid/yournamehere and you'd immediately get an anonymous OpenID associated with that URI. This has already been implemented by Jayant Gandhi.
Group OpenID
Have an OpenID that consists of a group of member OpenIDs. To login as the Group OpenID you need to login with any of the member OpenIDs. This is discussed more by Dmitry Shechtman on his blog.
OpenID Normalization
I find that I already have a couple of OpenIDs without even trying due to AOL giving out OpenIDs. I'd like for all of my OpenIDs to point to one canonical OpenID. It looks like this may already be possible by the OpenID specification.
I guess I'm a little late to the scene.

Tags: technical stolen-thoughts openid