crypto renaissance

Sep 21, 2013 eccentric-authentication

With ‘CryptoGate’ in full action, many people are trying to come up with a solution. Some good, many bad. Many people focus on the security aspect of cryptography. Although necessary, it is not sufficient. The thing most people take for granted is how to authenticate the other end of your communication channel. With PGP/GPG you need a web of trust to validate. WebID/FOAF tries to replicate that in HTTPS. These trust connections are public knowledge.

a subversive idea

Sep 5, 2013 eccentric-authentication usability

In the previous blog, The Holy Grail of Cryptography, we’ve shown how you can validate keys when you know the person. Once validated, that key enables the use of the secure channel. We’ve also shown how we can create a web site that lets total strangers communicate securely with each other. The web site acts as introducer, letting strangers exchange keys, and provides the transport for the messages. Separate identity from transport. Philosophically speaking, the secure channel is an abstract channel.

the holy grail of cryptography

Aug 31, 2013 eccentric-authentication

… is to create a secure channel in an insecure environment. A secure channel is one where you can communicate with someone knowing that no one else can impersonate your communication partner. Knowing whom you talk to is the most important aspect of all cryptographic protocols. Even more than keeping the message confidential, or preventing people from learning whom you communicate with. (Don’t get me wrong, these are very important.) Many great security protocols take it for granted that you already know who you want to talk to, so their designers focus on the confidentiality and anonymity aspects.

walkthrough datingsite

Jun 12, 2013 usability dating site

This blog gives a simple walk through “The world’s most secure dating site”. It’s full of technobabble about how the security system operates. Feel free to ignore that at first reading. We assume that you’ve installed the ecca-proxy as described. If not, you’ll see some “Don’t panic” messages. We describe those later. Home page. This is the URL for the dating site: http://dating.wtmnd.nl/ If you enter this into your browser you’ll see this page.

run it yourself

Jun 7, 2013 eccentric-authentication dating site blog site

Safe, secure and as anonymous as you want. It was already possible to test drive the Eccentric Authentication Proxy, but it required you to compile software. Now we’ve flattened that hurdle (a bit). As of today we can offer the first download of our client software for Debian GNU/Linux. It might even work on other Linux distributions. The software is a local proxy service. It sits on your computer, receiving requests from your browser.

an end run around zookos triangle

Jun 2, 2013 eccentric-authentication

Zooko’s Triangle describes three properties of naming systems. Zooko states that you can choose any combination of two properties but you lose the third. Zooko may be entirely right that a single system cannot overcome this limitation. However, using Eccentric Authentication in combination with other cryptographic systems we can do an end run around it. This way we overcome the limitations of a single system and reach our ultimate goal of: 1: Secure, 2: Decentralized and 3: Human-meaningful names on the internet.

we need better computers

Jun 1, 2013 usability

On the mailing list (liberationtech@lists.stanford.edu) Seth David Schoen wrote: Arvind Narayanan has just pushed a two-part paper in IEEE Security & Privacy about exactly this point: http://randomwalker.info/publications/crypto-dream-part1.pdf http://randomwalker.info/publications/crypto-dream-part2.pdf Narayanan argues that “a mis-alignment of incentives frequently occurs” to discourage the use of cryptography to protect privacy (particularly in the strongest end-to-end sense) and that there is minimal demand for protecting data against intermediaries and service providers. (I find this paper extremely depressing, but it does describe actual events.

Cryptographic same origin policy

Mar 23, 2013 eccentric-authentication

Using DNSSEC/DANE to protect your Javascript application against the threat of CSRF and CSS. Old-fashioned Same Origin Policy. Currently, browsers use the protocol, domain name and port number to tell origins apart. It is used to tell browsers that some disjoint group of servers belongs to the same trust domain. In simple language: it tells the browser which servers belong to my web site; all other servers are ‘someone else’.

why we still use passwords

Nov 21, 2012 usability

Most articles about security and passwords make the trade-off between security and convenience. The authors state that you can have it secure or convenient but not both. There is actually another trade-off to make: the trade-off between security and privacy. The world of cryptography knows of server certificates and client certificates. Server certificates allow users to verify that they are connected to the right servers and not to a man-in-the-middle attacker.

asimovs laws for security

Nov 9, 2012 usability

For any computer security to work effectively, you need to be able to trust your computer to put your interests above those of anyone else. If your cleaning lady can access any data on it while you are absent, it fails basic security. If you browse the web and it falls victim to a drive-by download and installs spyware, you’re hosed as well. If your computer detects that you do something that would jeopardize the security and privacy of your data on it, your computer should prevent you from doing it.