Ask HN: Why aren't we using SSH passphrase keys for website logins?
$ hostname.org.com
And I'm in. I'm in without specifying credentials every .. single .. time .. because I use SSH passphrase keys, with a passphrase.
I can do that because I took the trouble to setup my ssh key and copy it to my server's $HOME/.ssh directory, performed a little magic on it.
...
I had this thought the other day, when I was logging into gmail and work-help-desk and work's erp platform and the EDI tool .. all of it web based and all of it requiring me to specify userid/password ... why don't we do SSH passphrase keys for websites?
That is, a user would ..
- create a key - push it to the web server - when you login, web server looks for that key and ... you're in.
This - to me - would seem to be a lot easier than what we do now.
Inside a company we require a lot of userid/password keystrokes, one per application. Even with SSO (via LDAP or whatever) we still require these keystrokes.
In the wild internet to either remember userid/passwords, or store them in your browser, or use an add-on for that purpose. We're still using userid/password and that sucks, when you could simply point the login at your key and bang out a passphrase.
But we don't do this. The reason is probably simple, but I'm just not seeing why.
21 comments
[ 2.1 ms ] story [ 56.5 ms ] threadKeeping the private key on a third party host would negate the whole point of _having_ a private key. I suppose one could dodge this by encrypting the encryption, or have it stored 3rd party and then download it where you need ...
But that's two sides of the same coin. And making it way more complicated than userid/password.
Which right there is enough to make the entire deal unworkable. Dang.
Thanks.
An issue with those is that's just one more thing to keep track of. And, hardware costs money, and that's just one more thing to keep any solution from being adopted.
This isn't an answer, but: password managers like LastPass can do this for the web. I let it generate secure passwords like "e^9u21$Fb%mJv"--in fact I don't know most of my passwords, it logs me in automatically, I just authenticate once with a passphrase. Highly recommended (integration with most browsers, other security features, see the website); definitely worth a look for the interface considerations alone.
The answer: it's probably too hard to get there from here now. Too many changes to UI's, re-education of users, and really they don't care if you have to type in a password every time or click an extra page.
Look at the popularity of decentralized private/public key trading with (e.g.) PGP. NOT. Sure, the paranoid elite have learned how to use the keyservers and mixmaster remailers, but there needs to be a killer UI that's simple enough (or maybe just smarter than the user) before people.. will... post to facebooks with it?
Client SSL certificates were supposed to be a thing once back in the 90's--everyone would have one, it would identify you to your bank uniquely, and everyone would be secure. I'm pretty sure the protocol still allows for it, but I think I only saw one website use/require it, and not sure it was this century.
Haw. At a previous employer, in 2001, we started a project to deploy PGP to everyone. The idea was we could encrypt our work, email, send files to customers ... the boss was _keen_ on the idea. Our customers liked the idea, some of them.
We were acquired and our new owners were lukewarm to hostile about the idea and it was dropped.
> but there needs to be a killer UI that's simple enough (or maybe just smarter than the user) before people.. will... post to facebooks with it?
I think that's the key, right there. Make it simple, easier to use than userid/password.
http://pilif.github.com/2008/05/why-is-nobody-using-ssl-clie...
I don't think it needs to be this way. A lot of tasks that we ask users to perform are out of their knowledge scope. We gussy them up with dialog boxes like
'It looks like you've lost your network connection, would you like me to repair that'
And then Windows goes out and does an down/up on the network card, reapplies for an IP and I don't know what all.
To the user, the computer pauses for a minute, the computer notifies 'You're up, back to pr)n surfing' and away they go.
> The HTML keygen element exists to facilitate generation of key material, and submission of the public key as part of an HTML form. This mechanism is designed for use with Web-based certificate management systems. It is expected that the keygen element will be used in an HTML form along with other information needed to construct a certificate request, and that the result of the process will be a signed certificate.
If that's not what you meant please clarify
I didn't mean cookies.
I meant the process of -getting- a cookie. I supply userid/password to the website, get a cookie.
Granted, once I have the cookie I'm good.
But ... what I feel I _should_ be able to do is supply a key to the web server, same as I supply a key to my unix hosts to login.