SoylentNews is people

posted by Fnord666 on Monday September 10 2018, @11:10AM
from the knock-knock?-who's-there? dept.

Worries arise about security of new WebAuthn protocol:

A team of security researchers has raised the alarm about some cryptography-related issues with the newly released WebAuthn passwordless authentication protocol.

WebAuthn was officially launched earlier this year, in April. It's a standard developed under the patronage of the World Wide Web Consortium (W3C), the official body for all web standards.

The protocol was based on the FIDO 2.0 Web API, donated to the W3C by the FIDO Alliance, an industry consortium that includes some of the tech world's largest companies, whose role was to create interoperable authentication methods and standards.

But at the end of last month, the team of security researchers at Paragon Initiative, known for their strong background in cryptography, took a close look at this new protocol, which is making its way into browsers like Chrome, Edge, and Firefox.

In a security audit, researchers say they identified various issues with the algorithms used to generate the attestation keys (signatures).

They point out that the W3C WebAuthn specification recommends the use of outdated algorithms such as the FIDO Alliance's Elliptic Curve (EC) Direct Anonymous Attestation (DAA), or RSASSA-PKCS1-v1_5.

The Paragon team detailed a long list of issues with both algorithms in a technical report, but in short, they are vulnerable to quite a few known cryptographic attacks. In particular, they took issue with the use of RSASSA-PKCS1-v1_5.

"PKCS1v1.5 is bad. The exploits are almost old enough to legally drink alcohol in the United States," they said.


  • (Score: 5, Interesting) by The Mighty Buzzard (18) on Monday September 10 2018, @12:44PM (#732733)

    Yeah, I would never use it on any site I coded for anyway. You're not only outsourcing login security to a third party, you're also helping them build a tracking database of your users.

    --
    My rights don't end where your fear begins.
  • (Score: 0) by Anonymous Coward on Tuesday September 11 2018, @06:02PM (#733228)

    Thankfully, this one isn't quite as bad as OAuth. You can run your own authentication server just for your own sites and it isn't as prone to social engineering.

    However, I 100% agree with you when it comes to OAuth. Not only do you hand off your login security to a third party, but you also train everyone (especially the dumb and lazy ones that wouldn't be as vigilant for warning signs) to type in their username and password for the proverbial keys to the kingdom on random websites. How many of them actually look at the address bar (if it is even present, as many app webviews don't show it) to make sure they are on the right site before logging in?

    In the end, I think this is really a way for the big companies with OAuth services (Google, Facebook, etc.) to help prevent their users from getting phished, thanks to the above-mentioned user training, and general password reuse. The actual gain of tracking is small (unless they removed the part about domain name hashing in the spec).