10 August 2008 – 10:02 pm
You use passwords, possibly dozens of passwords, to authenticate to websites daily. Passwords are a useful authentication tool because they function as a “thing-you-know” (a shared secret between you and the server) and because passwords can be changed (in case of loss, unlike, say, your fingerprints).
In a diatribe against OpenID titled, “Goodbye, Passwords. [...]
By Emil Sit | Posted in Technology | Also tagged authentication, bruce schneier, cookies, e-mail, encryption, FastMail, GMail, ING, Kim Cameron, openid, password, randall stross, session, Vanguard
Public wireless networks can be scary; you never know who might
be sniffing your traffic,
recording your GMail authentication cookies,
or worse.
Ideally, all of your net activity
should be end-to-end authenticated and encrypted.
Since this is not always feasible, ssh fortunately makes it easy
to use an untrusted network by routing your traffic through a
trusted end-point.
All you need is an ssh [...]
OpenID has been generating a lot of buzz this past month:
OpenID is a decentralized authentication mechanism that allows a
consuming web-site to verify that “you” can authenticate to a
particular identity provider (keyed by a URL). Big names from AOL
to SmugMug to WordPress have recently
announced that they are becoming OpenID providers.
Why so many providers? For [...]
24 October 2006 – 12:12 pm
The concept of providing operating systems that are
secure by default should be second nature to OS vendors.
All major operating system vendors have been affected by exploits
that allow remote attackers to take over the computer and
have realized that it is a bad thing: much better to reduce
the possible avenues of attack as much as possible without
relying [...]
Susan Hohenberger defended her thesis Friday at MIT. Susan’s
thesis work is on developing secure algorithms for proxy
cryptography. These are new cryptographic constructions that are designed to
allow a third party, the proxy, to take a cryptographic object produced for
(or by) a particular key and transform it so that it is a valid object
for (or [...]
Today a few of us had lunch with Yoshi Kohno who is visiting MIT and
gave a talk about his research on Monday. An important aspect of
Yoshi’s research is the problem of translating theoretical security results
into secure implementations. He gave an example of how the way that
WinZip employed the theoretically secure encrypt-then-MAC
paradigm of authenticated [...]
Boycott Performance Bike.
Performance is a company that sells bike components. They’re
pretty big and have acquired their former competitors like
Nashbar and SuperGo. That’s too bad because I really don’t like
Performance. Maybe you shouldn’t either.
In 2001, Kevin Fu and I (along with some other members
of the Applied Security Reading Group) were looking into
the security [...]