Still working on my secure login without HTTPs. My non-comprehensive list of desired qualities:
- Never send password in a reversible encoding.
- Try to avoid replay attacks and session hijacking.
- Protect against brute force attacks on intercepted data.
- Protect against browser plugins.
Progress is coming along nicely. The authentication and validation steps are working, which means I have a functioning system. Next I need to exercise it and make sure it works in practice.
Hacker News is interesting because the community will periodically promote some anti-community ideas to the top. I was encouraged to see a cautionary bitcoin post in the top spot this morning.
Read the article, think for yourself, then read the comments.
Predictably the top comments attack technical details; in the process missing the message.
I'm strongly of the opinion that Bitcount will not end well. It has the bad qualities of gold, including a cost of mining. It has no central bank to help it, which some may celebrate now, but wish they had later. Unlike gold, which continues to be mined, there are a fixed number of eventual bitcoins. This is not good. Bitcoin is misunderstood by most holders. Holders don't use it as currency very often. And the list goes on.
I've decided to relaunch my website. I wanted to create a space that had more room, and is easier to fit complex examples into. In that spirit I have abandoned columns and for now I'm writing static HTML.
The Projects page has been updated to show some of the things that I have been working on. There is a lot more in the works.
If you haven't heard, I recently left BlackBerry for a software startup. We work in the cryptography space. I look forward to sharing more about that soon.
My previous blog was custom written, and I learned a lot while building it. Armed with newly minted knowledge about secure systems, I plan to implement my new blog with some interesting security considerations. To avoid increasing my hosting costs, I endeavour to make something I can feel confident using without HTTPS. When it's done I will describe how I did it.