DNA companies should receive the death penalty for getting hacked | TechCrunch::Personal data is the new gold. The recent 23andMe data breach is a stark reminder of a chilling reality – our most intimate, personal information might

  • @[email protected]
    link
    fedilink
    English
    01 year ago

    Public Key Auth =/= TLS/SSL =/= Passkeys.

    TLS/SSL is one implementation of public key authentication.

    Passkeys is a different implementation of public key authentication.

    That fact that there are flaws in the TLS/SSL implementation of public key authentication does not equate to those flaws being present in the Passkey implementation of public key authentication.

    Just because a tool was used poorly once, doesn’t mean it’s always used poorly.

    Passwords MUST be transmitted to the service in a form that the server accepts as valid, every time authentication is requested. This can be captured and re-sent in exactly the same form it was originally sent to the server. Be that plaintext, or a hash. Hashing a password is almost always done on the server side before storage, or before comparing to the stored hash. If it was done by the client, an attacker would never need to get the plaintext password, they could just resend the hash. A passwords security in transit is entirely dependent on the security of the SSL/TLS connection, which we’ve already discussed is flawed.

    A passkey is never transmitted and thus cannot be stolen from that transmission. They are not dependent on the security of a known to be flawed network protocol.

    Yes, there are other attack vectors which are present with both forms of authentication. Not really relevant to choosing one or the other being they are present regardless of password vs passkey.

    Which we’ve already established that passkey implementation is also problematic.

    The only problem we’ve established with passkeys is managing their storage and distribution between your devices. That’s a problem that’s entirely up to you as a user and which managers you choose to use. I like having detailed control over my data, so I used a self-hosted password/passkey manager. Others don’t care to go into that kind of detail and just stick with google/apple. To each their own.

    I’m actually doing the opposite: Compairing the best password implementations with the worst passkey implementations. (regarding how the service implements auth, not how the user manages their auth info. Ie; what the user has no control over)

    Even with the user and the service they are using doing all the right things to secure their password auth as much as possible: that password can still be stolen in a usable form either from the service itself or from the connection between the service and the user.

    Where as a service could fuck up astronomically; http only, with public access to their user+passkey table. As long as the users own systems have not been compromised, those passkeys cannot be stolen in any useable way as the service doesn’t have them and are never sent them in any form. All you’ll get is a public key which is about as useful as a random number.

    Passkeys move all the risk+responsibility of keeping them secure away from the service and puts it entirely in the hands of the user and the decisions they make. You no longer have to hope or even care that the service you’re connecting to is actually utilizing the best practices.

    And yes, Passkeys are more inconvenient than a password. Using private key auth has always been more inconvenient. Doesn’t stop it being the go-to form of auth for ssh. Again, that was just an example of your password being stolen by the network you are connected to. I’m not here to discuss how to or if you should be using personal accounts on work equipment.

    I’m also not going to discuss the merits of someone elses talking points. I didn’t even open that link.

    • Saik0
      link
      fedilink
      English
      01 year ago

      That fact that there are flaws in the TLS/SSL implementation of public key authentication does not equate to those flaws being present in the Passkey implementation of public key authentication.

      So the fact that LITERALLY EVERY public key auth up to this point in history except for a very very limited few has been broken/updated isn’t a sign to you? Why are you so willfully ignorant here? NO encryption method is perfect… NO Authentication method is perfect.

      TLS/SSL is one implementation of public key authentication.

      Good thing everything I’ve talked about has been about Public Key Authentication and the traits that those have! Almost like being such a thing would have common traits between them that would not change!

      Passwords MUST be transmitted to the service in a form that the server accepts as valid

      Just like the challenge/response must be transmitted in a way that the server accepts it as a valid answer… Platitudes like this mean nothing and show that you do not understand any of the fundamentals happening here. Public Key Encryption is fundamentally 2 entangled passwords and a challenge (random generated known) on session start. There’s 0 reason that the passwords couldn’t just be an actual password for the private side, and the hash the public key. You need to read up on implementation of these things.

      A passkey is never transmitted and thus cannot be stolen from that transmission. They are not dependent on the security of a known to be flawed network protocol.

      I literally said this so many time already it’s getting sad that you are arguing so disingenuously. You don’t HAVE to transport the password at all in password-based authentication. You can transport a hash(password+challenge) just like what passkeys would be doing.

      I’m actually doing the opposite: Compairing the best password implementations with the worst passkey implementations. (regarding how the service implements auth, not how the user manages their auth info. Ie; what the user has no control over)

      No you’re not, and now I’m walking away from this discussion. I can’t have discussions with people who outright lie.

      The best password implementations would do what I’ve outlined several times now… The worst passkey implementation could simply challenge with the same or no value at all which would allow replay (gasp! like bad implementations of passwords! almost like they are basically the same!). Like YOU admitted, you can’t control the site implementation. I’ve said it repeatedly that the best possible passkey implementation is WORSE than the best possible Password implementation. However, the worst passkey implementation is likely better than that worse password implementation. Kneecapping those of us who actually implement properly… That’s dirty.

      I’m also not going to discuss the merits of someone elses talking points. I didn’t even open that link.

      And you’ve outlined none of your own. What productive communication this has been. It’s literally the same parroted talking lines that every fucking one of you “passkey” fanboys spout without any functional knowledge of what happening.

      Go look at how all Public Key Encryption works. TLS is sufficient to understand it. https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/

      Nothing stops step 4 from being the hash of a password, step 5 being you applying your password. Literally nothing. Passkeys are not significantly different than passwords from a best implementation standpoint, and actually introduce a number of problems that passwords do not have. It’s all about implementation and everyone who is lazy in implementing strong password authentication code WILL be lazy implementing PassKeys.

      Others don’t care to go into that kind of detail and just stick with google/apple. To each their own.

      Yeah you’ve already admitted that phone user’s don’t have a choice… and the vast majority of people’s only significant interaction with the internet in a day is their phone. So where’s the options for those people? Right… I’ve asked that like 3 times now and you’ve failed to answer.

      • @[email protected]
        link
        fedilink
        English
        01 year ago

        I’m tired of you putting words on my mouth and needlessly insulting me in a genuine conversation. It’s just sad.

        For example: I never said users dont have a choice on Android. You did.

        I said my chosen Passkey manager has not yet implemented Passkey support. Nordpass, Enpass, 1password, and Dashlane are all examples of non-google passkey managers you can use right now on Android. You just couldn’t be bothered to look for anything but what was stuffed in your face for you.

        Enjoy your rambling, I’m done here.