Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Adix posted:

hey bro i read some site and pro-tip ssl is free now

Minor detail because he doesn't understand what he is writing.


Tad Naff
Jul 8, 2004

I told you you'd be sorry buying an emoticon, but no, you were hung over. Well look at you now. It's not catching on at all!
:backtowork:

Adix posted:

hey bro i read some site and pro-tip ssl is free now

OK, point taken. I'll be editing that bit and rehosting probably.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

FeloniousDrunk posted:

OK, point taken. I'll be editing that bit and rehosting probably.


OSI bean dip posted:

You don't even comprehend apseudonym's post. How do I know your generator hasn't been modified before it reaches my browser?

Answer this please.

Tad Naff
Jul 8, 2004

I told you you'd be sorry buying an emoticon, but no, you were hung over. Well look at you now. It's not catching on at all!
:backtowork:

OSI bean dip posted:

Answer this please.

I don't. Sometimes one gets a little wrapped up in one project, etc. Part of the reason I posted here rather than on Hacker News or something, is that it's good to get feedback from a smaller group. So now I am going to get some secure delivery, because I hadn't thought of that particular possibility. Thanks. Anything else?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

FeloniousDrunk posted:

I don't. Sometimes one gets a little wrapped up in one project, etc. Part of the reason I posted here rather than on Hacker News or something, is that it's good to get feedback from a smaller group. So now I am going to get some secure delivery, because I hadn't thought of that particular possibility. Thanks. Anything else?

And as such this will never be secure or trustworthy. What benefit does your tool provide to me and how can you ensure that I or anyone else can put some level of trust into it?

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


FeloniousDrunk posted:

I don't. Sometimes one gets a little wrapped up in one project, etc. Part of the reason I posted here rather than on Hacker News or something, is that it's good to get feedback from a smaller group. So now I am going to get some secure delivery, because I hadn't thought of that particular possibility. Thanks. Anything else?

Who is your target audience for this? People paranoid enough to generate pseudorandom 24-character passwords for everything but stupid enough to trust some random script on the Internet to handle their passwords?

Tad Naff
Jul 8, 2004

I told you you'd be sorry buying an emoticon, but no, you were hung over. Well look at you now. It's not catching on at all!
:backtowork:

Squeegy posted:

Who is your target audience for this? People paranoid enough to generate pseudorandom 24-character passwords for everything but stupid enough to trust some random script on the Internet to handle their passwords?

Funny enough, among the human acquaintances I have there are a few that thought it was convenient. And again, it's not a script on the internet; it's ultimately a tailored script that runs within the browser. I'm pretty certain that you personally are not in the target audience, and really neither am I since I have a load of passwords that I can't be bothered to change. It was more of an exercise, but I still think the idea has merit. It allows you to default to 6-character lowercase-only if you want, if you aren't paranoid, but I thought it would be useful for people who have heard that it would be good to be more paranoid.

OSI bean dip posted:


And as such this will never be secure or trustworthy. What benefit does your tool provide to me and how can you ensure that I or anyone else can put some level of trust into it?

I'll get back to you on that. Basically I hadn't thought of MITM of the generator generator, but that is a possibility. So again, thanks. It will be moved and delivered via SSL if I ever formally put it out.

hobbesmaster
Jan 28, 2008

FeloniousDrunk posted:

but I thought it would be useful for people who have heard that it would be good to be more paranoid.

Then why do your random number functions look like this?

code:
var rc=0;
function randomish(){
    var v=document.getElementById('_pwx_seed').value,f;
    if(v!==''){
        f=Math.sin(parseFloat(v)+(rc++))*1000;
        rc%=999999999999999;
        return f - Math.floor(f);
    }
    return Math.random();
}
function rand_int(min, max) {
    return min + Math.floor(randomish() * (max - min));
}

Tad Naff
Jul 8, 2004

I told you you'd be sorry buying an emoticon, but no, you were hung over. Well look at you now. It's not catching on at all!
:backtowork:

hobbesmaster posted:

Then why do your random number functions look like this?

code:
var rc=0;
function randomish(){
    var v=document.getElementById('_pwx_seed').value,f;
    if(v!==''){
        f=Math.sin(parseFloat(v)+(rc++))*1000;
        rc%=999999999999999;
        return f - Math.floor(f);
    }
    return Math.random();
}
function rand_int(min, max) {
    return min + Math.floor(randomish() * (max - min));
}

No random number seed in js, is the reason. But yes, that can be improved.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

FeloniousDrunk posted:

No random number seed in js, is the reason. But yes, that can be improved.

You keep saying that it can be improved but how? You're taking your hand at writing your own crypto so I'd like to hear from you what your approach will be to improving this. Is this your first rodeo?

hobbesmaster
Jan 28, 2008

FeloniousDrunk posted:

No random number seed in js, is the reason. But yes, that can be improved.

What specific improvements would you make?

Tad Naff
Jul 8, 2004

I told you you'd be sorry buying an emoticon, but no, you were hung over. Well look at you now. It's not catching on at all!
:backtowork:

There is prng code out there from reputable sources, I will use that. The main question is about licensing really.

Really though, is the concept sound, say with secure delivery and proper randomness.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

FeloniousDrunk posted:

There is prng code out there from reputable sources, I will use that. The main question is about licensing really.

Really though, is the concept sound, say with secure delivery and proper randomness.

What are these reputable sources? Why do you need to licence it? Are there none under the GPL? Is the GPL too restrictive? Give us examples and stop beating around the bush.

Also we're asking you these questions because people roll their crypto quite often and get it wrong. So far you're not bucking the trend and are giving vague answers here which leads me to believe that you've never written any crypto before. Anyone who has a clue about it would not approach such a system the way you have.

We've seen this nonsense with JavaScript before:
https://tobtu.com/decryptocat.php

Tad Naff
Jul 8, 2004

I told you you'd be sorry buying an emoticon, but no, you were hung over. Well look at you now. It's not catching on at all!
:backtowork:

OSI bean dip posted:

What are these reputable sources? Why do you need to licence it? Are there none under the GPL? Is the GPL too restrictive? Give us examples and stop beating around the bush.

Also we're asking you these questions because people roll their crypto quite often and get it wrong. So far you're not bucking the trend and are giving vague answers here which leads me to believe that you've never written any crypto before. Anyone who has a clue about it would not approach such a system the way you have.

We've seen this nonsense with JavaScript before:
https://tobtu.com/decryptocat.php

Well it was a bit of a joke on the thread title. If you examine it, the thing randomizes (for previously criticised values of "random") the four or five character classes by taking a "random" element 128 times from each class, then (in its next incarnation as a bookmarklet) uses a key to deterministically make a password. Insofar as cryptography is actually involved, it's one-way and so I should be more concerned about reversibility.

This PRNG looks reasonable, but under an MIT license. I'm aiming to keep the whole thing in one file.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

FeloniousDrunk posted:

This PRNG looks reasonable, but under an MIT license. I'm aiming to keep the whole thing in one file.

So keep it in one file. MIT doesn't preclude that.

Then delete that file.

Dex
May 26, 2006

Quintuple x!!!

Would not escrow again.

VERY MISLEADING!

Subjunctive posted:

So keep it in one file. MIT doesn't preclude that.

Then delete that file.

B-Nasty
May 25, 2005

Since you reference it, why don't you use a similar mechanism to Hashpass (https://github.com/boyers/hashpass), but better, to form the password per site?

You are deriving password values from some master key + the site's URL; this is the perfect use for a HMAC-SHA function. I can trust that the resultant password from HMAC-SHA can't be used in reverse to find my secret master key. Your hard-to-follow, hand-spun hashing/derivation function doesn't give me the same assurance.

That is, if I obtained N different passwords (and the site URLs) generated from your bookmarklet, could I reverse them and get the list of primes (why bother with primes here anyway?). I'll bet for a large enough value of N, I could.
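
Added example, not code from the thread or from Hashpass: one way to do the HMAC-SHA derivation described in the post above, written for Node.js rather than as a bookmarklet. The function name `derivePassword`, the 70-character alphabet, the rotation counter and the 24-character default are assumptions made for this illustration.

```javascript
// Added illustration: per-site password derived with HMAC-SHA256.
// Knowing one derived password does not reveal the key or any other
// site's password, provided the master key itself is hard to guess
// (HMAC is fast, so a weak master key can still be brute-forced).
const { createHmac } = require('node:crypto');

// Constructed alphabet (assumption): 26 + 26 + 10 + 8 = 70 symbols.
const ALPHABET =
  'abcdefghijklmnopqrstuvwxyz' +
  'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
  '0123456789' +
  '!@#$%^&*';

function derivePassword(masterKey, site, counter = 0, length = 24) {
  if (typeof masterKey !== 'string' || masterKey.length === 0) {
    throw new TypeError('masterKey must be a non-empty string');
  }
  if (typeof site !== 'string' || site.length === 0) {
    throw new TypeError('site must be a non-empty string');
  }
  if (!Number.isInteger(counter) || counter < 0) {
    throw new RangeError('counter must be a non-negative integer');
  }
  if (!Number.isInteger(length) || length < 1 || length > 128) {
    throw new RangeError('length must be an integer from 1 to 128');
  }

  // Bytes at or above this limit are discarded so that every symbol
  // is equally likely (plain "byte % 70" would favour some symbols).
  const limit = 256 - (256 % ALPHABET.length);

  let out = '';
  for (let block = 0; out.length < length; block++) {
    // JSON array encoding keeps the fields unambiguous, so
    // ("ab", 1) and ("a", ...) can never produce the same message.
    const message = JSON.stringify([site, counter, block]);
    const bytes = createHmac('sha256', masterKey).update(message).digest();
    for (const b of bytes) {
      if (b < limit && out.length < length) {
        out += ALPHABET[b % ALPHABET.length];
      }
    }
  }
  return out;
}

// Constructed sample inputs.
const sample = derivePassword('correct horse battery staple', 'example.com');
console.log(sample.length, sample);
```

Bumping `counter` gives an unrelated password for the same site, but the counter then has to be remembered or stored per site.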

Khablam
Mar 29, 2012

FeloniousDrunk posted:

Well it was a bit of a joke on the thread title. If you examine it, the thing randomizes (for previously criticised values of "random") the four or five character classes by taking a "random" element 128 times from each class, then (in its next incarnation as a bookmarklet) uses a key to deterministically make a password. Insofar as cryptography is actually involved, it's one-way and so I should be more concerned about reversibility.

You should be more concerned about usability. You've aimed this bad idea at novice users (it seems) without looking at basic use cases.
[website] email me to say they are resetting my PW as it was in a breach. Cool! So in any other password manager I hit 2 buttons to get a new, strong password not derived from the previous in any way.
What do I do with yours? Well I have to know enough to realise it isn't going to help me in any way, and go into the bookmarklet and iterate something to get a new generation. [website]1 would be what most users would choose which suggests [probably] poor entropy against the first somewhere.
So now my problem, if I know this much, is that the new seed needs to be something like [website]w3B5itE and now I'm remembering a password to remember a password.

This ignores that bookmark security is worse than password security in a browser, so anyone reading your bookmarks successfully can ergo determine your password for every website you will ever use.

I'm a total dipshit when it comes to encryption and those are two glaring problems right out of the gate that make anything like this completely untenable.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

FeloniousDrunk posted:

On the topic of password managers, I rolled my own crypto! Basically for people who don't trust LastPass etc. It runs entirely in the browser, no local storage, randomized per instance (unless choices have been made by the user).

I'd love to hear about problems it has, I haven't really put it out in the world.




Ah yes, 121, that well known prime number

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

spot the mistake in his primality test

code:
c=rand_int(47, 10001);
for(j=2;j<Math.sqrt(c);j++){
    while(!(c%j)){
        c/=j;
    }
}
if(c>2){
    a.push(c);
}
fwiw this also skews your generated primes left rather than being uniform, not that it matters because the whole idea is retarded anyway
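
Added example, not part of the post above or of the bookmarklet's code: the posted loop wrapped in a function and run over every value `rand_int(47, 10001)` can return, next to a plain trial-division check. The names `postedCandidate`, `isPrime` and `survey` are made up for this illustration.

```javascript
// Same logic as the posted snippet, with c passed in instead of drawn
// from rand_int. Returns what the snippet would push, or null.
function postedCandidate(c) {
  for (let j = 2; j < Math.sqrt(c); j++) {
    while (!(c % j)) {
      c /= j; // strips the factor instead of rejecting the candidate
    }
  }
  return c > 2 ? c : null;
}

// Plain trial division. Note "j * j <= n": the divisor equal to the
// square root must be tried, which "j < Math.sqrt(c)" never does.
function isPrime(n) {
  if (!Number.isInteger(n) || n < 2) return false;
  for (let j = 2; j * j <= n; j++) {
    if (n % j === 0) return false;
  }
  return true;
}

// Feed every possible input through the posted logic and record
// (a) which pushed values are not prime and
// (b) how many different inputs collapse onto each pushed value.
function survey(min = 47, max = 10001) {
  const composites = new Set();
  const counts = new Map();
  for (let c = min; c < max; c++) {
    const out = postedCandidate(c);
    if (out === null) continue;
    counts.set(out, (counts.get(out) || 0) + 1);
    if (!isPrime(out)) composites.add(out);
  }
  return {
    composites: [...composites].sort((a, b) => a - b),
    counts,
  };
}

const result = survey();
console.log('composite values pushed:', result.composites.join(' '));
console.log('inputs that end up as 3:', result.counts.get(3));
```

Every composite that gets through is the square of an odd prime (9, 25, 49, 121, ...), and because factors are divided out rather than the candidate being rejected, many inputs collapse onto small values, which is the left skew mentioned in the post.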

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Rufus Ping posted:




Ah yes, 121, that well known prime number

should have used 9533 since it is the largest prime

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Rufus Ping posted:

spot the mistake in his primality test

code:
c=rand_int(47, 10001);
for(j=2;j<Math.sqrt(c);j++){
    while(!(c%j)){
        c/=j;
    }
}
if(c>2){
    a.push(c);
}
fwiw this also skews your generated primes left rather than being uniform, not that it matters because the whole idea is retarded anyway

So wait does he only use sub-10k prime numbers? Because that seems familiar... have no time to find out why, though.

Proteus Jones
Feb 28, 2013



Squeegy posted:

So wait does he only use sub-10k prime numbers? Because that seems familiar... have no time to find out why, though.

Look at the link in the comment right before yours.

hobbesmaster
Jan 28, 2008

Squeegy posted:

So wait does he only use sub-10k prime numbers? Because that seems familiar... have no time to find out why, though.

But, trial division takes a long time!

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


flosofl posted:

Look at the link in the comment right before yours.

:thejoke:

andrew smash
Jun 26, 2006

smooth soul

is there a larger story to this or is it just an illustrative example of general stupidity?

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


andrew smash posted:

is there a larger story to this or is it just an illustrative example of general stupidity?

The story is don't roll your own crypto.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

I've made a quick POC to show how a malicious site (or a site with malicious ads) can abuse that bookmarklet to steal people's passwords:

https://rufoa.com/sa/poc.html

Install that guy's bookmarklet then pretend to log into my site above (click the bookmarklet then the fill button)

Trabisnikof
Dec 24, 2005

Rufus Ping posted:

I've made a quick POC to show how a malicious site (or a site with malicious ads) can abuse that bookmarklet to steal people's passwords:

https://rufoa.com/sa/poc.html

Install that guy's bookmarklet then pretend to log into my site above (click the bookmarklet then the fill button)

You're my hero :allears:

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Rufus Ping posted:

I've made a quick POC to show how a malicious site (or a site with malicious ads) can abuse that bookmarklet to steal people's passwords:

https://rufoa.com/sa/poc.html

Install that guy's bookmarklet then pretend to log into my site above (click the bookmarklet then the fill button)

FeloniousDrunk, you should come out to one of the local security meetups here in Vancouver--your profile says you live in the same city. It might help to learn from people who break this stuff as their job. :)

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

for those who can't be bothered running it themselves:

here's a site I want to log into



Load up the bookmarklet and click fill...



whoops

CLAM DOWN
Feb 13, 2007

nesaM killed Masen

OSI bean dip posted:

FeloniousDrunk, you should come out to one of the local security meetups here in Vancouver--your profile says you live in the same city. It might help to learn from people who break this stuff as their job. :)

I should go to one of those one day

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

CLAM DOWN posted:

I should go to one of those one day

There is one this Thursday at Central City on Beatie--at 6 PM.

Tad Naff
Jul 8, 2004

I told you you'd be sorry buying an emoticon, but no, you were hung over. Well look at you now. It's not catching on at all!
:backtowork:

Yeah, I kind of think using the domain name isn't such a hot idea either. I'm going to take that out. Also have replaced the homegrown hashing.

Kazinsal
Dec 13, 2011


Man I wish I still lived in Vancouver. Good food and security poo poo with chill sec goons? I should see if I can swing a week at our Burnaby office...

CLAM DOWN
Feb 13, 2007

nesaM killed Masen

OSI bean dip posted:

There is one this Thursday at Central City on Beatie--at 6 PM.

poo poo, I definitely can't make anything this week, then I'm at SANS the following. How often do these happen?

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

FeloniousDrunk posted:

Yeah, I kind of think using the domain name isn't such a hot idea either. I'm going to take that out. Also have replaced the homegrown hashing.

you've missed the point - the problem is that your bookmarklet relies on injecting secret information (the prng seed from which all passwords are derived) into untrusted third party pages

you can mitigate this to some extent but you really need to go back and consider what problem you are attempting to solve here

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

FeloniousDrunk posted:

On the topic of password managers, I rolled my own crypto! Basically for people who don't trust LastPass etc.

i mean seriously, if there are people out there who don't trust proper password managers but do trust some pile of poo poo w3schools-quality javascript bookmarklet written by local helpdesk janitor Tod McRetard, then your response shouldn't be to indulge their stupidity

milk milk lemonade
Jul 29, 2016

Rufus Ping posted:

i mean seriously, if there are people out there who don't trust proper password managers but do trust some pile of poo poo w3schools-quality javascript bookmarklet written by local helpdesk janitor Tod McRetard, then your response shouldn't be to indulge their stupidity

:vince:

God drat


vOv
Feb 8, 2014

Rufus Ping posted:

you've missed the point - the problem is that your bookmarklet relies on injecting secret information (the prng seed from which all passwords are derived) into untrusted third party pages

you can mitigate this to some extent but you really need to go back and consider what problem you are attempting to solve here

To elaborate: One of the fundamental problems with your approach is that it's impossible to secure a JS bookmarklet (which runs in the same environment as the page) from potentially malicious code on the page itself. Browser extensions can be safe because their JS environment is separate from the page's, so they can just inject enough JS to set up the interface and set the relevant fields to the proper values or whatever (and even then, there have been plenty of high-profile attacks where the people who wrote the extension were silly). Even if you store all your secrets in the function itself, an evil site could replace all the methods on Object.prototype with 'evil' ones that walk up the call stack using .caller and call .toString() on the functions until they find your bookmarklet, then grab the secrets out of it via string manipulation or eval() or what have you.

Khablam posted:

You should be more concerned about usability. You've aimed this bad idea at novice users (it seems) without looking at basic use cases.
[website] email me to say they are resetting my PW as it was in a breach. Cool! So in any other password manager I hit 2 buttons to get a new, strong password not derived from the previous in any way.
What do I do with yours? Well I have to know enough to realise it isn't going to help me in any way, and go into the bookmarklet and iterate something to get a new generation. [website]1 would be what most users would choose which suggests [probably] poor entropy against the first somewhere.
So now my problem, if I know this much, is that the new seed needs to be something like [website]w3B5itE and now I'm remembering a password to remember a password.

This ignores that bookmark security is worse than password security in a browser, so anyone reading your bookmarks successfully can ergo determine your password for every website you will ever use.

I'm a total dipshit when it comes to encryption and those are two glaring problems right out of the gate that make anything like this completely untenable.

This is also a big problem with any approach that tries to generate passwords solely based on a master secret and the domain name.
