A small project

So I’ve taken inspiration from Wendell’s Edison video to make something similar.

This is also made as an experiment into a 90% javascript/HTML project (All pages are HTML templates that are filled in with a javascript template engine that gets the data through JSON requests to a restful PHP API and that may in turn make calls to a daemon on the system)

I wish to make advancements and add features into basically what he’s done. My question relies on this, what possible ways are there for modifying HTTPS traffic (Preferably without running much code on the computer in question).

Current ways I can think of:

  • Hook the functions (Not really wanting to)
  • Browser extension (Maybe)

The reason is I want to store passwords there and do something similar to what Wendell did with the SSH keys with saved passwords.

Any ideas?

Could you clarify further what you want to accomplish?

You want a password stored somewhere and you want access to it somewhere else? Do you want to see the plaintext password or just verify that the password you entered is valid?

What I want is kinda strange.
I want the user to NEVER have a hold on their own passwords for sites, they authenticate onto a small secure box that will login in on their behalf.

This has issues as places that I want secure, like paypal will check certain variables to ensure the session does belong to that machine. How can I bypass that?

Let me preface this with the following disclaimer: You should try to build this device, it will be a great learning experience.

Okay so it sounds like you want a separate device, lets call it the "Auth-Box". The Auth-Box is a computer that has some sort of master password (it could be your password + a biometric + anything else). Once you enter your master password the Auth-Box handles all other further authentication for you.

Login to TS, Auth-Box!
Login to your email account, Auth-Box!

This all happens via some sort of protocol, Auth-Box makes a connection to your computer, tells your computer the correct password (could be an insanely long randomly generated password because hurray you already authenticated into the Auth-Box).

This is stupid.

Why is this stupid? Attack vectors / attack surface. Auth-Box get's compromised, uh oh, ALL your passwords are now compromised. But wait, explorer-guy, isn't that the same security risk as using two-factor authentication with your phone? YES it is astute observer, which is why it's stupid (the advantage of using your phone is that it does not know about your passwords, your solution all your passwords are in one spot, in plaintext, this is naughty). The device is storing plaintext passwords and sending plaintext passwords over a protocol. Now you have to prove to me that this is more robust than https. Because if its equally robust or less, security has been compromised.

In fact, even if this magic protocol that is sending password from Auth-Box to your computer is 99.999% failsafe, security has STILL been compromised. Why? Because math! Yeah let's do math! Your password, no matter what, still has to fly over HTTPS, let's say that the odds of HTTPS being cracked, exploited, or failing are one in ten thousand (i.e. it is 99.99% reliable). Now, using our magic new protocol we have TWO networking protocols that have to execute, our new, super duper strong one (99.999% percent) and good ole' HTTPS (99.99%, remember, these are made up numbers but the point is still valid).

So what is our total risk of exploitation?? Why it's the probability of HTTPS failure multiplied by probability of new-magic-protocol failure. Which, if you open up your calculator application is 99.98%. LIKE ZOINKS SCOOB.

So no matter how super duper secure you've made your Auth-Box-to-Computer protocol, because the password has to fly over a wire (or wifi) twice, your chance of failure/compromise as increased.

But this isn't the whole story brah, because Auth-Box shore's up a whole other set of security problems, namely the weakest part of ANY authentication system - the human using it. Now instead of 10 passwords, the user remembers only one + their fingerprint (or however you want to handle initial auth).

So does that make this idea not stupid? Well, no, because any Auth-Box system like this will have a much better adoption rate, and ease-of-use if you use a device that the user ALREADY has with them (their phone, their fingerprint, etc).

So will your idea make the world safer? No. Will you learn a shit ton from it and could it set you on the path to making the world more secure? Definitely. Please don't be discouraged, I just wanted to explain misconceptions about "adding" layers to security, you are always better off shoring up or removing your weakest link, not adding more strong links.

Thanks for that comment although. I hope to not allow the user to EVER come in contact with the passwords AND it requires BOTH the target machine AND the server to be compromised with malware.

I designed it so let's say I want to connect to a VPS on a PC I don't trust, I can use my phone (Something I trust) to access the authbox and get a temporary password that will connect it to the VPS. The password cannot be used again. Things like that but also adding browser passwords.

Now I understand that the human is the weakest link but I wanted this to be for cryptonuts or people who don't trust anything.

I don't think you could have a device authenticate for you then allow you to connect from another device. I don't know for certain but it seems like something they would have tried to lock down to prevent browser hijacking and stuff like that.

For HTTP you can simply set a proxy, that'd work. but for HTTPS I'm unsure.

You can do a HTTPS proxy, but it's pretty dodgy, it will create more problems then it would solve.

Damn

How does the untrustworthy VPS know your password is valid?

The vps is trusted no the PC. And that's simple. I have a proxy SSH daemon on the authbox that waits for connection, when it gets one it finds what actual SSH keys have that tmp password assigned, then the authbox authenticates a session with those details and forwards the messages

Ah I gotcha, sorry should have re-ready your comment.

The temporary password stuff would be fun to write, I'd do something cutesy like use the next word of a novel or something.

agreed_pos = 0
word_bank = ['call', 'me', 'Ishmael']
hash = sha256(word_bank[agreed_pos])
hash = do_some_salting_and_string_rearranging(hash)

contact_attempts = 0
while(contact_attempts < 10):
    res = makeHTTPpost(body, headers={'pwd': hash}
    if res.HTTPresponse_code == 200:
        agreed_pos += 1 #VPS increments its counter too now
    else:
        contact_attempts += 1

The danger there is if you make this call over HTTP the first post fails, because now a man-in-the-middle could conceivably grab the temp password and try to auth in before you could (they'd have just a few milliseconds, but it's possible).

That's why the entire thing is https

I dig it.

Same