Perhaps instead of looking at cookies as a proxy for passwords, we should be looking at passwords as a transport mechanism for secrets! The desired result is to share a secret key between the server and one or more browsers, and the password is merely a mechanism to prove the browser worthy of the secret …
There’s a concept in evolutionary biology called the Gene-centered view of evolution which considers evolution to be best considered from the perspective of the gene rather than the invidviduals who carry it.
This mental inversion was popularized by Richard Dawkins in his 1976 book The Selfish Gene.
We are survival machines – robot vehicles blindly programmed to preserve the selfish molecules known as genes. This is a truth which still fills me with astonishment.
– Richard Dawkins, The Selfish Gene
Rather than thinking of genes as a way of creatures making successive creatures, you can think of creatures as a mechanism for carrying genes about. This may seem like a trick of terminology, but it proves helpful when thinking about the problems of altruism and group selection in evolution.
It occured to me the other day that the same trick applies to the thorny issue of internet security, specifically passwords and secrets.
Generally, when communicating with Internet servers, you hand over a username and password, which are then checked, and your web browser is issued a “cookie” or a “token” or a “ticket” … some kind of shared secret which can be used in lieu of your username/password for the next little while at least. This avoids having to store or pass around the password itself with every transaction.
Traditionally, websites tended to use short lived “session cookies”, but these days these shared secrets tend to be longer lived, to avoid having to remember your password yet again. And passwords are getting more like shared secrets: most security minded people would recommend using randomly generated passwords, stored in some kind of password storage system and locked with a single “master key”.
Perhaps instead of looking at cookies as a proxy for passwords, we should be looking at passwords as a transport mechanism for secrets! The desired result is to share a secret key between the server and one or more browsers, and the password is merely a mechanism to prove the browser worthy of the secret …
The mechanism is simple:
This of course is just the same sort of mechanism currently used everywhere to recover passwords, but without a password ever actually getting a look in. So while there are weaknesses in the security of doing it this way, they already exist in the password-based schemes more typically used.
(see also You’ve got NO MAIL)
But there’s a problem. Cookies are not really treated as sensitive information by most browsers, they’re just thrown into a file in your home directory, and even if you have set a Master password, they aren’t encrypted. So unless you’re using an operating system which encrypts your files by default they may be quite easy to steal.
It would be awfully nice if the browsers would start taking cookie security a bit more seriously. However, since session cookies are generally quite long-lived, your sessions weren’t really very secure in the first place, so using passwordless cookies isn’t necessarily much worse.
I put together a little demo of this principle at kringle.zoic.org (now defunct), not exactly a high security application but I thought a nice demo.
I invited a bunch of friends to try it out for our annual “Christmas in July” party, and it worked pretty well, but interestingly only one person noticed that there was no way to set a password!