Secure Quick Reliable Login
Proposing a comprehensive, easy-to-use, high security replacement for usernames,
passwords, reminders, one-time-code authenticators . . . and everything else.
How SQRL Can Thwart Phishing Attacks

Although the SQRL identity authentication login system does not promote itself as an anti-phishing solution, observers have hoped that, in addition to everything else it does, it might also be able to provide some relief from the classic and pervasive Internet worry over phishing. As it turns out, the SQRL authentication architecture does present significant opportunities for thwarting phishing attacks.

The Phishing / Man-In-The-Middle Problem
A “Man In The Middle” (MITM) exploit occurs when an attacker can somehow arrange to interpose themselves between a web browsing user and the web server they believe they are contacting. The attacker becomes the “man in the middle”, able to eavesdrop and often intercept and alter the data passing back and forth between the user and the intercepted web site:

[Figure: phishing-1]

This typically occurs through a so-called “Phishing” attack, where a fraudulent — but very authentic-appearing — eMail message induces an unwitting user to “click this link” to verify (for example) a Paypal transaction they have no knowledge of, approve the withdrawal of funds from their bank account (which they never made), etc. The fraudulent eMail link will direct the user to a website at a similar-looking web address — perhaps paypol.com or paypal.cn — which will go unnoticed because everything else about the displayed page is absolutely correct.

The fraudulent “phishing” web site will ask the user to log in by providing their username and password. But because the fraudulent site has interposed itself between the user and the actual website, the user is unwittingly providing their confidential credentials to the attacking site. Since the attacking site now holds the user's confidential credentials, it can log in as the user, impersonating them, and transfer the user's funds wherever it wishes.

OAuth authentication (“login with Facebook”, “login with Twitter”) is equally prone to phishing exploits, and “six digit” multi-factor authentication systems, such as time-based or one-time “Google Authenticator” style codes, don't help in this situation because the malicious website can intercept and immediately use the time-based code before it has expired. Attackers are known to be doing this.

How SQRL changes things
When using SQRL, users do not identify and authenticate themselves with a username and password. Instead, their unique user identity is derived from their secret master key and the website's full domain name. Since SQRL generates a unique user identity for every web domain, the user's Internet identity for a look-alike phishing site such as paypol.com or paypal.cn, or anything other than the authentic website the user believes they are visiting, would be useless to any attacker.

This means that the SQRL login link provided by a phishing site's otherwise fraudulent web page must be correct and authentic. In our example, it would have to be “paypal.com” because that domain name string is used in the generation of the identity by which Paypal knows the user. This means that the user's SQRL application will connect directly to the authentic website, rather than to the fraudulent phishing site:

[Figure: phishing-2]

The diagram above shows the SQRL Login Agent, its communication link, and the authentic web server in green to signify the significantly higher degree of trust and tamper-proof assurance that exists for this communication.
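The per-domain identity derivation described above, as an added illustration that is not code from the SQRL project: the master key and the full domain name are combined with HMAC-SHA256 to produce a per-site key, and a digest of that key stands in for the public identity a real SQRL client would publish (the actual SQRL key construction, the constructed master key, and the `Website` helper are assumptions of this example). It also shows why an identity captured by a look-alike domain is useless when replayed at the authentic site.

```python
import hashlib
import hmac

# Constructed 32-byte value standing in for a user's secret SQRL master key.
MASTER_KEY = bytes(range(32))


def normalize_domain(host: str) -> str:
    """Lower-case the host so 'PayPal.com' and 'paypal.com' yield one identity."""
    return host.strip().lower()


def site_private_key(master_key: bytes, domain: str) -> bytes:
    """Per-site secret: HMAC-SHA256 keyed by the master key over the domain.

    Assumed construction for illustration; it follows the page's description of
    an identity derived from the master key plus the full domain name.
    """
    data = normalize_domain(domain).encode()
    return hmac.new(master_key, data, hashlib.sha256).digest()


def site_identity(master_key: bytes, domain: str) -> str:
    """Public per-site identity the website stores.

    A real client would publish an Ed25519 public key derived from the
    per-site secret; a SHA-256 digest of that secret stands in here.
    """
    return hashlib.sha256(site_private_key(master_key, domain)).hexdigest()


class Website:
    """Minimal relying party that remembers identities registered for its domain."""

    def __init__(self, domain: str):
        self.domain = domain
        self.known_identities = set()

    def register(self, master_key: bytes) -> str:
        ident = site_identity(master_key, self.domain)
        self.known_identities.add(ident)
        return ident

    def login_with_identity(self, presented: str) -> bool:
        return presented in self.known_identities


def phishing_replay_succeeds(master_key: bytes, real: str, phish: str) -> bool:
    """Phisher captures the identity the user presents to the look-alike domain
    and replays it at the authentic site; True only if that replay logs in."""
    real_site = Website(real)
    real_site.register(master_key)
    captured = site_identity(master_key, phish)  # what paypol.com would receive
    return real_site.login_with_identity(captured)
```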

The SQRL system takes advantage of this stronger tamper-proofing and enhanced trust in three ways:

Details and Limitations of IP-based MITM detection
Although IP awareness is powerful and useful as an anti-phishing countermeasure and man-in-the-middle detector, it is not perfect. It can fail or be unavailable in the following scenarios:


Gibson Research Corporation is owned and operated by Steve Gibson. The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA.

Last Edit: Nov 14, 2013 at 13:07