WebAuthn, SoloKeys, DNS, IPv6, Code, CSV

  • WebAuthn - public-key-cryptography-based authentication extension to the Credential Management API from W3C and part of the FIDO2 specification, fido-u2f, FIDO Alliance. Read a few extremely miserable programming articles about it, lots of technical detail. But the essential part was missing: what and why. Then the rest will automatically and obviously follow without further details. You don't need source code to implement something from scratch based on a good specification. Maybe this is just the modern programmers, they do something that "works" without any clue why and how it works. Classic. That's the wrong way of doing things. Forum discussions about this topic are all the stuff I've written about over and over again. Multi-factor, safe private key storage, secure authentication doesn't make an insecure device any more trustworthy and so on. This is nothing new, except it's standard with browser support; technically it's all VERY old stuff. Btw, who remembers SSL client certificates? All this is 90s technology. All this immediately reminded me of SQRL, which is also nice and simple. So many failures in history: Mozilla Persona / BrowserID, OpenID, Windows CardSpace and so on. Even with the latest Firefox correctly configured, I didn't find any working demo site. Hmm. None of the articles covered where the keys are actually stored and how those are protected. What about backup, recovery, etc.? Wow, I used 3+ hours to go through all this, and I've gained nothing. OAuth isn't a failure, but many sites accept only a very limited set of identity providers. I really wish FIDO2 / WebAuthn would gain popularity and acceptance; it seems to be much better than paper OTP passwords, SMS-delivered login verification codes, TOTP or RSA SecurID.
  • Nobody in Finland has thought about using WebAuthn for TUPAS / PSD2 and providing digital online national identity verification for Banking, Shopping, Insurance, Tax authorities, etc. Really? At least nobody has mentioned it publicly. kw: authentication identity identityverification psd2
  • SoloKeys - I really liked how their firmware web-updater works. It uses the authentication requests to carry the new firmware code to the key device. Classic, anything over anything. The approach is just lovely and hackish.
  • After many, many articles about the "dangers of using ISPs' DNS servers", I still don't get what the problem is with the ISP seeing my DNS queries. That's still private telecom information protected by law. Unless you're doing something obviously illegal and are under investigation, they can't do anything with that data legally. Using Cloudflare or a VPN most likely won't solve the problem anyway, at least if you're doing something criminal enough. Therefore claiming that either option actually makes you untraceable on the net is snake oil anyway. - These are things which would be so nice to test and troll with, but probably the authorities running the criminal investigation wouldn't think it was a nice joke to play. Well, I didn't mean it, I just wanted to see if you guys care.
  • If you've got devices with an IPv6 Global Unicast Address (GUA), it's preferred over a Unique Local Address (ULA), which is good. It's always better to use global addressing instead of local addressing. In networks where every device has a GUA, there's no need to configure a parallel ULA. I guess this will be the large majority of networks.
  • Bad program, hangs the whole system so it can't be repaired without using low-level tools. Thank you, software developers, once again. It's extremely frustrating that some programs are designed so that you have to turn the feature "on" before you can configure the feature. But what if this feature prevents all networking or accessing the computer and so on? At least a few firewalls have this problem, as well as a few remote control tools. When you install the tool, it will block all remote connectivity until configured. No, there's no option to do that in a sane way, checked with their customer support. That's just bad, really bad. Because it could have been so much smarter.
  • Lots more interesting or really depressing discussion about CSV files and RFC4180. Anyway, even the simplest CSV, or any fields with any separator on a row, works great, as long as it's not user-generated JUNK data. Most often all the problems originate from users and bad data quality. CSV itself isn't to blame. I don't remember when I would have seen any problems with non-user-entered fields. Unfortunately it's totally normal to see more or less broken CSV files. Seeing actually RFC-valid files seems to be quite uncommon. Anyway, this reminded me of really good old stuff, DATA. Also reminded me that the last time I used a double double quote was with PowerShell. """Quoted""" will output "Quoted". Yes, using ' is also an option. So many escape methods; if you don't know exactly all the environments you're using, you're probably going to fail.
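The "what and why" the WebAuthn entry above found missing, as an added example written for this page (it is not code from the original post, from SoloKeys or from any WebAuthn library): Node's built-in crypto stands in for a software authenticator and a relying party. The rpId, origin, credential store and the simulated authenticator are assumptions of the example. What it shows is that the site only ever holds a public key and a counter, each login signs a fresh server challenge that the browser binds to its origin, and a replayed or phished assertion is rejected even though the key is genuine.

```javascript
// Added example (not from the original post): the essence of a WebAuthn
// assertion, modelled with Node's built-in crypto. The "authenticator" is a
// plain software key pair standing in for a security key; the relying party
// ("server") side is what a site must verify. rpId and origin are assumed.
const crypto = require('crypto');

const rpId = 'example.com';            // assumed relying party id
const origin = 'https://example.com';  // assumed browser origin

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// --- Authenticator side (simulated): the private key never leaves this object.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let signCount = 0;
  return {
    credentialId: crypto.randomBytes(16).toString('hex'),
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    // Sign authenticatorData || SHA-256(clientDataJSON): exactly the two
    // things the relying party reconstructs on its side before verifying.
    getAssertion(clientDataJSON, rpIdForSigning, userPresent = true) {
      signCount += 1;
      const counter = Buffer.alloc(4);
      counter.writeUInt32BE(signCount);
      const authenticatorData = Buffer.concat([
        sha256(Buffer.from(rpIdForSigning)),       // 32 bytes rpIdHash
        Buffer.from([userPresent ? 0x01 : 0x00]),  // flags: bit 0 = user present
        counter,                                   // 4 bytes signature counter
      ]);
      const signedData = Buffer.concat([authenticatorData, sha256(Buffer.from(clientDataJSON))]);
      return { authenticatorData, clientDataJSON, signature: crypto.sign('sha256', signedData, privateKey) };
    },
  };
}

// --- Relying party side: only public keys, counters and one-time challenges are stored.
function makeRelyingParty() {
  const credentials = new Map();       // credentialId -> { publicKey, signCount }
  const pendingChallenges = new Map(); // challenge -> credentialId
  return {
    register(auth) {
      credentials.set(auth.credentialId, { publicKey: crypto.createPublicKey(auth.publicKeyPem), signCount: 0 });
    },
    beginLogin(credentialId) {
      const challenge = crypto.randomBytes(32).toString('hex');
      pendingChallenges.set(challenge, credentialId);
      return challenge;
    },
    // Returns null on success, or a string naming the first failed check.
    finishLogin(credentialId, assertion) {
      const cred = credentials.get(credentialId);
      if (!cred) return 'unknown credential';
      const clientData = JSON.parse(assertion.clientDataJSON);
      if (clientData.type !== 'webauthn.get') return 'wrong ceremony type';
      if (pendingChallenges.get(clientData.challenge) !== credentialId) return 'unknown or reused challenge';
      pendingChallenges.delete(clientData.challenge);          // challenge is single-use: no replay
      if (clientData.origin !== origin) return 'origin mismatch'; // browser-set origin: no phishing
      const ad = assertion.authenticatorData;
      if (!ad.subarray(0, 32).equals(sha256(Buffer.from(rpId)))) return 'rpIdHash mismatch';
      if ((ad[32] & 0x01) === 0) return 'user presence not asserted';
      const signedData = Buffer.concat([ad, sha256(Buffer.from(assertion.clientDataJSON))]);
      if (!crypto.verify('sha256', signedData, cred.publicKey, assertion.signature)) return 'bad signature';
      const counter = ad.readUInt32BE(33);
      if (counter <= cred.signCount) return 'sign counter did not increase (possible cloned key)';
      cred.signCount = counter;
      return null;
    },
  };
}

// End-to-end run: register once, log in, then show the two checks that matter most.
function demo() {
  const auth = makeAuthenticator();
  const rp = makeRelyingParty();
  rp.register(auth);
  const challenge = rp.beginLogin(auth.credentialId);
  const clientDataJSON = JSON.stringify({ type: 'webauthn.get', challenge, origin });
  const assertion = auth.getAssertion(clientDataJSON, rpId);
  const ok = rp.finishLogin(auth.credentialId, assertion);
  // Presenting the same assertion again fails: its challenge was consumed.
  const replay = rp.finishLogin(auth.credentialId, assertion);
  // An assertion the browser produced for another origin fails despite a valid key.
  const ch2 = rp.beginLogin(auth.credentialId);
  const otherOrigin = JSON.stringify({ type: 'webauthn.get', challenge: ch2, origin: 'https://other.example' });
  const phished = rp.finishLogin(auth.credentialId, auth.getAssertion(otherOrigin, rpId));
  return { ok, replay, phished };
}
```

A real authenticator also returns an attestation at registration and keeps the key in hardware; this model leaves attestation out and simplifies the counter rule to "must increase", which is enough to see why the server-stored material is harmless if leaked and why the challenge and origin checks are not optional.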
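To make concrete what RFC 4180 actually requires for the doubled double quote the CSV entry above mentions, here is a small parser and writer added for this page (not code from the original post, and not a library); the sample file is constructed. It handles separators and line breaks inside quoted fields, turns `""` back into a single `"`, round-trips the result, and rejects an unterminated quote instead of silently swallowing the rest of the file, which is the usual failure with user-entered junk.

```javascript
// Added example (not from the original post): RFC 4180 parse and write.
function parseCsv(text, separator = ',') {
  const rows = [];
  let row = [];
  let field = '';
  let inQuotes = false;
  let i = 0;
  while (i < text.length) {
    const c = text[i];
    if (inQuotes) {
      if (c === '"') {
        if (text[i + 1] === '"') { field += '"'; i += 2; continue; } // "" -> literal quote
        inQuotes = false; i += 1; continue;                          // closing quote
      }
      field += c; i += 1; continue;  // anything else, including CR/LF, is data
    }
    if (c === '"' && field === '') { inQuotes = true; i += 1; continue; } // quote opens only at field start
    if (c === separator) { row.push(field); field = ''; i += 1; continue; }
    if (c === '\r' && text[i + 1] === '\n') { row.push(field); rows.push(row); row = []; field = ''; i += 2; continue; }
    if (c === '\n') { row.push(field); rows.push(row); row = []; field = ''; i += 1; continue; }
    field += c; i += 1;
  }
  if (inQuotes) throw new Error('unterminated quoted field');
  // Flush the last row when the file does not end with a line break.
  if (field !== '' || row.length > 0) { row.push(field); rows.push(row); }
  return rows;
}

// Writer: quote only when RFC 4180 requires it, doubling embedded quotes.
function toCsvField(value, separator = ',') {
  const s = String(value);
  return /["\r\n]/.test(s) || s.includes(separator) ? '"' + s.replace(/"/g, '""') + '"' : s;
}
function toCsv(rows, separator = ',') {
  return rows.map((r) => r.map((v) => toCsvField(v, separator)).join(separator)).join('\r\n') + '\r\n';
}

// Constructed sample: a user-entered "notes" column containing every troublemaker.
const sampleCsv =
  'id,name,notes\r\n' +
  '1,"Doe, John","Said ""hello""\r\nthen left"\r\n' +
  '2,Jane,plain\r\n';
```

Parsing `sampleCsv` yields three rows, the second of which has the field `Doe, John` and a notes field containing a real line break; writing those rows back reproduces the input byte for byte. Any file that ends inside an open quote is reported as an error rather than merged into one giant last field.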

2019-08-25