It might be called SQRL, Secure Logins, Another Protocol, A God-Send….
Whatever you want to call it WE NEED IT!!!
Let’s look back at the recent past… A typical issue: person A (the soon-to-be-unhappy one) is in a coffee shop having a relaxing hour and thinks it would be a good idea to log into their bank on the coffee shop’s wireless network. Person B (the not-so-smart one who knows where to get the right software on the web today) is also in the same coffee shop, with a normal-looking computer doing what looks to be a normal thing at a coffee shop, but configured to act as a MITM setup (that’s a Man In The Middle setup).
What happens in this issue is that when person A connects to the coffee shop’s wi-fi to go to any secure area on the web, they also connect through person B’s computer, which acts as a MITM for all communications. Without knowing it, person A is giving ALL their security information to person B to do with as they want in the future. When person A then leaves (or is even still there but logged out of the bank), person B might then log in to person A’s bank and transfer funds out to wherever they want to… Scary, no?!? But this happens all the time!!!
Person A doesn’t know what happened until they log back into the bank next time…
Yes, I know the banks are getting smarter with their internal checks and balances… But what about the stock markets, personal web sites, government web sites, credit card sites, Facebook, online job sites, online stores, simple sites where we use the same login credentials as everywhere else???
Once person B has all the login information they need, all they have to do is login to said site and data mine anything they need to impersonate person A with and then they can do a lot of damage to person A’s credit / online persona….
We all say it will never happen to me because I use the latest technology around… So does person B!!! And like I said, person B just has to know where the software is on the web, with some simple instructions…. They do not have to program it….
Now we have SQRL (Secure QR Logins)… Hopefully to become a web standard soon… With SQRL and the above issue (person A & B) we start with the same problem… But the login information person B is looking for bypasses them… They might see data coming and going, but the login information is not only encrypted but also handled offsite via a phone or such…. Once person A is securely logged in and communicating over a secure connection, person B sees nothing they can use and is now defeated…
To get the details of the proposed SQRL, check out this site (https://www.grc.com/sqrl/sqrl.htm) and you will get all the information you could need…
But for the simple people out there in web land…. SQRL is a technology that is so simple and secure, it’s a wonder we haven’t used it by now… What happens is that at a login screen (one that is set up with SQRL) person A has the option of entering their login credentials or scanning the QR code on the screen with their phone. After the scan, the app (on the phone) uses a secure setup made beforehand with the website / service to remotely log the user in to the site… If done correctly, person A sees their login credentials automatically entered and they are now logged in. It bypasses the keyboard, the mouse and most of the unsecured web traffic…
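Why person B gets nothing reusable, as an added sketch that is not from the original post or from the SQRL project: it follows the publicly described SQRL idea of a per-site key derived from one master key, used to sign a one-time challenge. The `Server` type, the helper names, the sample key, the nonces and `bank.example` are assumptions for illustration, and the URL is a simplified stand-in for the real wire format.

```go
package main
import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// siteKey derives a per-site Ed25519 key pair from the master key and the site's domain.
func siteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // HMAC-SHA256 output is the 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

// Server (hypothetical) stores only the user's public key and the challenges still open.
type Server struct {
	domain  string
	userPub ed25519.PublicKey
	pending map[string]bool
}

// Challenge returns the URL that would be shown as a QR code on the login page.
func (s *Server) Challenge(nonce string) string {
	url := "sqrl://" + s.domain + "/login?nut=" + nonce
	s.pending[url] = true
	return url
}

// respond is what the phone app does: sign the scanned URL with the per-site key.
func respond(priv ed25519.PrivateKey, url string) []byte { return ed25519.Sign(priv, []byte(url)) }

// Login accepts a signature only for an open challenge, then closes it (no replay).
func (s *Server) Login(url string, sig []byte) bool {
	if !s.pending[url] || !ed25519.Verify(s.userPub, []byte(url), sig) {
		return false
	}
	delete(s.pending, url)
	return true
}

func main() {
	pub, priv := siteKey([]byte("constructed-demo-master-key"), "bank.example") // constructed key
	srv := &Server{"bank.example", pub, map[string]bool{}}
	url := srv.Challenge("n1") // constructed nonce; a real server uses random ones
	sig := respond(priv, url)
	// first login, replay of the captured response, old signature on a new challenge
	fmt.Println(srv.Login(url, sig), srv.Login(url, sig), srv.Login(srv.Challenge("n2"), sig)) // true false false
}
```

Everything an eavesdropper could capture here is the public key, the challenge URL and the signature; the master key and per-site private key never leave the phone.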
We need this technology so bad it isn’t funny… It would stop viruses, key loggers, key sniffers, Trojans, MITM attacks, corrupted software and just anything out there that can steal a password in any environment… (Coffee shop, Public library, Internet CAFE, Public Kiosk…)
Another issue would be person A in a school library doing research for their school paper. After getting all the info they need, they log into their remote email system thinking they are secure… What they don’t know is that person B has installed either hardware key loggers or virus software on the computer to log all keystrokes from person A. After a set period of time (say a week), person B grabs all the keystrokes collected and runs them through a special software package (again easily obtained from the web) and now has person A’s login credentials to do anything they want with… With SQRL this would be stopped!
Whatever software technology we use, it’s a fact we need something to stop these attacks!!! Too many people out there are getting spoofed (a term: a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage) and it needs to stop! We use the web so much these days, and just proving it’s the right person doing the transaction is almost impossible. I know myself I will be using SQRL… I see the need so much… And I don’t want to be spoofed!