Minimize Ladder Length over Wall

Some time ago somebody had to solve this math optimization question for their studies and told me about it.

So there is a wall with height h, which has the distance a from a very high "building" and your task, should you accept it, is to find the shortest ladder over the wall that touches the ground and the "building".

So the function to minimize is L = sqrt((x+a)^2+(h+y)^2).
Because we know that y/a = h/x it follows that y = ah/x.
Using this the length becomes L = sqrt((x+a)^2+(h+ah/x)^2).
The minimum of that function is not changed if we leave out the sqrt, and the derivative of (x+a)^2+(h+ah/x)^2 is (2 (a + x) (-a h^2 + x^3))/x^3.
So the minimum is where this derivative equals zero, which (for x > 0) is where x³ = ah²,
and the length then is L = (a^(2/3) + h^(2/3))^(3/2).
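Carrying the substitution x³ = ah² through to the length, as an added check that is not part of the original post (same symbols as above):

$$
\begin{aligned}
x^3 = a h^2 &\;\Rightarrow\; x = a^{1/3} h^{2/3}, \\
x + a &= a^{1/3} h^{2/3} + a = a^{1/3}\left(h^{2/3} + a^{2/3}\right), \\
h + \frac{a h}{x} &= h + a^{2/3} h^{1/3} = h^{1/3}\left(h^{2/3} + a^{2/3}\right), \\
L^2 &= (x+a)^2 + \left(h + \frac{a h}{x}\right)^2
     = \left(a^{2/3} + h^{2/3}\right)^2 \left(a^{2/3} + h^{2/3}\right)
     = \left(a^{2/3} + h^{2/3}\right)^3, \\
L &= \left(a^{2/3} + h^{2/3}\right)^{3/2}.
\end{aligned}
$$

Sanity check with a = h = 1: x = 1 and L = 2^{3/2} = sqrt(8), the diagonal of a 2 by 2 square, which is what the symmetric case has to give.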
 
Now the thing that I
Continue reading "Minimize Ladder Length over Wall"

CSS Oddities: anonymous inline whitespace nodes

I learned something today. It all started with a Twitter post by @supersole that there is a new feature in @FirefoxNightly that allows debugging "anonymous inline whitespace" nodes in HTML pages.
https://blog.nightly.mozilla.org/2016/10/17/devtools-now-display-white-space-text-nodes-in-the-dom-inspector/

The post claims that <img><img> on the page is rendered differently than <img>crlf whitespace crlf<img>.
I could not believe this. That is stupid, right? Which web developer would expect any difference?

Well, it seems that CSS rules - being what they currently are - lead to this unexpected difference.
The CSS spec describes the algorithm to process the HTML here in Phase I: Collapsing and Transformation.
In the second HTML fragment the whitespace next to the segment breaks is removed by step 1, which gives us
<img>crlfcrlf<img>.
Step 2 tells us to handle segment breaks ("crlf"). That is described in the Segment Break Transformation Rules.
Those rules give us <img>spacespace<img>, which is then further processed by
Continue reading "CSS Oddities: anonymous inline whitespace nodes"
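The Phase I steps from the post, as an added example that is not from the post or the spec: a small function that applies the four collapsing steps of CSS Text Level 3 to the text node between two inline elements, and a crude tag splitter (not an HTML parser) to run both fragments from the post through it. Only the non-CJK branch of the segment break transformation rules (break becomes a space) is implemented.

```javascript
// Added example, not from the post or the spec: the Phase I
// ("Collapsing and Transformation") steps of CSS Text Level 3 for
// collapsible white space (white-space: normal), applied to the text node
// that sits between two inline elements. Only the non-CJK branch of the
// segment break transformation rules (break -> space) is implemented.
function collapseWhiteSpace(text) {
  // Step 1: spaces and tabs immediately before or after a segment break are removed.
  let s = text.replace(/[ \t]*(\r\n|\r|\n)[ \t]*/g, '$1');
  // Step 2: each collapsible segment break is transformed; for non-CJK text it becomes a space.
  s = s.replace(/\r\n|\r|\n/g, ' ');
  // Step 3: every collapsible tab becomes a collapsible space.
  s = s.replace(/\t/g, ' ');
  // Step 4: a space right after another space collapses (zero advance width),
  // so for rendering purposes a run of spaces is one space.
  s = s.replace(/ {2,}/g, ' ');
  return s;
}

// Splits an inline markup fragment at its tags and returns the collapsed
// content of every text node between them. A crude tokenizer that is
// enough for the <img> fragments in the post; it is not an HTML parser.
function collapsedTextNodes(html) {
  return html.split(/<[^>]*>/).slice(1, -1).map(collapseWhiteSpace);
}

// True when some text node between the tags still contains a space after collapsing.
function rendersWithGap(html) {
  return collapsedTextNodes(html).some((t) => t.length > 0);
}
```

The surviving space is the content of an anonymous inline box between the two images, which is exactly what the Nightly inspector now shows. Phase II only drops collapsible spaces at the start or end of a line, so between two images on the same line that space keeps its advance width.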

Twitter Markup

Twitter Cards have been around for some time now, and I recently wondered how commonly used they are.

There is a nice blog post on Blogger on how to integrate them there but clearly there should be ways for e.g. newspapers to promote their reports by providing summaries and a main image and author information that is not @Twitter specific?  Microformats and schema.org to the rescue?

What does Google do? It seems that JSON-LD is the recommended format.

How would a Twitter Card look in JSON-LD?

Twitter Cards or Rich Cards or @w3c Cards?

Time to standardize!

New Firefox Add-On: QRCode Login

Current login mechanisms suffer from missing support by browsers and sites.
Browsers offer in-browser password storage but that's about that.
Standardized authentication methods like HTTP Digest Authentication and HTTP Basic Authentication were never really accepted by commercially successful sites. They work but the user experience is bad especially if the user does not have an account yet.

So most sites are left with form-based authentication where the site has full control over the UI and UX. Sadly the browser has little to offer here to help the site or the user other than trying to identify signup and login forms through crude guesses based on the existence of a password field.

There is no standardized way for sites and browsers to work together.
Here is a list of attempts to solve some of the above issues:
Federations have their drawbacks too. Even Facebook login went dark for 4h a while ago which left sites depending on Facebook without user login.

In general there is this chicken-egg problem:
Why should sites support new-mechanism-foo when there is no browser support.
Why should browsers support new-mechanism-foo when there are no sites using it.

Then there are password stores. I use passwordsafe to store my password in one place. If I do not have access to that place (PC) then I can't login. Bummer.
Others use stores hosted on the Internet and those usually support most browsers and OSes through plugins/addons and non-standard trickery.
I never could convince myself to trust the providers.

So. Drum-roll.
I started to work on a mechanism that has a password store on the mobile which allows you to login on your PC using your PC's camera.

The user story is as follows:
  1. browse to a site's login page e.g. https://github.com/login
  2. have my Firefox addon installed
    https://github.com/AxelNennker/qrcodelogin
  3. click on the addon's icon
  4. present your credential-qrcode to the PC's camera
  5. be logged in
Here is an example qrcode containing the credentials as a JSON array
["axel@nennker.de","password"]:

    The qrcode could be printed on paper or generated by your password store on your mobile. To help the user with the selection of the matching credentials the addon presents a request-qrcode to be read by the mobile first. This way the mobile ID-client can select the matching credentials.
    (If you don't like to install addons to test this and for a super quick demo of the qrcode reading using your webcam please go to http://axel.nennker.de/gum.html and scan a code)

    What are the benefits?

    x-auto-login at Mozilla Services?

    As I described here

    http://ignisvulpis.blogspot.de/2014/11/x-auto-login-at-google.html

    Google is using a proprietary HTTP header named x-auto-login to log you into Google services like GMail using your local Android account.
    This is cool.

    Browse to a Google website and be logged in without the need to remember the super secure password. Sadly this is a closed system as we learned when implementing this for Firefox for Android (Fennec).
    See https://bugzilla.mozilla.org/show_bug.cgi?id=1030650

    Yes, Fennec can talk to the Authenticator and ask for a "weblogin:" token for "com.google", but the Authenticator answers differently depending on who asks. If Chrome is asking then the returned token redirects you to https://accounts.google.com/ and immediately logs you in, but when you're Fennec then you are just redirected to https://accounts.google.com/ and have to enter username and password. Bummer.

    Anyway: How about using this scheme for Mozilla services and using a Mozilla account on the device or local to the browser (Firefox Sync) if available.
    Continue reading "x-auto-login at Mozilla Services?"

    X-Auto-Login at Google

    Below you can find evidence that Google is using the X-Auto-Login header in production.
    Please see my other post for context: http://ignisvulpis.blogspot.de/2014/09/deviceautologin.html
    I am using "wget" to fetch the GMail web page and the HTTP response contains the X-Auto-Login header.

    I think that Google should standardize this.
    Currently Google is using OpenID2 here but it is probably easy to standardize this with OpenID Connect.

    ignisvulpis@namenlos:~/mozilla-central$ wget -S https://mail.google.com/mail --user-agent="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36"
    --2014-11-03 12:23:50-- https://mail.google.com/mail
    Connecting to 212.201.109.5:8080... connected.
    Proxy request sent, awaiting response...
    HTTP/1.1 302 Moved Temporarily
    Content-Type: text/html; charset=UTF-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 03 Nov 2014 11:23:51 GMT
    Location: https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=googlemail&emr=1
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1;
    Continue reading "X-Auto-Login at Google"

    DeviceAutoLogin

    Maybe you are an Android user and wondered how sometimes the browser logs you in without asking for a password?

    Well, I wondered but never found the time to investigate.

    Thanks to the awesome W3C Web Cryptography Next Steps Workshop and thanks to the usual jet-lag I found that time now. First I thought that this is Google-ism "Chrome does some questionable proprietary trick and knows just how to login to Google accounts". That is half-true.

    There is chatter on the chromium list but it seems that the Android browser has known this trick since 2011, and Chrome for Android was released in 2012.

    So how does it work?
    1. a site responds with a special HTTP header "X-Auto-Login" 
    2. the browser sees that header 
    3. the browser asks the device's account system for local accounts for the realm parameter of the header (e.g. realm=com.google) 
    4. the browser asks for a special kind
      Continue reading "DeviceAutoLogin"
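The browser-side half of steps 1 to 3 above, as an added example that is neither Chromium's nor the blog's code; it also stands in for the header the wget run in the previous post was about to show. The header value format "realm=<realm>&account=<name>&args=<urlencoded>" is taken from Chromium's auto-login parser (the account parameter is assumed to be optional); the response headers and the device account list are constructed for this example, not captured from Google.

```javascript
// Added example (not Chromium's or the blog's code): the browser-side
// half of the DeviceAutoLogin flow, steps 1-3. The header value format
// "realm=<realm>&account=<name>&args=<urlencoded>" follows Chromium's
// auto-login parser; the sample response headers and the device account
// list are constructed for this example, not captured from Google.
function parseAutoLoginHeader(value) {
  const fields = {};
  for (const part of value.split('&')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const key = decodeURIComponent(part.slice(0, eq)).trim();
    fields[key] = decodeURIComponent(part.slice(eq + 1));
  }
  if (!fields.realm) return null;   // without a realm there is no account type to ask for
  return { realm: fields.realm, account: fields.account || null, args: fields.args || '' };
}

// Step 2: the browser sees the header (header names are case-insensitive).
function findAutoLogin(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'x-auto-login') return parseAutoLoginHeader(value);
  }
  return null;
}

// Step 3: ask the device's account system (here a plain array) for accounts of that realm.
// If the site named an account, only that one qualifies.
function matchingAccounts(header, deviceAccounts) {
  return deviceAccounts.filter(
    (a) => a.type === header.realm && (!header.account || a.name === header.account),
  );
}

// Constructed sample: the interesting headers of a 302 to the login page.
const SAMPLE_RESPONSE_HEADERS = {
  'Location': 'https://accounts.google.com/ServiceLogin?service=mail&continue=https://mail.google.com/mail/',
  'X-Auto-Login': 'realm=com.google&args=service%3Dmail%26continue%3Dhttps%253A%252F%252Fmail.google.com%252Fmail%252F',
};
const SAMPLE_DEVICE_ACCOUNTS = [
  { type: 'com.google', name: 'alice@example.com' },
  { type: 'com.example', name: 'alice@corp.example' },
];

// Steps 2 and 3 together: which local accounts could be offered for this response.
function candidatesForAutoLogin(headers, deviceAccounts) {
  const header = findAutoLogin(headers);
  return header ? matchingAccounts(header, deviceAccounts) : [];
}
```

Step 4, the token request, is where the trust boundary sits: the site can only ask, and the device's authenticator decides what it hands back based on who is calling. That is exactly why Fennec, in the post above, ends up on a login page instead of inside a session.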

    Web Identity Restart?

    Well, how can you restart something that never started? ... Never mind.

    I am wondering whether it makes sense to have a W3C workshop on "Internet Identity" again. http://www.w3.org/2011/identity-ws/

    My impression in 2011 was that the common ground was not very broad so the group decided to launch the W3C WebCrypto working group because all agreed that crypto is a precondition to web identity. Now, three years later I do not see much progress in web crypto or web identity (for that matter).

    In the meantime the FIDO alliance was established which has HW-based authentication but a license model that requires that implementers are a FIDO alliance member. That is the opposite of a web standard.

    So I think that the WebCrypto WG will not give us "identity for the web". Signing/verification/encryption/decryption are too low level and too easy to use wrong. This is not the way to web
    Continue reading "Web Identity Restart?"

    ACM Digital Identity Management

    The call for papers to ACM Digital Identity Management is open http://cccs.ncl.ac.uk/dim2013/

    "Identity at the Crossroads"

    This workshop will explore crucial issues concerning interoperable identity management technologies for the information society.
    Identity management has seen a series of developments in recent years. Whereas identity management and federation standards have been solidified and adopted in practice, nations world-wide are investing in electronic identity systems as strong root identities for their citizens offering a promise for strong authentication. Privacy-enhancing identity systems have reached some technical maturity and may offer user authentication with minimal disclosure. At the same time, personal identifiable information and the user's identity has become a commodity to drive the business of global corporations. Whereas such companies sought to bind the users accounts to their unique identity, there has been a reported unrest and anxiety of users because of their diminishing privacy protection.
    We see identity
    Continue reading "ACM Digital Identity Management"

    HTTPS EveryWhere Kantara Initiative

    I noticed that when I am logged into https://idp.kantarainitiative.org/ and I then access documents
    on kantarainitiative.org there is no SSL protection. This is probably not good.

    HTTPS Everywhere to the rescue!
    [image: HTTPS Everywhere logo]
    I added my own rule to the HTTPS Everywhere Firefox addon. (Works in Firefox 21.0)

    <ruleset name="KantaraInitiative">
     <target host="www.kantarainitiative.org" />
     <target host="kantarainitiative.org" />
     <target host="idp.kantarainitiative.org" />

     <rule from="^http://idp\.kantarainitiative\.org/" to="https://idp.kantarainitiative.org/"/>
     <rule from="^http://(www\.)?kantarainitiative\.org/" to="https://kantarainitiative.org/"/>
    </ruleset>

    Put the above ruleset into the Firefox Profile folder into a file named e.g. kantarainitiative.xml.
    On Windows it should be located in a folder similar to this location:
    D:\Users\nennker.axel\AppData\Roaming\Mozilla\Firefox\Profiles\uzmmhdde.default\HTTPSEverywhereUserRules
    Now whenever I visit Kantara HTTPSEverywhere redirects Firefox to the SSL protected service.
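How the ruleset above is applied, as an added example that is not HTTPS Everywhere's own engine: a minimal reader that shows how the target hosts gate which URLs a ruleset applies to at all, and how the first matching rule rewrites the URL. The reader pulls the attributes out of the XML with regexes and supports exact target hosts only (the real add-on also handles wildcard targets, exclusions and cookie rules).

```javascript
// Added example, not HTTPS Everywhere's code: a minimal ruleset reader for
// the KantaraInitiative ruleset. Targets gate applicability by host; the
// first <rule> whose "from" regex matches rewrites the URL. Attribute
// extraction is regex based and covers only what this ruleset uses.
const RULESET_XML = String.raw`
<ruleset name="KantaraInitiative">
 <target host="www.kantarainitiative.org" />
 <target host="kantarainitiative.org" />
 <target host="idp.kantarainitiative.org" />

 <rule from="^http://idp\.kantarainitiative\.org/" to="https://idp.kantarainitiative.org/"/>
 <rule from="^http://(www\.)?kantarainitiative\.org/" to="https://kantarainitiative.org/"/>
</ruleset>`;

function parseRuleset(xml) {
  const targets = [...xml.matchAll(/<target\s+host="([^"]+)"/g)].map((m) => m[1]);
  const rules = [...xml.matchAll(/<rule\s+from="([^"]+)"\s+to="([^"]+)"/g)]
    .map((m) => ({ from: new RegExp(m[1]), to: m[2] }));
  return { targets, rules };
}

// Rewrite one URL: only URLs whose host is a declared target are considered,
// then the first matching rule wins; anything else is returned unchanged.
function rewrite(url, ruleset) {
  const host = new URL(url).host;
  if (!ruleset.targets.includes(host)) return url;
  for (const r of ruleset.rules) {
    if (r.from.test(url)) return url.replace(r.from, r.to);
  }
  return url;
}

const KANTARA = parseRuleset(RULESET_XML);
```

Note that the host check runs on the parsed URL, not on the regex: a URL such as http://kantarainitiative.org.evil.example/ is never touched because its host is not a target, even though a sloppy regex without the trailing slash anchor could have matched it.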

    Support EFF!


    Android SSO

    The documentation of Android's AccountManager is infamously uninformative. AccountManager is available since API level 5 and I got the impression that Google changed it a lot. I am not sure whether it is still work-in-progress. Probably.

    So how does Google do SSO for their own services? Not long ago Google introduced Google Play Services

    Google Play Services contains an Authenticator that handles all Accounts for "com.google". The Google apps like GMail etc. query this Authenticator for access tokens using the Authenticator's getAuthToken method. The application can then use this access token to access the API of its backend server.

    How can this be secure? How does the Google Play Services SDK (GoogleAuthUtil) know that GMail is a trusted app?
    I am guessing here but I think that Google uses the same mechanism that Google recommends for developers. The keys used to sign an Android app are retrievable by the
    Continue reading "Android SSO"

    Google: Standardizing Payments on the Web: Introducing requestAutocomplete()

    Google is taking huge steps to simplify payments. Which is great!

    If you have about 25 minutes then watch this presentation.

    The major takeaways:
    • Sites should use standardized names for form input fields' autocomplete attributes.
      <input id="nme" name="username" autocomplete="name">
      id and name stay as they are but site owners should use standard values for autocomplete (the list of tokens is maintained by the WHATWG).
    • The browser presents the user with a dialog that allows to choose between different sets of data; e.g. change to different shipping address.
    • On Chrome there is tight integration with Google Wallet and instead of your real credit card information a one time credit card is issued by the Google Wallet backend.
      Caveat: Google Wallet currently is US only!

    Google Wallet is only one data source for autocomplete. If Google Wallet is not available then Chrome's local autofill  data is used for autocomplete.

    Google said that they talked to other browser vendors but
    Continue reading "Google: Standardizing Payments on the Web: Introducing requestAutocomplete()"

    Google Wallet Objects

    During Google I/O there were several presentations about Google Wallet Objects.

    Although the documentation is not public one can get a few ideas what those objects are.

    What I find interesting is that we at T-Labs named the "things" inside our wallet "objects" too.


    Well, at first we just called them "cards" and the wallet is a card selector. The cards can be anything: payment cards, train tickets, loyalty cards, car keys, coupons. Everything that is in your wallet.

    Others called the "things" in the wallet "service". Some defined them just to be links to app on the same device as the wallet. Some defined them as meta data, that describes the service, the issuer, the service endpoints, the protocols needed to get tokens from the endpoints and so forth. Some objects contain code that is executed by the wallet.

    Our T-Labs wallet objects are currently called "items" and they
    Continue reading "Google Wallet Objects"

    FIDO Alliance

    I am not happy with the FIDO Alliance and their FAQ does not eliminate my concerns.

    The major concern being: "Why isn't this going straight to a standards body?"
    Their answer:
    The FIDO authentication protocol needs to be part of a standardized, interoperable ecosystem to be successful. Building this ecosystem requires the active commitment of everybody from hardware chipset vendors, to the manufacturers of back-end server systems. Coordination across the divergent interests of these players is a complex affair, and one that current technical standards bodies are not well suited to handle.
    The FIDO Alliance will refine the protocol, and monitor the extensions required to meet market needs and to make the protocol robust and mature. Implementation will not be undertaken by the FIDO Alliance. The mature protocol will be presented to the IETF, W3C or similar body after which it will be open to all industry players to
    Continue reading "FIDO Alliance"

    Javascript API for OpenID

    Too long ago I wrote about an Javascript API for openid: all those NASCARs

    To repeat the main points:

    Sites currently have no easy way to detect support for openid. With the proposed API the site can detect support for openid like so:

    if (window.openid) { /* don't show the NASCAR */ }

    The DOM level API that allows the site to query the preferred identity provider looks like this:

    window.openid.getPreferredOpenidProvider(callback);
    In a world of oauth2 and openid connect this could be generalized to:
    https://openid.net/specs/openid-connect-standard-1_0.html#rf_prep

    var parameters = {};
    parameters.response_type="id_token";
    parameters.client_id="https://server.example.com/seminar/callback.html";
    parameters.request = "eyJhbGciOiJSUzI1NiIsIng1dSI6Imh0dHBzOlwvXC9nYWJ1bm9taS5uZXRcL3NlbWluYXJcL3JzYV9wdWJsaWNfa2V5LnBlbSJ9.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.Faytuhwb2W4CWVz2-10umSieh-bqR7QXqU0bNF39u_D0mGoBD4e3X2b4jZNqPvPADSnQhlBGSJu189iFM5bwFzchnO-quCpj7T2CK_-wkrpL5LUn_WHYMmYlFadmb-a1p-TEo7exU9azMS9cT70-kHNqmTaJziZyiAMoJ0Q4TtyTt1Xbkknc_CQRug3ilNv3bEXSlOlva3HUOY7jQIbYMB3jDL3QxS1wbVYNAjOxCxCDmiNAUJA-BkYe6Tpyj-DUs57IM4wQSp64sqim8RqirJJfFb4bCbNTkC3G8sYfN2_1-qEDpOnWW7N3gjl174TWHbnzVLAZGg_rZm58-wHOLw";
    parameters.state="509b9cafd3119";
    parameters.nonce="509b9cafd34fd";

    window.openid.connect(parameters, oc_callback);
    The callback oc_callback would be called with one parameter.

    function oc_callback(resp) {
    // resp contains a signed then encrypted id_token in jw-* format
    // https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption
    // https://tools.ietf.org/html/draft-ietf-jose-json-web-signature
    // state and nonce are inside the resp parameter too
    Continue reading "Javascript API for OpenID"

    ECDH-ES for JSON Web Encryption

    The JWA spec recommends that ECDH-ES is implemented. Here we go:

    Here are the relevant snippets from the JWA spec:

    4.1. "alg" (Algorithm) Header Parameter Values for JWE

    alg Parameter Value | Key Encryption or Agreement Algorithm
    ------------------- | -------------------------------------
    ECDH-ES             | Elliptic Curve Diffie-Hellman Ephemeral Static, as defined in RFC 6090, and using the Concat KDF, as defined in Section 5.8.1 of NIST.800-56A, where the Digest Method is SHA-256 and all OtherInfo parameters are the empty bit string

    4.6. Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES)


    This section defines the specifics of agreeing upon a JWE CMK with Elliptic Curve Diffie-Hellman Ephemeral Static, as defined in RFC 6090, and using the Concat KDF, as defined in Section 5.8.1 of NIST.800-56A, where the Digest Method is SHA-256 and all OtherInfo parameters are the empty bit string. The alg header parameter
    Continue reading "ECDH-ES for JSON Web Encryption"

    Playing with Google’s Identity Toolkit on openinfocard.org

    Today I retried Google's Identity Toolkit.
    https://developers.google.com/identity-toolkit/v1/acguide
    So I had to dust off my rudimentary PHP knowledge and write some scripts and minimal HTML pages.


    Clicking the key hole icon opens the account chooser.

    I choose GMail and login to Google.


    This is the result page. My site now knows some attributes about me like verifiedEmail, display name and imageUrl etc.

    Next task: Repeat and rinse with http://accountchooser.net/

    Debugging OAuth2 SSL Connections

    Debugging SSL protected protocols like oauth2 can be a problem but it is not entirely impossible nor hard to do.

    One way to do it is to spoof the certificates the protocol relies on to protect the communication. The certificates are used by the client to verify that the server is the endpoint it is supposed to be talking to and to encrypt the communication. A good description for the Android operating system is given in this blog post (Intercepting and decrypting SSL communications between Android phone and 3rd party server). Android is only picked as an example here; ways to do this exist for all operating systems. Yes, to install the certs you need root access; but it may well be that you have that and want to help a friend to debug their installed application on your phone. Even if the client
    Continue reading "Debugging OAuth2 SSL Connections"

    Identity Management @ RSA 2012 Europe

    Sharpen your keyboard and submit a paper for the Identity Management track at RSA Conference Europe 2012. The leading conference on security and all things you need to know.


    From the topic description: Identity Management
    Identity Management covers issues of access control, authentication, identification technologies & protocols. Sessions on Identity and Access Management (IAM) fit here, along with sessions on IAM standards and architecture. This topic also covers issues such as credential management, multifactor authentication and new methods of authentication.
    The Call for Speakers closes on Friday 18th May