Launch HN: SignAuth – An auth protocol based on ed25519 high-security signatures
In 2006 I built the first Host-proof Hosting Online Password Manager, Passpack (it still exists, but I sold it in 2013). I am fascinated by security and obsessed with details.
Any major web service sends your password to its server in plain text. Only when the service receives the password does it derive it and save it in the database. What happens if a smart employee puts a backdoor at the beginning of the flow and steals your password? I have worked in many large companies, and security is not what they pretend it is. So, at the end of November, I decided to try a different authentication approach, using the ED25519 elliptic curve. It took me one day to build the library, because I reused a library that I wrote for Secrez.
After using it for two months without any problems, I think it is time to talk about it.
If you visit https://signauth.cc you can find a brief introduction to the protocol, and you can see how it works.
The code is open-source at https://github.com/signauth, and there is also an Express-React boilerplate.
Any comment, opinion, suggestion, or criticism is very welcome.

What happens if a smart employee puts a backdoor in the client code served to you? You can inspect the website and detect a backdoor. It is not easy, but nobody would risk being caught doing that. On the server side, we have no way of knowing what happens. Also, you could use an extension to generate the signature. The password, in this case, would never be passed to the client.