Ask HN: Login solution that encrypts requests using key received by Email?
Hi,
I have developed a solution that overcomes the risks of hijacking sessions (using, for example, broken SSL or a stolen JWT token) by encrypting a line in every request differently, using a session key that is copied and pasted once on every browser and which is sent via email.

Does anyone here need such a thing? I want to offer it to newbies who hesitate because of cloud bills, using my own cloud and a small cloud fee.

I don't have a prototype yet but am considering making one. Are you guys with me? Do you want one?

I think I follow the proposal, but I have a few questions. It sounds like you enter your email and then you'd get an email with the session key. You mention copy/paste; why not use a URL with the key embedded (typically after a # as this part stays on the client)? I think you'll need to send JavaScript down to the client to perform the encryption. That code needs access to the session key. Unfortunately, if the SSL session is invalid (like a MITM attack using a self-signed cert) then the attacker can inject their own JavaScript to steal your session key. Is the session key stored in local storage? Is anything protecting it there? I think, similar to a JWT, it can be stolen. This is unfortunately a hard problem you're trying to solve.

The session key is for autofill, like what autofills during MFA. Whatever is stolen IS okay, because every request to the server encrypts using that session key which is stored in the cookie: the random string that the server sends to the user inside a JWT, which can't be modified, and the server checks that the result of the encryption is what it is supposed to be. The browser defends from stealing the cookie; however, if SSL is broken, hackers can sniff anything they like, which in this case will not help them anymore. And it's easy to implement (for me), hence I want to offer it to novice users for a small cloud usage fee. Maybe like 5 dollars a month for 1,000 requests, 15 dollars for 10,000 requests, 50 for 50,000 and 500 for a standalone server. What do you say?

So apparently I succeeded, even though you told me it's too complicated :) And I invite you to read about it; the service is called signmeonly.io. I will make a demo hijacking my own account and how I do it, and show with an example to you guys how all of us are vulnerable.