Recent content by shanedk

Yes, I can confirm that HTTPS-only mode breaks logins with 84. But it's not because of the localhost issue, which seems to be working fine (I get the green text on Steve's client). Rather, it's sending back the CPS link to the browser and Firefox chokes on it, for some reason. It works fine if...

Bug #1220810 is supposed to fix this. It hardcodes localhost to the loopback addresses. In the process, it makes localhost addresses Secure Context so it won't enforce HTTPS-Only on them. Apparently, there's still a bug with *.localhost subdomains, but that shouldn't affect SQRL.

You don't say what OS or client software you're using. If you're using Steve's Windows client, it makes a sqrl folder in My Documents. Your identity will be there in the form of a file ending in .sqrl.

On another site I visit (I won't get into specifics, it isn't about that) they were suspended by Google for completely bogus reasons and their site was taken down (the site was hosted with them). It only took a couple of days to straighten it out, and now the site's back. But apparently, being...

Does it work with the other clients, and only fails with the plugin?

I used Firefox. I just tried it with Chrome; it worked scanning the QR code from the Android client, but it still didn't work with the GRC client.

I was also unable to login with the GRC client. EDIT: It also failed with the Android client scanning the QR code.

The reason I say it's a kludge (and that is said with no disrespect whatsoever to @josecgomez, just the opposite in fact) is because it doesn't actually create an identity for the website. It creates one for the OAUTH provider and the site just uses it. It's not the relationship we ultimately...

It wasn't designed to work with OAUTH2. In fact, it was specifically designed not to need it. So this is a kludge. We need more server solutions built out.

Unless you want to set it up to use OAuth, you're going to have to run something on the backend. What technology is the server running?

And how would your newsreader know that happened? The newsreader is the issue.

I'm not even sure that it's possible, since the newsreader would have to be able to display a SQRL QR code and receive the authentication token. Remember that this is 1980s technology.

It's certainly possible for a malicious script to flood the server with tons of SQRL login requests, but that can also be done with anything else. A script can flood a server with bogus login requests with random usernames and passwords. DDoS mitigations are there to take care of that sort of...

I really don't understand the point of this feature. All they have to do is turn off the mixed-mode warning when the insecure resource is on localhost. They were supposed to do this a whole bunch of versions ago, but apparently it only applies to certain cases.

These are two completely different problems. You could use SQRL as a solution, but I wouldn't advise it.