Yes, I can confirm that HTTPS-only mode breaks logins with 84. But it's not because of the localhost issue, which seems to be working fine (I get the green text on Steve's client).
Rather, it's sending back the CPS link to the browser and Firefox chokes on it, for some reason. It works fine if...
Bug #1220810 is supposed to fix this. It hardcodes localhost to the loopback addresses. In the process, it makes localhost addresses Secure Context so it won't enforce HTTPS-Only on them. Apparently, there's still a bug with *.localhost subdomains, but that shouldn't affect SQRL.
You don't say what OS or client software you're using. If you're using Steve's Windows client, it makes a sqrl folder in My Documents. Your identity will be there in the form of a file ending in .sqrl.
On another site I visit (I won't get into specifics, it isn't about that) they were suspended by Google for completely bogus reasons and their site was taken down (the site was hosted with them). It only took a couple of days to straighten it out, and now the site's back.
But apparently, being...
The reason I say it's a kludge (and that is said with no disrespect whatsoever to @josecgomez, just the opposite in fact) is because it doesn't actually create an identity for the website. It creates one for the OAUTH provider and the site just uses it. It's not the relationship we ultimately...
It wasn't designed to work with OAUTH2. In fact, it was specifically designed not to need it. So this is a kludge. We need more server solutions built out.
I'm not even sure that it's possible, since the newsreader would have to be able to display a SQRL QR code and receive the authentication token. Remember that this is 1980s technology.
It's certainly possible for a malicious script to flood the server with tons of SQRL login requests, but that can also be done with anything else. A script can flood a server with bogus login requests with random usernames and passwords. DDoS mitigations are there to take care of that sort of...
I really don't understand the point of this feature. All they have to do is turn off the mixed-mode warning when the insecure resource is on localhost. They were supposed to do this a whole bunch of versions ago, but apparently it only applies to certain cases.