Recent content by shanedk

Unless you want to set it up to use OAuth, you're going to have to run something on the backend. What technology is the server running?

And how would your newsreader know that happened? The newsreader is the issue.

I'm not even sure that it's possible, since the newsreader would have to be able to display a SQRL QR code and receive the authentication token. Remember that this is 1980s technology.

It's certainly possible for a malicious script to flood the server with tons of SQRL login requests, but that can also be done with anything else. A script can flood a server with bogus login requests with random usernames and passwords. DDoS mitigations are there to take care of that sort of...

I really don't understand the point of this feature. All they have to do is turn off the mixed-mode warning when the insecure resource is on localhost. They were supposed to do this a whole bunch of versions ago, but apparently it only applies to certain cases.

These are two completely different problems. You could use SQRL as a solution, but I wouldn't advise it.

I've gone through background.js a few times and it really isn't clear to me how to go about this. I can see the point you're talking about, but this needs to be a multi-step process after getting the user input: Read the encrypted identity from browser extension storage (I'm not sure exactly...

Personally, I don't think it's a great idea to make people type in the Rescue Code too often. Just more opportunities for keyloggers etc. Secrecy of the RC is crucial. But I think we at least need to be able to change passwords, and create a new password from the RC. The QuickPass would also be...

I could start with something relatively straightforward, like importing an identity with the password instead of requiring the Rescue Code.

Sounds great!

Is there a design document or something like that? With a lot of things being closed down due to coronavirus fears, I'll probably have some time to contribute to projects, but looking at the code I don't really see how to go about adding one of these new features into the design.

The web server running SQRL would allow it to communicate to websites using the SQRL API, which is incredibly easy for websites to implement. Alternately, a separate SQRL service/daemon would do the same thing. That's how this forum is set up, in fact.

I think you're just making things harder for yourself if you do it that way. It's easier IMO to have a single secure passphrase you use for all your SQRL clients. If you're worried about situations like a phone where it's easier to type, just make it a 5 diceword passphrase. It's not that...

The main issue is, we need servers to implement it so users can use it. But there just aren't enough server solutions right now. We need solutions as close to drop-in as possible for PHP and other server platforms. It does no good to convince a website to use it only for them to say "How do we...

The only part that requires HTTPS is the SQRL connection. The rest can be HTTP.