Hey all,
I am a Security Now podcast listener and am new to security. I do web development and after hearing about SQRL I had an idea for a feature I think would be neat.
The idea is to remove web server data security management by leaving it to the SQRL clients. Let's say the a webpage wants to send secure data back to the server. The process would work like this:
1) The webpage makes a call to a SQRL API client side that does the following:
- accepts the plaintext data as input
- returns the ciphertext (how the data gets encrypted with the user's identity is beyond my knowledge)
- from my understanding, the SQRL clients register the sqrl:// protocol, so adding a new route should be possible
2) The webpage then sends the encrypted data to the server. This allows the server to care far less about securing that data because even if it gets out it is worthless to anyone but this specific SQRL user.
3) When a webpage wants to get the plaintext data back they can make a second SQRL API to reverse the process
I think SQRL alone is awesome but an additional feature like this, I believe, would give developers an even greater reason to start using it, as securing data is one of the most difficult things to manage in organizations. Furthermore, using SQRL to manage secure data both forces users to use SQRL more and puts a user's data security in their own hands instead of having to depend on organizations.
Let me know if this is even possible to do using a SQARL identity,
Thanks,
John Gagliardi
I am a Security Now podcast listener and am new to security. I do web development and after hearing about SQRL I had an idea for a feature I think would be neat.
The idea is to remove web server data security management by leaving it to the SQRL clients. Let's say the a webpage wants to send secure data back to the server. The process would work like this:
1) The webpage makes a call to a SQRL API client side that does the following:
- accepts the plaintext data as input
- returns the ciphertext (how the data gets encrypted with the user's identity is beyond my knowledge)
- from my understanding, the SQRL clients register the sqrl:// protocol, so adding a new route should be possible
2) The webpage then sends the encrypted data to the server. This allows the server to care far less about securing that data because even if it gets out it is worthless to anyone but this specific SQRL user.
3) When a webpage wants to get the plaintext data back they can make a second SQRL API to reverse the process
I think SQRL alone is awesome but an additional feature like this, I believe, would give developers an even greater reason to start using it, as securing data is one of the most difficult things to manage in organizations. Furthermore, using SQRL to manage secure data both forces users to use SQRL more and puts a user's data security in their own hands instead of having to depend on organizations.
Let me know if this is even possible to do using a SQARL identity,
Thanks,
John Gagliardi