I want to say that I appreciate Steve Gibson’s effort. We really need an easy way to create new accounts while protecting our privacy. I would love it if SQRL succeeded. Thinking about new ways to provide privacy and anonymity is critical for an Internet Society.
After some of the responses to my previous post, I felt I should elaborate on my first post about SQRL and email – and why it’s a problem. If I see a problem, it is my duty to speak up and encourage further discussion. That’s how technology improves.
This post elaborates on the first issue I raised – about SQRL and email. I’m going to start by including some of the original words by Steve:
Steve Gibson says in SecurityNow #424:
There may be places where we really need anonymity or just places where it’s not important that we be known, like making a posting to some random blog. I mean, I know that sometimes I’ll see someone’s blog posting, and I’ll note some errors that’ll stimulate me to want to reply. And so I start to reply, and suddenly it’s like, oh, you have to create an account. And it’s like, oh, my goodness. Then they want my email address, and I have to send them – then I’m going to get a link and have to verify myself, and they’re going to want this information. And I just say forget it. It’s not worth the overhead of having to essentially decloak myself for this, just to make a posting to someone’s blog.
(Emphasis is mine). I wanted to point out this passage because it helps describe the goal of SQRL. And in SecurityNow #425, Leo asks:
It is a way of using either QR codes or some other secret that’s shared, authenticating yourself to web pages without giving – anonymously, effectively, without giving the web page any other information about you – right? – and not using a third-party service.
And Steve responds with “Right”.
And to make this point clear – SQRL lets you create an account without using an email address (a third-party provider). It also lets you log in a second time using the same process. There are several advantages to SQRL when used this way:
- An email is not necessary
- Your identity is hidden and your privacy is protected
- You don’t have to worry about thinking up a unique username
- You don’t have to worry about picking a bad password
- You don’t have to worry about account collisions (people with the same account name)
- It’s easy and almost seamless (just a click) to create the account.
I love the idea! But first – let’s examine the practicality of such a mechanism. Let’s assume for the moment that the protocol as described by Steve is perfect. But to be practical, it has to be useful for both the client (the end user) and the server (the owner of the web site). Any technology that focuses solely on one side of this balancing act won’t succeed.
You see, my primary concern is not with the technology, but with the usability – especially from the perspective of the web site owner. Here’s one of the important questions a web-site owner must consider:
“How can I distinguish between a human and a spambot?”
The trouble is – SQRL by itself does not prove that you are a human. You can be a piece of software used by a spammer who wants to flood a web site with web spam. In the blink of an eye, comments on a blog can be filled with advertisements for Viagra, weight loss products, etc. How can a web site owner prevent this? This topic came up in SecurityNow #425:
Leo: [SQRL] doesn’t change any of the stuff that a website would normally do. It could, or it doesn’t have to. Just as Facebook Connect, same thing. I mean, this is all – yeah. This is not new stuff. Now, I do find the spam question interesting. Is it possible, it would be, wouldn’t it, to robotically generate these logins?
Steve: Yes. So it does, yes, [SQRL] does nothing to defeat spam or spammers. You could just invent keys and just come in as a billion different individual people.
Steve admits that spambots are a problem for SQRL. Steve does say that website owners can use an email loop as a verification, or a CAPTCHA, if they want to prevent spammers. Problem solved, right? Not really. CAPTCHA systems can be defeated. Check the Wikipedia entry on defeating CAPTCHA. But even more importantly, CAPTCHA systems can be defeated by low-paid “data entry specialists” in 3rd world countries, earning $50 a week typing in responses to prove to the web sites that the new accounts have a human associated with them. (See this Data Processing Job for an example.) In other words, CAPTCHA technology doesn’t eliminate spammers. Ask yourself how many web sites ask for an email address to verify that you are human. In my experience, 95% of the web sites ask for an email instead of a CAPTCHA. There’s a very good reason for this – the web site uses a third party’s capability to detect and eliminate accounts attached to a spambot.
And Steve and Leo agree with this because they said:
Leo: Well, it allows anonymity. But it’s not a requisite. I mean…
Steve: Correct, correct. So, for example, it’s a token that never changes that represents a user. A forum could require nothing but it, or they could still require an email address loop confirmation, or, more probable, a CAPTCHA. I mean, you might still require a CAPTCHA. Or you might use a CAPTCHA just once per ID, per SQRL ID. And as long as it’s not abused, as long as there are not too many incoming posts, then you would, like, not require a CAPTCHA every time. What this does is it provides a secure assertion of who you are to a website. What they choose to do with it is up to them.
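The policy Steve describes in the quote above (a CAPTCHA once per SQRL ID, repeated only when there are too many incoming posts) can be sketched from the web site owner's side. This is an added example, not code from SQRL or from the podcast; the class name, thresholds and the opaque string IDs are assumptions made for illustration.

```python
import time
from collections import deque

class SqrlPostGate:
    """Per-SQRL-ID posting policy: CAPTCHA once, re-challenge on high volume."""

    def __init__(self, max_posts=5, window_s=600):
        self.max_posts = max_posts   # posts allowed per window before a re-challenge
        self.window_s = window_s     # sliding window length in seconds
        self.verified = {}           # SQRL ID -> deque of recent post timestamps
        self.challenges = 0          # CAPTCHAs issued so far

    def check(self, sqrl_id, now=None):
        """Return 'captcha' if a challenge must be solved first, else 'allow'."""
        now = time.time() if now is None else now
        posts = self.verified.get(sqrl_id)
        if posts is None:            # unknown ID: keep no state until it verifies
            self.challenges += 1
            return "captcha"
        while posts and now - posts[0] >= self.window_s:
            posts.popleft()          # forget posts that fell out of the window
        if len(posts) >= self.max_posts:
            del self.verified[sqrl_id]   # volume looks abusive: challenge again
            self.challenges += 1
            return "captcha"
        posts.append(now)
        return "allow"

    def captcha_solved(self, sqrl_id):
        """Call after the site's CAPTCHA check (not shown) succeeds for this ID."""
        self.verified[sqrl_id] = deque()

def simulate():
    """Constructed IDs: one returning commenter, then 100 never-seen IDs."""
    gate = SqrlPostGate(max_posts=3, window_s=60)
    returning = [gate.check("id-alice", now=0)]
    gate.captcha_solved("id-alice")
    returning += [gate.check("id-alice", now=t) for t in (1, 2, 3, 4)]
    fresh = [gate.check(f"id-new-{i}", now=10) for i in range(100)]
    return returning, fresh.count("captcha"), gate.challenges

if __name__ == "__main__":
    print(simulate())
```

The gate never asks for an email address, so the commenter stays anonymous, but every ID it has not seen before costs exactly one CAPTCHA, which makes the CAPTCHA the only barrier against a client that keeps presenting new keys.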
So we are all in agreement. No problem, right?
Well, yes there is. Go back to the beginning of this post. The unique advantage to SQRL is anonymity – the ability to create new accounts without using a third party. If you wanted a seamless solution, we already have solutions – Facebook connect, Google+, etc. But there goes your anonymity. That’s why SQRL is great – it provides anonymity. But once you attach an email to the account – you don’t have anonymity any longer. You might as well use Facebook or Google+, because they are seamless while SQRL with an email verification is not.
To summarize, the main advantage (IMHO) of SQRL to a web site user is anonymity, yet web site owners need anti-spam solutions that prevent this.
I summarized this in a table below, which describes eight different ways to create a new account. The ideal solution would have three “Yes’s” – but as you can see, there is no perfect solution. I wish there was. But nothing exists at this time.
|Seamless||No Third Party involvement||Prevents spambots|