What SQRL Apps Are You Using
-
For @Dashrender and others pushing the "hard to believe it's real" SQRL protocol that Steve Gibson talks about, what client side apps are you using? The information site has no details on implementation, nor does their community's links to a download page. There is minimal information about what SQRL is in theory, but I see no details of implementation. There is an Windows executable, but that doesn't help for something that is supposed to require a phone app.
So for the people pushing this security mechanism, how are you using it?
-
Nothing yet.
-
I'll do my best to just stop talking about it until it's dropped for public consumption.
-
@Dashrender said in What SQRL Apps Are You Using:
Nothing yet.
I think it's too early for this then. Reading all of the stuff I can find on it from Gibson himself, it appears to be a parody site. The website itself is a total joke and seems designed to make sure people know that it is a parody. The protocol was announced six years ago and no one seems to have talked about it since the original news sites were trolled back in 2013. The system from its description seems to solve no issue, just makes normal things that are easy today unnecessarily complex.
-
@Dashrender and I have been researching and I am pretty confident that SQRL was proposed and abandoned in 2013. All of the sites and info around it are from then, with no actual material updates. A few people are still talking about it, like this thread, but by and large it appears to have been so silly that everyone realized it would go nowhere and gave up six years ago. But sites stay up because you have to take them down for them to go away and so sometimes it looks like there is current info when there isn't.
-
This is the site for the code...
-
New images and PDFs being made, no SQRL stuff though.
-
What's seems odd to me (even though it probably isn't) is that there are no major players also working on this in tandem. If this is supposed to be the next iteration of anonymous login there are a ton of security adjacent vendors that would love this.
-
@coliver said in What SQRL Apps Are You Using:
What's seems odd to me (even though it probably isn't) is that there are no major players also working on this in tandem. If this is supposed to be the next iteration of anonymous login there are a ton of security adjacent vendors that would love this.
Nothing anonymous about it, we've been discussing that. Login and anonymous can't go together, it makes no sense. The act of logging in makes you not anonymous.
No one is working on it because it has no purpose that we've come up with yet.
-
-
-
@coliver said in What SQRL Apps Are You Using:
What's seems odd to me (even though it probably isn't) is that there are no major players also working on this in tandem. If this is supposed to be the next iteration of anonymous login there are a ton of security adjacent vendors that would love this.
No, they wouldn't because they can't make money off of it.
-
@scottalanmiller said in What SQRL Apps Are You Using:
No one is working on it because it has no purpose that we've come up with yet.
And Scott and I disagree with this.
If you can get users to use LastPass - which I'll admit is hard at best. You can get them to use this even easier solution - assuming everyone supports it.
-
@Dashrender said in What SQRL Apps Are You Using:
If you can get users to use LastPass - which I'll admit is hard at best. You can get them to use this even easier solution - assuming everyone supports it.
But it isn't easier, it's harder. There is no easier.
-
@Dashrender said in What SQRL Apps Are You Using:
If you can get users to use LastPass - which I'll admit is hard at best. You can get them to use this even easier solution - assuming everyone supports it.
But it is never easier, always harder. That's a big key to why it's a bad idea. There isn't any component of it that is easier than what we already have, but lots of pieces are much harder.
-
@Dashrender said in What SQRL Apps Are You Using:
@coliver said in What SQRL Apps Are You Using:
What's seems odd to me (even though it probably isn't) is that there are no major players also working on this in tandem. If this is supposed to be the next iteration of anonymous login there are a ton of security adjacent vendors that would love this.
No, they wouldn't because they can't make money off of it.
Actually they could, if it had any value. They could make a lot off of it. It's because it doesn't do anything useful that it has no value. OAuth already does all the good parts of SQRL and fixes the "not easy" problems.
-
@scottalanmiller said in What SQRL Apps Are You Using:
@Dashrender said in What SQRL Apps Are You Using:
@coliver said in What SQRL Apps Are You Using:
What's seems odd to me (even though it probably isn't) is that there are no major players also working on this in tandem. If this is supposed to be the next iteration of anonymous login there are a ton of security adjacent vendors that would love this.
No, they wouldn't because they can't make money off of it.
Actually they could, if it had any value. They could make a lot off of it. It's because it doesn't do anything useful that it has no value. OAuth already does all the good parts of SQRL and fixes the "not easy" problems.
No it doesn’t because oauth gives the control to that third party, it’s not trust no one.
-
@Dashrender said in What SQRL Apps Are You Using:
@scottalanmiller said in What SQRL Apps Are You Using:
@Dashrender said in What SQRL Apps Are You Using:
@coliver said in What SQRL Apps Are You Using:
What's seems odd to me (even though it probably isn't) is that there are no major players also working on this in tandem. If this is supposed to be the next iteration of anonymous login there are a ton of security adjacent vendors that would love this.
No, they wouldn't because they can't make money off of it.
Actually they could, if it had any value. They could make a lot off of it. It's because it doesn't do anything useful that it has no value. OAuth already does all the good parts of SQRL and fixes the "not easy" problems.
No it doesn’t because oauth gives the control to that third party, it’s not trust no one.
SQRL does that too.
-
@scottalanmiller said in What SQRL Apps Are You Using:
@Dashrender said in What SQRL Apps Are You Using:
@scottalanmiller said in What SQRL Apps Are You Using:
@Dashrender said in What SQRL Apps Are You Using:
@coliver said in What SQRL Apps Are You Using:
What's seems odd to me (even though it probably isn't) is that there are no major players also working on this in tandem. If this is supposed to be the next iteration of anonymous login there are a ton of security adjacent vendors that would love this.
No, they wouldn't because they can't make money off of it.
Actually they could, if it had any value. They could make a lot off of it. It's because it doesn't do anything useful that it has no value. OAuth already does all the good parts of SQRL and fixes the "not easy" problems.
No it doesn’t because oauth gives the control to that third party, it’s not trust no one.
SQRL does that too.
What no it doesn’t. You are the only one with your private key and everything is done on the fly based on that. No third party is ever involved.
-
@Dashrender said in What SQRL Apps Are You Using:
@scottalanmiller said in What SQRL Apps Are You Using:
@Dashrender said in What SQRL Apps Are You Using:
@scottalanmiller said in What SQRL Apps Are You Using:
@Dashrender said in What SQRL Apps Are You Using:
@coliver said in What SQRL Apps Are You Using:
What's seems odd to me (even though it probably isn't) is that there are no major players also working on this in tandem. If this is supposed to be the next iteration of anonymous login there are a ton of security adjacent vendors that would love this.
No, they wouldn't because they can't make money off of it.
Actually they could, if it had any value. They could make a lot off of it. It's because it doesn't do anything useful that it has no value. OAuth already does all the good parts of SQRL and fixes the "not easy" problems.
No it doesn’t because oauth gives the control to that third party, it’s not trust no one.
SQRL does that too.
What no it doesn’t. You are the only one with your private key and everything is done on the fly based on that. No third party is ever involved.
That's the impression that they like to give, but it doesn't work that way. To share identities or have any "easy" between sites, it is still sharing just like OAuth (Actually, they state that they are just extending OAuth.)
So with SQRL you always have to trust at least one source, and if you want the features that most people want, then you have to trust a third party as well. The SQRL key carries no info, so is nothing more than a cookie, so requires the same third party sharing that we have now,. It's just a cookie that doesn't automatically get conveyed between unrelated sites.