(NOTE: the security hole in the original version of DSSID has been fixed. DSSID is now safe to use (as far as I know). If you find another security flaw (or any other bugs) please let me know.)
DSSID puts an RSA key in your browser so that you can log into sites without a user name and password. Your key becomes your identity. You still have a password, but it is only used to encrypt your key for extra security. Authentication does not depend on your password. Neither your key nor your password ever leave your machine, so even if hackers break into a site they can't steal your login credentials. DSSID can be the last login system you will ever need.
The easiest way to learn about DSSID is to try our demo. It won't look like much (there's no eye candy) but take a look at the source code to see how little of it there is.
<a href=https://secure.dswi.net/dssid/auth?url=CALLBACK_URL&ri=REQINFO>
where CALLBACK_URL is the url of your site, and REQINFO is a comma-separated list of additional information you are requesting like name and email (which are the only two items that are currently supported). In fact, you can copy the source of the demo page onto your own server, or even just onto your hard drive and it should still work (the demo uses Javascript to fill in the CALLBACK_URL field automatically). A user clicks on this link, which directs them to the DSSID site. They authenticate themselves, and their browser is then forwarded to the CALLBACK_URL along with a session identifier (SESSION_ID).
The last step in the process is to verify that the invocation of CALLBACK_URL was legitimate (because anyone can generate a link to CALLBACK_URL, not just the DSSID server). To do that, your application does an HTTP GET on:
https://secure.dswi.net/dssid/verify?sid=SESSION_ID
where SESSION_ID is the value that was sent as the form parameter to your CALLBACK_URL. If the session ID is valid, the DSSID server responds with "valid" plus a list of additional key-value pairs including the user's ID, a time stamp, and any additional information requested like name and email address, e.g.:
valid timestamp: 1348633351.79 uid: BWZDCYMEQR6VCISJKJKGDPBQ75R2F7XV name: Joe User sid: 72ZV7YXMJSHN35DG6RWSZHZWAPXCRGDLThat's it! No more password management, no more choosing a user name, no more "Sorry, that user name is unavailable."
In order to keep your private key secure, it is locally encrypted using AES-128.
NOTE: The "keep me logged in" feature at the moment keeps an unencrypted copy of your key in your browser's sessionStorage. This is a possible security risk because, while sessionStorage is supposed to be secure, it is actually not that hard to compromise. In particular, a malicious browser plug-in can easily access sessionStorage. If there is even the remotest change that you may have installed a malicious browser plug-in, or if you just want to be extra careful, do not use "keep me logged in" until I've had a chance to come up with a more secure implementation.
Please send comments and feedback to me at |
![]() |