About

Do you remember your last time working on a new machine, typing thousands of passwords on every website you wanted to visit? Wouldn’t it be wonderful if you could authenticate once and then just say: yes, it’s me again, I said it a moment ago, I’d like to talk with you now…?

Talk…? Talking is one of the most popular ways of using the Internet. But - for some reason - you don’t need to provide your password every time you want to talk with another person. Somehow they know that it’s you. So why don’t HTTP servers know? And why not teach them how to do this?

There already exists a protocol (JEP-0070) which enables an HTTP server to verify HTTP requests via XMPP. It describes how an HTTP server can take advantage of the strong authentication provided by XMPP and simply associate an (until now) unknown user clicking a link in a browser with a well-known and “well-authenticated” XMPP user.

And now, imagine that your browser acts like an (invisible) XMPP client. Sure, it will need to know your password, but this is just one password (and it’s not a same-password-everywhere solution!). In exchange for this one password, your XMPP-enabled HTTP browser could automatically confirm all your HTTP requests in the background! You don’t need to send any password to the HTTP server; just tell the server: yes, I’m a happy Jabber user! and everything else will happen automatically.

Project

This page is dedicated to a Summer of Code 2006 project, which aims to implement JEP-0070 in the way described above. The components include:

  • Firefox extension: It will understand the server’s offer to use this protocol and provide all data needed to start the authentication (like the user’s JID). At the same time, it will act as an invisible XMPP client which automatically confirms the requests: this way, the only user action needed to authenticate will be to provide their JID.
  • Apache HTTPD module: It will ask the user for their JID, pass it to the XMPP server and then serve the requested resource (or not, if confirmation fails ;) ).
  • XMPP server component: It will ask the user to confirm the request made to the HTTP server.
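The handshake these three components carry out, as an added example in Python (not code from this project): the HTTP side records the pending request under a random transaction id, the XMPP component builds the <confirm/> stanza for the user, and the user’s answer is accepted only if it echoes that exact request, once, before it expires. The 'http://jabber.org/protocol/http-auth' namespace and the confirm element are taken from JEP-0070; the in-memory PENDING store, the 120-second lifetime and the sample JID and URL are assumptions of this example.

```python
# Added example (not the project's own code): server-side model of the
# JEP-0070 confirmation. Assumptions: an in-memory pending-request table and
# a 120-second lifetime for each challenge.
import secrets
import time
import xml.etree.ElementTree as ET

NS = "http://jabber.org/protocol/http-auth"   # namespace defined by JEP-0070
PENDING = {}            # transaction id -> (bare jid, method, url, expiry)
TTL_SECONDS = 120

def bare(jid):
    """Drop the resource: juliet@example.org/balcony -> juliet@example.org."""
    return jid.split("/", 1)[0].lower()

def start_confirmation(jid, method, url, now=None):
    """HTTP server side: remember the request the user asked for and build
    the IQ the XMPP component sends to that user's JID for confirmation."""
    now = time.time() if now is None else now
    tid = secrets.token_hex(16)           # unguessable, single-use id
    PENDING[tid] = (bare(jid), method.upper(), url, now + TTL_SECONDS)
    iq = ET.Element("iq", type="get", to=jid, id=tid)
    ET.SubElement(iq, f"{{{NS}}}confirm", id=tid, method=method.upper(), url=url)
    return tid, ET.tostring(iq, encoding="unicode")

def check_confirmation(iq_xml, now=None):
    """XMPP component side: does the user's reply authorize the pending HTTP
    request? True only for an unexpired, exact, first-time match; anything
    else (decline, replay, wrong user, different URL or method) is refused."""
    now = time.time() if now is None else now
    iq = ET.fromstring(iq_xml)
    confirm = iq.find(f"{{{NS}}}confirm")
    if confirm is None or iq.get("type") != "result":
        return False                      # type='error' means the user declined
    entry = PENDING.pop(confirm.get("id"), None)   # one-shot: replays find nothing
    if entry is None:
        return False
    jid, method, url, expires = entry
    return (now <= expires
            and bare(iq.get("from", "")) == jid
            and confirm.get("method") == method
            and confirm.get("url") == url)
```

The same id appears in the browser's challenge and in the user's XMPP client, so a user can compare them before confirming; the server must never accept a reply for an id it did not issue.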

Why would users like this?

As already mentioned in the introduction, any way to reduce the number of passwords a user needs to remember is a blessing. There are many methods to achieve this, but only the solution described here has this unique combination of features:

  • same info everywhere: simply provide the same JID for every site; this can compete even with the so widely used, so insecure same-password-everywhere technique
  • same power everywhere: your XMPP account becomes a universal key which is always with you
  • no passwords on the wire: there are no passwords at all
  • one click to authenticate: just send your JID to the HTTP server (your XMPP-enabled browser will confirm your requests)