How do you send a password over the internet? You acquire a SSL certificate and let TLS do the job of securely transporting the password from client to server. Of course it’s not as cut-and-dry as I’m making it out to be, but the gist of it holds true and stood the test of time. This hasn’t always been this way though, and one incredibly popular storefront on the world wide web prefers to add a little extra to this day. I’ll be discussing Steam’s unique method of logging in their users, and go down a deep rabbit hole of fascinating implementation details.
Not exactly my cup of tea, but if there’s one thing I’ve learned over the years here at OSNews, it’s that the most obscure stuff can generate a lot of interest. So, here you go.
Browsers send passwords the same way as any other input fields and assume the transport layer encrypts it. Although widespread, this is not a great practice because it allows the website administrators to see the password and believe it or not this isn’t ideal. It’s better that the password be hashed and that not even the administrators can see it, and when I first glimpsed this article this is what I thought they were going to do. But no, they’re just applying RSA encryption.
As to why…well one problem with SSL certs is that we place a lot of trust in the CAs that sign them, some of which have broken this trust in the past. And while they’d probably never target Steam’s service, in general a certificate authority can conduct a successful man in the middle attack pretty easily (and using bog standard software like “squid”). So by relying on SSL, websites put the security of their user data in the hands of certificate authorities that we hope are trustworthy. Even CAs that are genuinely acting in good faith can make mistakes and some certificates have been granted for fraudulent parties.
By using their own encryption inside the SSL/TLS tunnel they make it harder still to get the data. But assuming the man in the middle attacker is able to modify contents in addition to simply decrypting it, they can technically use their access to replace steam’s RSA key with their own keys…so while it’s more difficult, it’s of limited benefit.
I’m not familiar with it, but my guess is that it may be a simple case of the steam client already using their home built RSA protocol. Then when they added the ability to login via the website they decided to keep the same authentication infrastructure/APIs and porting their RSA algorithm to the browser. So all this may have been done this way simply to be compatible with the steam client.