[thelist] md5 javascript
Dejan Kozina
dejan at kozina.com
Tue Sep 25 14:17:50 CDT 2007
Might be *somewhat* useful, if what you want is to prevent a
"man-in-the-middle" attack on your login password from *casual* traffic
lurkers without having to set up SSL on your server.
The thing is supposed to work this way:
1) You create an account on the server (securely, I hope). Your password
is hashed server-side with one of the proposed methods. Only the hash is
stored in the database.
2) You log into the website filling in the classic username/password
form. A script takes your password field value, hashes it and sends to
the server only the hash (and the username, of course). The server
matches the hash with the one in the database - they're the same, you
log in without sending your password thru the wires.
The good part:
- your password doesn't have to go anywhere, so anybody peeking at your
network traffic won't have it served on a silver plate in plaintext;
- your password is not stored in plaintext server-side.
The bad part:
- disable client-side scripting and you either won't be able to login or
the password will be sent in plaintext anyway;
- any attacker with enough reason to want your password and able to
catch your network traffic wouldn't indeed need to know your password:
he could simply create a fake form that sends your username and *the
password hash* to the server.
Further reasoning on it:
- while you can't mathematically 'un-hash' a hashed string, you can
indeed brute-force a short enough string hash: google for 'rainbow
tables' and be duly worried;
- the source code being exposed means nothing: all decent hashing methods
have been open source or otherwise public for a long time anyway both
in concept and in practical implementations for many languages. Your
security comes from the mathematical properties of MDx and SHA-x, not
the code being secret (this would be the infamous "security thru
obscurity" approach, which is a big no-no in all things crypto).
In the end: it might hide your password from your workmate playing
around with Ethereal. If you need real security, go SSL.
And I managed to write all this without having to look up the correct
spelling of the 'algo, or algho...' thing (I'm lazy).
djn
Fred Jones wrote:
>> i'm iffy about it, as its plain text JS and can be (not so) easily
>> reverse engineered, no?
>
> JS without question exposes all of its code to the browser. There are
> server side tricks one can do to hide it from other user agents, but
> anyone who knows what they're doing can definitely get it.
>
> If you think about it--your browser reads the JS code and parses it, so
> it's already been downloaded onto your machine. :)
>
> Fred, no JS nor security expert
--
-----------------------------------------
Dejan Kozina Web design studio
Dolina 346 (TS) - I-34018 Italy
tel./fax: +39 040 228 436 - cell.: +39 348 7355 225 skype: dejankozina
http://www.kozina.com/ - e-mail: dejan at kozina.com