[thelist] md5 javascript

Dejan Kozina dejan at kozina.com
Tue Sep 25 14:17:50 CDT 2007

Might be *somewhat* useful, if what you want is to prevent a 
"man-in-the-middle" attack on your login password from *casual* traffic 
lurkers without having to set up SSL on your server.

The thing is supposed to work this way:
1) You create an account on the server (securely, I hope). Your password 
is hashed server-side with one of the proposed methods. Only the hash is 
stored in the database.
2) You log into the website filling in the classic username/password 
form. A script takes your password field value, hashes it and sends to 
the server only the hash (and the username, of course). The server 
matches the hash with the one in the database - they're the same, you 
log in without sending your password thru the wires.

The good part:
- your password doesn't have to go anywhere, so anybody peeking at your 
network traffic won't have it served on a silver plate in plaintext;
- your password is not stored in plaintext server-side.

The bad part:
- disable client-side scripting and you either won't be able to login or 
the password will be sent in plaintex anyway;
- any attacker with enough reason to want your password and able to 
catch your network traffic wouldn't indeed need to know your password: 
he could simply create a fake form that sends your username and *the 
password hash* to the server.

Further reasoning on it:
- while you can't mathematically 'un-hash' a hashed string, you can 
indeed brute-force a short enough string hash: google for 'rainbow 
tables' and be duly worried;
- the source code being exposed means nothing: all decent hashing method 
  have been open source or otherwise public for a long time anyway both 
in concept and in practical implementations for many languages. Your 
security come from the mathematical proprieties of MDx and SHA-x, not 
the code being secret (this would be the infamous "security thru 
obscurity" approach, which is a big no-no in all things crypto).

In the end: it might hide your password from your workmate playing 
around with Ethereal. If you need real security, go SSL.

And I managed to write all this without having to look up the correct 
spelling of the 'algo, or algho...' thing (I'm lazy).


Fred Jones wrote:
>> i'm iffy about it, as its plain text JS and can be (not so) easily 
>> reverse engineered, no?
> JS without question exposes all of its code to the browser. There are 
> server side tricks one can do to hide it from other user agents, but 
> anyone who knows what they're doing can definitely get it.
> If you think about it--your browser reads the JS code and parses it, so 
> it's already been downloaded onto your machine. :)
> Fred, no JS nor security expert
Dejan Kozina Web design studio
Dolina 346 (TS) - I-34018 Italy
tel./fax: +39 040 228 436 - cell.: +39 348 7355 225 skype: dejankozina
http://www.kozina.com/  - e-mail: dejan at kozina.com

More information about the thelist mailing list