Comparing Hashed Passwords - Part 2
-
Joking again? (That's precisely what HTTPS does.)
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
No, not joking. HTTPS has been proven insecure (there was a big kerfuffle over that realization a couple of years ago), so why solely rely on it? It shouldn't be difficult to set up.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
-
John Simmons / outlaw programmer wrote:
HTTPS has been proven insecure
That's a pretty bold claim. Do you have a link to back that up?
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
There were some protocol downgrade attacks, but that should not happen on a modern machine. So, which insecurity?
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
-
I don't recall specifically. In the end, there's absolutely nothing wrong with an additional layer of security. I was just tossing the idea out there.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
-
Richard Deeming wrote:
That's a pretty bold claim. Do you have a link to back that up?
No, but I'm almost positive you have access to google. I don't recall the specifics.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
-
I've seen a few conspiracy nuts claiming that HTTPS is an NSA / Google plot to destroy the internet, but their claims are just laughable. :) Troy Hunt: Don't Take Security Advice from SEO Experts or Psychics; HTTPS Anti-Vaxxers; dispelling common arguments against securing the web. Beyond that, as Eddy said, there were a couple of downgrade attacks which would make your request slightly less secure - but still more secure than not using HTTPS in the first place. Those have been fixed now, but I suppose there could be others which haven't been discovered yet. But as Griff said, encrypting things in Javascript means the encryption key has to be public, so it doesn't really add any benefit.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
John Simmons / outlaw programmer wrote:
In the end, there's absolutely nothing wrong with an additional layer of security.
There is! It adds complexity, a point of failure, and hence, a point of attack. Think of it as using two condoms; you think you're safer, while the integrity of both rubbers is not guaranteed.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
-
Richard Deeming wrote:
encrypting things in Javascript
We're in the C# forum, so you'll have to excuse the assumption that we were talking about C#. JavaScript is evil and should be avoided at all costs. I equate it to using Active-X in regard to evility.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
-
OriginalGriff wrote:
If it's a website, …
I was assuming we were talking about a website, where encrypting things on the client would mean using Javascript. I guess it's true what they say about "assume". :laugh:
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Trouble is that when you start talking about passwords, and "back end" or client / server architecture, nearly all the time you are talking about a javascript based client (which while execrable is vastly safer than Active-bloody-X was) - and that means public source code, and public encryption. Nasty. X|
Sent from my Amstrad PC 1640 Bad command or file name. Bad, bad command! Sit! Stay! Staaaay... AntiTwitter: @DalekDave is now a follower!
-
You're confusing specific issues with general insecurity. HTTPS over SSL has been prohibited. TLS should use version 1.2 or later (with no fallback to SSL). Heartbleed was a vulnerability in OpenSSL's implementation of TLS heartbeats, which has been fixed. HTTPS over TLS is secure (for now; all security can, and will, be broken in time).
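The rule in the last post, TLS 1.2 or later with no fallback to SSL, written out as an added Python example that is not code from this thread or from any of its posters. It builds a server-side `ssl.SSLContext` that enforces that rule next to a permissive one that still admits TLS 1.0/1.1, and audits both. The function names are my own; the audit inspects the configured version floor and options only, it does not perform a live handshake, and whether the permissive context can actually negotiate TLS 1.0 depends on the local OpenSSL build.

```python
import ssl

# Added example, not from the thread. Audits what a Python ssl.SSLContext is
# configured to accept and builds one matching "TLS 1.2+, no SSL fallback".
# Configuration check only; no network or handshake is performed.


def permissive_server_context() -> ssl.SSLContext:
    """A context in the legacy shape: version floor lowered as far as OpenSSL allows.

    SSLv2/SSLv3 remain blocked because Python sets OP_NO_SSLv2/OP_NO_SSLv3 on
    every context, but TLS 1.0 and 1.1 are reachable if the local OpenSSL
    build still supports them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2 or later only, with compression and renegotiation switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression enables CRIME-style leaks
    # OP_NO_RENEGOTIATION is absent on very old OpenSSL builds; 0 is a no-op there.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the protocol policy a context is configured with."""
    min_v = ctx.minimum_version  # a ssl.TLSVersion; MINIMUM_SUPPORTED is below TLSv1
    return {
        "minimum_version": min_v.name,
        # anything below TLSv1_2 (including MINIMUM_SUPPORTED) admits TLS 1.0/1.1
        "legacy_tls_allowed": min_v < ssl.TLSVersion.TLSv1_2,
        "sslv3_blocked": bool(ctx.options & ssl.OP_NO_SSLv3),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def meets_policy(ctx: ssl.SSLContext) -> bool:
    """True when the context satisfies: no SSL, no TLS below 1.2, no compression."""
    a = audit_context(ctx)
    return a["sslv3_blocked"] and not a["legacy_tls_allowed"] and a["compression_disabled"]


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_server_context()),
                       ("hardened", hardened_server_context())):
        print(label, audit_context(ctx), "policy ok:", meets_policy(ctx))
```

The same floor applies on the client side: a client built with `ssl.create_default_context()` on a current Python already refuses anything below TLS 1.2, so a server that still offers TLS 1.0 gains nothing from it except exposure to the downgrade attacks mentioned earlier in the thread.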