I wish it helps you :)
Hey - thanks for the security update! I've looked for javascript hashing routines, but didn't find what I thought would work. This one has potential, however, in order to keep OneFileCMS - one file, I'm gonna try to incorporate this (or other) code directly into onefilecms.php, instead of linking to an external file.
However, a larger consideration is, according to all of the material on web security I've read, that encrypting/hashing anything with javascript is futile and provides no security benefit. It has to do with the fact that, outside of an SSL/TLS encrypted connection, packets are still "in plain text". That is, even though what you consider to be your password has been hashed and is not visible, the hash itself becomes the actual password as far as the server is concerned. So, someone sniffing your wifi packets, for instance (if they are unencrypted), can just grab and then use the hashed password to access your account (in this case, onefilecms).
On the other hand, I'm still going to look for a good javascript hash routine because there is a small benefit to client side javascript hashing that most of the security literature seems to ignore, and that is: even if someone is able to grab the hashed password and use it to access whatever account you are using at that moment, the unhashed password is still unknown, so if you use that same (unhashed) password for other accounts, they are still secure. However, that assumes a reasonably secure hash routine is used. That is, a hash routine that can't be easily brute forced to determine the password that created a hash, and SHA-1 is not considered to be such a routine, unfortunately.
In any case, thanks again for the Spanish translation!
Oh, now I see. Anyway, I wanted to obfuscate the password a little, so no one can see that my password is "123456", for example. Your project helped me so much, and I saw this as a way to help you, so my only intention was to help you with your To-Do notes, I'm sorry. Maybe, I'll translate the language to Esperanto, but I'm not that good at Esperanto. I'll try my best :)
Suggestions are always appreciated. Even when they are not used, good ideas still come from them.
I understand the desire to obfuscate the password, which is why I ended up doing a LOT of reading on the subject, and it took a while for me to realize the security limits of a non-SSL connection. I hope my earlier comment didn't sound discouraging, I just wanted to share what little knowledge I have on the subject. As for Esperanto - that would be awesome! I'm not sure how many web programmers out there speak it, but, you never know!
Hello Fernando!
I just wanted to say thanks again for the Spanish translation. And, ummm... if you have the time, to ask if you could translate some new lines? There are only a couple...
...dozen. :)
If you don't have the time or whatever, no worries, I'll just use some online translation website - those are accurate, right??
In any case, thanks!
David
PS: file attached
Hello! Thanks for contacting me. I appreciate it a lot. I can translate the new lines, but you need to give me some time... (like a week). Please, don't use online translators. They suck! They're not just wrong, they're terrifying!
Thanks! No hurry - take your time. (Courtesy of Google Translate...)
----- Original Message ----- From: Fernando Mumbach Sent: 08/14/12 05:33 PM To: Self-Evident/OneFileCMS Subject: Re: [OneFileCMS] Added security to login page! (#10)
I encrypted the login password to sha1, so the data is not sent as clear text. If you send the password "password", the data will be sent as "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", and the server uses it as password (the server encrypts the "real" password automagically too)
I did it because of this:
Connection is not encrypted (doesn't use SSL), so passwords & usernames are sent in clear text during login. (However, this is true of most online login systems, unless SSL or the like is employed.)