shadowsocks / shadowsocks-windows

A C# port of shadowsocks

please save sha-1 value instead of origin password in gui-config.json #1221

Closed dongzhuoer closed 7 years ago

dongzhuoer commented 7 years ago

As of 4.0.4, shadowsocks-windows saves the password in clear text in the gui-config.json file. I think it's very unsafe, since others may look for the file and learn your password. If you use the same password for many other accounts, it will be a catastrophe. Maybe shadowsocks-windows can save the sha-1 value so as to protect the user's password.

wongsyrone commented 7 years ago

Protecting gui-config.json has always been the user's own responsibility. Besides, passwords have never been stored in any hashed form.

wongsyrone commented 7 years ago

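Because this password is needed to generate the master key, if we used a hash as you suggest, how would we get the original value back? Hashes are generally one-way, while encoding is reversible, but encoding and then decoding seems pointless; it would only add code to handle something meaningless.

Also, shadowsocks-libev does not have the protection mechanism you describe, and neither does the Python version, which is the reference implementation.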

dongzhuoer commented 7 years ago

Ok. Then at least shadowsocks-windows should tell users that their password is saved in clear text in the gui-config.json file. I prefer to announce it in the readme.md file.

dongzhuoer commented 7 years ago

You can edit the server program. Client and server both use sha-1 value to communicate.

wongsyrone commented 7 years ago

> shadowsocks-windows should tell users that their password is saved in clear text

It has been done this way since the very beginning, back in clowwindy's era.

wongsyrone commented 7 years ago

> Client and server both use sha-1 value to communicate.

How is that any different from setting the same random string on both ends?

dongzhuoer commented 7 years ago

The user can set a password on the server and remember it. When he wants to add a new device or reinstall the OS on a device, he can use the password, rather than log in to the server and copy that random string.

dongzhuoer commented 7 years ago

I understand that adding code is a hard thing. I mainly argue for adding an explanation for beginners.

breakwa11 commented 7 years ago

This requirement is not valid.
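The trade-off debated in this thread, as an added example (not code from shadowsocks-windows or from any commenter): it compares what a reader of the config file can derive when the file holds the password versus its SHA-1 hex digest. It assumes an MD5-chained, EVP_BytesToKey-style password-to-key derivation and a constructed one-field config; all function names are hypothetical.

```python
import hashlib
import json

def evp_bytes_to_key(secret: bytes, key_len: int = 32) -> bytes:
    """MD5-chained derivation in the style of OpenSSL EVP_BytesToKey
    (no salt, one round). Assumed here as the password-to-master-key step."""
    out, block = b"", b""
    while len(out) < key_len:
        block = hashlib.md5(block + secret).digest()
        out += block
    return out[:key_len]

def sha1_hex(password: str) -> str:
    """Value the proposal would store instead of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def key_from_config(config_text: str) -> bytes:
    """Master key derivable by anyone who can read the config file."""
    secret = json.loads(config_text)["password"]
    return evp_bytes_to_key(secret.encode("utf-8"))

def analyse(password: str) -> dict:
    # Constructed, minimal config fragments; only the "password" field is modelled.
    current = json.dumps({"password": password})
    proposed = json.dumps({"password": sha1_hex(password)})
    # Unpatched server derives from the password; patched server from its digest.
    server_unpatched = evp_bytes_to_key(password.encode("utf-8"))
    server_patched = evp_bytes_to_key(sha1_hex(password).encode("utf-8"))
    return {
        # Today: the file holds the password, so it yields the key.
        "current_file_yields_key": key_from_config(current) == server_unpatched,
        # Digest-only client cannot talk to a server that still uses the password.
        "proposed_works_with_unpatched_server": key_from_config(proposed) == server_unpatched,
        # With both ends patched, the stored digest is itself the shared secret.
        "proposed_file_yields_key": key_from_config(proposed) == server_patched,
        # What the proposal does achieve: the original password is not in the file.
        "proposed_file_contains_password": password in proposed,
    }

if __name__ == "__main__":
    for name, value in analyse("constructed-sample-password").items():
        print(f"{name}: {value}")
```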