[Linuxtrent] Re: Reflection on the OpenSSL bug and open source

  • From: Roberto Resoli <roberto@xxxxxxxxxxxxxx>
  • To: linuxtrent@xxxxxxxxxxxxx,Guido Brugnara <gdo@xxxxxxxxx>
  • Date: Sat, 12 Apr 2014 21:23:21 +0200

On 12 April 2014 14:30:05 CEST, Guido Brugnara <gdo@xxxxxxxxx>

...

>It is in any case possible not to transmit the password in the clear, not even
>over SSL, by having a hash generated on the client (using JavaScript)

This does not improve security in any way:

https://crackstation.net/hashing-security.htm

"
In a Web Application, always hash on the server

If you are writing a web application, you might wonder where to hash. Should 
the password be hashed in the user's browser with JavaScript, or should it be 
sent to the server "in the clear" and hashed there?

Even if you are hashing the user's passwords in JavaScript, you still have to 
hash the hashes on the server. Consider a website that hashes users' passwords 
in the user's browser without hashing the hashes on the server. To authenticate 
a user, this website will accept a hash from the browser and check if that hash 
exactly matches the one in the database. This seems more secure than just 
hashing on the server, since the users' passwords are never sent to the server, 
but it's not.

The problem is that the client-side hash logically becomes the user's password. 
All the user needs to do to authenticate is tell the server the hash of their 
password. If a bad guy got a user's hash they could use it to authenticate to 
the server, without knowing the user's password!
"
>such that it has a limited validity in time.

Here I did not understand what you mean.

>Then in the real world there are still people who store passwords in the clear
>in the DB :-(

Well, sure, there is a bit of everything out there.

rob

-- 
To subscribe (or unsubscribe), just send a message with the SUBJECT
"subscribe" (or "unsubscribe") to mailto:linuxtrent-request@xxxxxxxxxxxxx

