Page MenuHomePhabricator
Create Task
Maniphest T22187

Encrypted login with JavaScript to reduce password-sniffing risk for HTTP sites
Closed, DeclinedPublic
Actions

Description

We've done the occasional experiment based on using client-side hashing of the password, but implementing it means you have to be very careful about how you implement your password hashing and internal salting.

Greg Maxwell pointed out this cute little JavaScript RSA library: http://www.ohdave.com/rsa/

Using something like this would allow for submitting the password encrypted using a public key from the server; while this would not protect against any sort of active attack, it would prevent local network traffic sniffing from seeing plaintext passwords.

(Note that while an HMAC could help protect against replay, but you're still stuck with session hijacking.)

Version: unspecified
Severity: enhancement

Details

Reference
bz20187

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Low.Nov 21 2014, 10:57 PM
bzimport added a project: MediaWiki-User-login-and-signup.
bzimport set Reference to bz20187.
bzimport added a subscriber: Unknown Object (MLST).
brooke created this task.Aug 11 2009, 11:04 PM
brooke added a comment.Oct 31 2011, 10:28 PM

I'm just gonna WONTFIX this out; while it's plausible to protect against password sniffing, nobody seems willing to commit to it, and we've been pushing more SSL stuff which of course does a far better job of protecting your session.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL