Encrypted login with JavaScript to reduce password-sniffing risk for HTTP sites
Closed, DeclinedPublic


We've done the occasional experiment based on using client-side hashing of the password, but implementing it means you have to be very careful about how you implement your password hashing and internal salting.

Greg Maxwell pointed out this cute little JavaScript RSA library: http://www.ohdave.com/rsa/

Using something like this would allow for submitting the password encrypted using a public key from the server; while this would not protect against any sort of active attack, it would prevent local network traffic sniffing from seeing plaintext passwords.

(Note that while an HMAC could help protect against replay, but you're still stuck with session hijacking.)

Version: unspecified
Severity: enhancement

bzimport set Reference to bz20187.
bzimport added a subscriber: Unknown Object (MLST).
brion created this task.Aug 11 2009, 11:04 PM

I'm just gonna WONTFIX this out; while it's plausible to protect against password sniffing, nobody seems willing to commit to it, and we've been pushing more SSL stuff which of course does a far better job of protecting your session.

Add Comment