Encrypted login with JavaScript to reduce password-sniffing risk for HTTP sites
Closed, DeclinedPublic


We've done the occasional experiment based on using client-side hashing of the password, but implementing it means you have to be very careful about how you implement your password hashing and internal salting.

Greg Maxwell pointed out this cute little JavaScript RSA library: http://www.ohdave.com/rsa/

Using something like this would allow for submitting the password encrypted using a public key from the server; while this would not protect against any sort of active attack, it would prevent local network traffic sniffing from seeing plaintext passwords.

(Note that while an HMAC could help protect against replay, but you're still stuck with session hijacking.)

Version: unspecified
Severity: enhancement

bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz20187.
brion created this task.Via LegacyAug 11 2009, 11:04 PM
brion added a comment.Via ConduitOct 31 2011, 10:28 PM

I'm just gonna WONTFIX this out; while it's plausible to protect against password sniffing, nobody seems willing to commit to it, and we've been pushing more SSL stuff which of course does a far better job of protecting your session.

Add Comment