
Automated Web Sites


herme3


If you simply use JS encryption, a hacker can still catch the password between you and the server, and just resubmit it. There's no way to tell if the hash was sent as a result of being calculated through a form, or just being sent directly.

I never said it was good either! :P

Or in fact worthwhile in any way.

If you simply use JS encryption, a hacker can still catch the password between you and the server, and just resubmit it. There's no way to tell if the hash was sent as a result of being calculated through a form, or just being sent directly.

quick question: as long as the js encryption is asymmetrical, could you include, as part of the encryption process, something dependent on, say, the time/date. thus, the password will not be the same twice, and resubmits would be easy to spot.

not that making asymmetric encryption keys sounds all that easy :D

quick question: as long as the js encryption is asymmetrical, could you include, as part of the encryption process, something dependent on, say, the time/date. thus, the password will not be the same twice, and resubmits would be easy to spot.

not that making asymmetric encryption keys sounds all that easy :D

Or the IP of the sending user, it's very very very fallible though.

quick question: as long as the js encryption is asymmetrical, could you include, as part of the encryption process, something dependent on, say, the time/date. thus, the password will not be the same twice, and resubmits would be easy to spot.

not that making asymmetric encryption keys sounds all that easy :D

Don't forget with sufficient skill and a little knowledge in the language all these can be manipulated. The date and time objects in JS allow you to mess with dates so the hacker could set their own date ID, as for the IP they could intercept that too... Client side encryption is a bad idea period, if you want it - use SSL as was suggested earlier :)
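
The resubmission problem discussed in this thread, as an added example (not code posted by any participant): server-side checks in Node.js for a static client-side hash, a client-supplied timestamp, and a server-issued single-use nonce, each fed a captured message a second time. The function names, the sample account and the 60-second window are assumptions made for illustration.

```javascript
// Added example, not code from the thread; every name here is hypothetical.
const nodeCrypto = require('crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
const hmac = (key, msg) => nodeCrypto.createHmac('sha256', key).update(msg).digest('hex');
// Constructed sample account: the server stores a verifier derived from the password.
const users = { alice: sha256('correct horse') };

// Scheme A: browser sends sha256(password). The hash itself is the credential.
function loginStaticHash(user, sentHash) {
  return users[user] === sentHash;
}

// Scheme B: browser mixes in its own clock. The server can only test freshness
// of a value the sender chose, so a capture still works inside the window.
const WINDOW_MS = 60000;
function loginClientTime(user, ts, proof, now) {
  if (!users[user] || Math.abs(now - ts) > WINDOW_MS) return false;
  return hmac(users[user], String(ts)) === proof;
}

// Scheme C: the server chooses the fresh value and accepts it exactly once.
const pending = new Map(); // nonce -> user it was issued to
function issueChallenge(user) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  pending.set(nonce, user);
  return nonce;
}
function loginChallenge(user, nonce, proof) {
  if (!users[user] || pending.get(nonce) !== user) return false; // unknown or used
  pending.delete(nonce); // single use, even if the proof turns out wrong
  const expected = Buffer.from(hmac(users[user], nonce));
  const got = Buffer.from(String(proof));
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// Submits each captured message again to its scheme (all inputs are constructed).
function demo() {
  const key = sha256('correct horse'); // what the real browser derives
  const t0 = 1700000000000;            // constructed timestamp
  const b = { ts: t0, proof: hmac(key, String(t0)) };
  const nonce = issueChallenge('alice');
  const c = { nonce, proof: hmac(key, nonce) };
  return {
    staticReplay: loginStaticHash('alice', key),
    timeReplay: loginClientTime('alice', b.ts, b.proof, t0 + 5000),
    timeStale: loginClientTime('alice', b.ts, b.proof, t0 + 120000),
    challengeFirst: loginChallenge('alice', c.nonce, c.proof),
    challengeReplay: loginChallenge('alice', c.nonce, c.proof),
  };
}
```

Only the server-issued nonce makes the second submission detectable. The stored verifier is still password-equivalent and the script delivering this logic can be altered in transit, which is the gap the SSL recommendation in the thread closes.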
