Klaynos Posted October 1, 2006

I am well aware of the points you both make, I'm just stating that it's technically, and easily achieved to encrypt before sending. The best option is of course to use an SSL connection.

Cap'n Refsmmat Posted October 1, 2006

If you simply use JS encryption, a hacker can still catch the password between you and the server, and just resubmit it. There's no way to tell if the hash was sent as a result of being calculated through a form, or just being sent directly.

Klaynos Posted October 1, 2006

> If you simply use JS encryption, a hacker can still catch the password between you and the server, and just resubmit it. There's no way to tell if the hash was sent as a result of being calculated through a form, or just being sent directly.

I never said it was good either! Or in fact worthwhile in any way.

Dak Posted October 1, 2006

> If you simply use JS encryption, a hacker can still catch the password between you and the server, and just resubmit it. There's no way to tell if the hash was sent as a result of being calculated through a form, or just being sent directly.

quick question: as long as the js encryption is asymmetrical, could you include, as part of the encryption process, something dependent on, say, the time/date. thus, the password will not be the same twice, and resubmits would be easy to spot.

not that making asymmetric encryption keys sounds all that easy

Klaynos Posted October 1, 2006

> quick question: as long as the js encryption is asymmetrical, could you include, as part of the encryption process, something dependent on, say, the time/date. thus, the password will not be the same twice, and resubmits would be easy to spot.
>
> not that making asymmetric encryption keys sounds all that easy

Or the IP of the sending user, it's very very very fallible though.

Cap'n Refsmmat Posted October 1, 2006

Then there'd have to be a way to decrypt it back to some sort of hash that stays the same, so you could check it to be valid. If that was possible, they could easily decrypt it to a plain hash, and then re-add new time/date data.

RyanJ Posted October 2, 2006

> quick question: as long as the js encryption is asymmetrical, could you include, as part of the encryption process, something dependent on, say, the time/date. thus, the password will not be the same twice, and resubmits would be easy to spot.
>
> not that making asymmetric encryption keys sounds all that easy

Don't forget with sufficient skill and a little knowledge in the language all these can be manipulated. The date and time objects in JS allow you to mess with dates so the hacker could set their own date ID, as for the IP they could intercept that too...

Client side encryption is a bad idea period, if you want it - use SSL as was suggested earlier.

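The resubmission problem discussed in this thread, as an added example that is not from any poster: a server that accepts a fixed client-side hash cannot tell a replay from a real login, while a value that varies per login only helps if the server issues it and accepts it once. It goes beyond the thread by sketching such a server-issued challenge; all function names and the sample account are hypothetical, and Node's built-in `crypto` module stands in for the browser script.

```javascript
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const hmac = (key, msg) => crypto.createHmac("sha256", key).update(msg).digest("hex");

// Constructed sample account: the server keeps the hash, not the password.
const stored = { alice: sha256("correct horse") };
const pending = new Map(); // outstanding nonces: nonce -> user

function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Scheme A: the form sends sha256(password). The hash itself is the
// credential, so anyone who saw it on the wire can send it again.
function loginStaticHash(user, sentHash) {
  return stored[user] !== undefined && safeEqual(stored[user], sentHash);
}

// Scheme B: the varying value comes from the server (not the client clock
// or IP), is random, and is deleted on first use.
function issueChallenge(user) {
  const nonce = crypto.randomBytes(16).toString("hex");
  pending.set(nonce, user);
  return nonce;
}

function loginChallenge(user, nonce, response) {
  if (pending.get(nonce) !== user) return false; // unknown or already used
  pending.delete(nonce);
  return stored[user] !== undefined && safeEqual(hmac(stored[user], nonce), response);
}

// What the client-side script would compute for scheme B.
function clientResponse(password, nonce) {
  return hmac(sha256(password), nonce);
}

function demo() {
  const captured = sha256("correct horse"); // value observed in transit, scheme A
  const nonce = issueChallenge("alice");
  const resp = clientResponse("correct horse", nonce);
  return {
    staticFirst: loginStaticHash("alice", captured),
    staticReplay: loginStaticHash("alice", captured),      // accepted again
    challengeFirst: loginChallenge("alice", nonce, resp),
    challengeReplay: loginChallenge("alice", nonce, resp), // nonce already spent
  };
}
```

Scheme B still leaves the stored hash password-equivalent on the server, and without SSL the script that computes the response arrives unauthenticated, so it does not replace the SSL connection the thread recommends.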