#1534 closed enhancement (wontfix)
[patch] Client-side encoding of admin logins
| Reported by: | Chris Beaven | Owned by: | Adrian Holovaty |
|---|---|---|---|
| Component: | contrib.admin | Version: | 0.91 |
| Severity: | normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Currently, passwords are sent via plain text when logging in.
Even though HTTPS is the ultimate solution, it would still be far more secure for clients to be able to send a digest instead. This has been discussed in #61, but the ticket description doesn't cover this specifically.
The patch attached lets the client handle hashing the password first if Javascript is enabled.
Passwords will be upgraded to a new algorithm which uses a psuedo-random salt based on username. This way, the client can calculate the salt rather than require a challenge-response.
Rather than sending the database hash, the hash itself is hashed for extra security.
The server provides half a random salt in the login form and the client generates the other half.
The server checks first against this secure password, then falls back to the raw password.
Attachments (1)
Change History (9)
by , 18 years ago
| Attachment: | secure_login.diff added |
|---|
comment:1 by , 18 years ago
comment:2 by , 18 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
I agree. HTTPS exists for a very good reason, and giving developers ways of working around a truely secure solution is encouraging the wrong type of behavior.
comment:3 by , 18 years ago
While I understand and accept the "wontfix", the right way and what will get implemented are two different things.
Perhaps the login form should be made to work only if HTTPS is being used :|
comment:4 by , 18 years ago
There are spy|malwares that once installed intercept whatever is submitted via forms and phone home. Hashing the information before doing it so avoids them.
HTTPS is a truly secure client-server solution but the 'net has other problems :)
comment:5 by , 18 years ago
Hashing at the client side will add nothing to the protection of the sites admin though, just wanted to point that out.
comment:6 by , 18 years ago
Well it will help the protection of a site's admin in the sense that there is less chance of an administrator's password being sniffed (unless a keylogger is being run).
My solution wasn't supposed to be just a work-around, as inerte@ pointed out. Extra security has always been a good thing in my books.
comment:7 by , 18 years ago
Ah, sorry boxed@, from reading your comment over at #61 I get what you mean now.
You are correct, this patch does not affect changing a password field via the administation interface. That could also be extended to do an initial client-side hash, but based on this wontfix it would be a pointless exercise.
So rather than looking in the corner of their browser for the well-known padlock to know their data is safe, they now have to read through javascript sources and decide if whether or not to trust the developer?
I don't like it. Using javascript for a solved problem "because you can" is not a good plan.