[UPHPU] RE: Javascript form validation [was Re: Posting a form]

Mac Newbold mac at macnewbold.com
Fri Feb 25 15:17:15 MST 2005


Today at 12:32pm, Jeffrey Moss said:

> It does a really good job. It emulates SSL encryption by sending a seed (the 
> host key) to the client which gets hashed in with the plain text password they 
> enter.  If it is a man in the middle attack and someone has it out for you, you 
> may be screwed, but the man in the middle would have to be running something 
> that searched http headers for fields with "pass" in them or something. On top 
> of that, he wouldn't know the password, he would only have a one-use pass key 
> to send back to the server, because in order to log back in a new key has to 
> be issued.
>
> It's detailed here: http://pajhome.org.uk/crypt/md5/
> and more specifically here: http://pajhome.org.uk/crypt/md5/chaplogin.html
>
> I originally discovered the idea when someone mentioned why hotmail and yahoo 
> allow you to log in using a non-ssl page. People can intercept your email 
> messages still but they won't know what your password is.

You are right that it is vulnerable to fewer attacks than just sending the 
password.

Does the one-time key work for one page-load, or for one login session? If 
the latter, then once they see the key, they don't need a password 
anyway. They can continue loading pages using the magic key until it 
expires or something.

> Sure SSL is better, but that's not always an option.

What, due to lack of funds? If you care enough to try to be secure, 
$50/year is well worth it for a real cert, and the professional image it 
portrays. How could it not be an option?

> I have a homegrown SSL 
> certificate on my webmail site that says "warning! this site may not be who 
> they say they are!" and most people would prefer no security over that.

Yeah, the warnings are lame, but you can get around them by having people 
accept your cert (once), then they never see the warning again.


> But you're changing the subject Mac, I'm talking about how great javascript 
> is, even for the simplest tasks. It is the ONLY way to get any sort of 
> procedural code running reliably on the client. I wouldn't count on flash like 
> I count on javascript.

Finally, something we agree on! :) I would _much_ rather use Javascript 
than Flash for running any sort of client side code.

However, I wouldn't count on anything done by client side code like I 
count on things done by server-side code.

Javascript is the best client-side web technology right now, but many many 
people use client-side programming to create gratuitous incompatibility, 
or incorrectly try to use it in place of server-side programming.

I'm not trying to end Javascript, just Javascript Abuse. It's an epidemic, 
and if we don't all do our part to stop its spread, it will get worse 
and worse until catastrophe strikes and shakes people to their senses.

[For those who don't know me well enough to know, I'm half joking and 
sometimes prone to hyperbole, but I'm also at least half serious.]

Mac

--
Mac Newbold		MNE - Mac Newbold Enterprises, LLC
mac at macnewbold.com	http://www.macnewbold.com/
