protection scripts

Discussion in 'HTML' started by shane turner, Mar 3, 2004.

  1. shane turner

    shane turner Guest

    Where can I get a secure password javascript?
    shane turner, Mar 3, 2004
    #1

  2. shane turner wrote:
    > Where can I get a secure password javascript?


    Nowhere. But a couple password scripts that'll fool a newbie are here:
    <http://javascript.internet.com/passwords/>


    Matthias
    Matthias Gutfeldt, Mar 3, 2004
    #2

  3. Andrew Urquhart, Mar 3, 2004
    #3
  4. shane turner

    Karl Core Guest

    "shane turner" <> wrote in message
    news:...
    > Where can I get a secure password javascript?


    You can't. Javascript authentication is not secure.


    --

    Karl Groves
    http://www.karlcore.com
    Karl Core, Mar 3, 2004
    #4
  5. don't use javascript as a means to protect your site... it will not work

    shane turner schrieb:
    > Where can I get a secure password javascript?



    --

    bernhard
    ---
    www.daszeichen.ch
    remove nixspam to reply
    Bernhard Sturm, Mar 3, 2004
    #5
  6. Karl Core wrote:
    > "shane turner" <> wrote in message
    > news:...
    >> Where can I get a secure password javascript?

    >
    > You can't. Javascript authentication is not secure.


    This is an extremely popular Javascript myth, an implementation of the
    link I posted earlier in the thread can be seen here:
    http://pajhome.org.uk/crypt/md5/chaplogin.html
    --
    Andrew Urquhart
    Reply: www.andrewu.co.uk/about/contact/
    Andrew Urquhart, Mar 3, 2004
    #6
  7. Andrew Urquhart schrieb:
    >>
    >>>Where can I get a secure password javascript?

    >>
    >>You can't. Javascript authentication is not secure.

    >
    >
    > This is an extremely popular Javascript myth, an implementation of the
    > link I posted earlier in the thread can be seen here:
    > http://pajhome.org.uk/crypt/md5/chaplogin.html


    but you are using JS to produce an MD5 hash key on the client side, and
    then you still use server side protection measures (Perl/PHP/ASP/CF), as
    far as I understood the original post he wanted to have a full JS
    protection (read: all client side) (this might be mainly because he has
    no direct access to the webserver, or isn't familiar with ASP/PHP).
    but your solution seems to rely on server side implementation as well
    (correct me if I am wrong, I just had a brief look at your code).

    bernhard
    ---
    www.daszeichen.ch
    remove nixspam to reply
    Bernhard Sturm, Mar 3, 2004
    #7
  8. shane turner

    Dylan Parry Guest

    Andrew Urquhart wrote:

    > shane turner wrote:
    >> Where can I get a secure password javascript?

    >
    > http://pajhome.org.uk/crypt/md5/


    This uses JavaScript on the front-end, but still relies upon a server-side
    technology for its protection. In reality, a complete solution using JS
    does not exist, and cannot exist as long as the user can view the script
    source.

    --
    Dylan Parry
    http://www.webpageworkshop.co.uk - FREE Web tutorials and references
    Dylan Parry, Mar 3, 2004
    #8
  9. Dylan Parry wrote:
    > Andrew Urquhart wrote:
    >
    >> shane turner wrote:
    >>> Where can I get a secure password javascript?

    >>
    >> http://pajhome.org.uk/crypt/md5/

    >
    > This uses JavaScript on the front-end, but still relies upon a
    > server-side technology for its protection.


    In the other link I posted (BTW none of these links are mine) you'll see
    that that system needs to send the client a random piece of data to
    enable a reasonable level of security, so in this respect I agree with
    you that a server-side technology is required for its protection but
    somehow I don't think that's what you meant.

    > In reality, a complete
    > solution using JS does not exist, and cannot exist as long as the
    > user can view the script source.


    I have no problem with the user viewing the script source and in no way
    does it compromise the security of the encryption method. You couldn't
    realistically claim that by reading PGP Corp's implementation of public
    key encryption (source available for download, see pgp.com) that it
    somehow compromised the algorithm.

    Security is not achieved by obscurity. Security is defined by the
    difficulty of going backwards through a one-way function.
    --
    Andrew Urquhart
    Reply: www.andrewu.co.uk/about/contact/
    Andrew Urquhart, Mar 3, 2004
    #9
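
The challenge-response exchange this post describes, where the server sends the client a random piece of data, as an added example that is not part of the original thread and not Paul Johnston's script. It uses HMAC-SHA-256 in place of the MD5 construction on the linked page; the user table, function names and password are constructed for illustration.

```javascript
// Added illustration (not Paul Johnston's script); runs under Node.js.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Server-side state; the user and password are constructed sample data.
const users = new Map([['shane', 'correct horse battery staple']]);
const pending = new Map(); // username -> outstanding one-time challenge

// Server: send the client a fresh random value for this login attempt.
function issueChallenge(username) {
  const challenge = randomBytes(16).toString('hex');
  pending.set(username, challenge);
  return challenge;
}

// Client: only this keyed hash crosses the wire, never the password.
function clientResponse(password, challenge) {
  return createHmac('sha256', password).update(challenge).digest('hex');
}

// Server: recompute the expected value and compare. The accept/reject
// decision is made here, so editing the client script changes nothing.
function verifyResponse(username, response) {
  const challenge = pending.get(username);
  pending.delete(username); // single use: a captured response cannot be replayed
  const secret = users.get(username);
  if (!challenge || !secret) return false;
  const expected = Buffer.from(clientResponse(secret, challenge), 'hex');
  const got = Buffer.from(String(response), 'hex');
  return got.length === expected.length && timingSafeEqual(got, expected);
}

// Walk through one good login, two replays and one wrong password.
function demo() {
  const c1 = issueChallenge('shane');
  const r1 = clientResponse('correct horse battery staple', c1);
  const first = verifyResponse('shane', r1);
  const replaySameChallenge = verifyResponse('shane', r1); // challenge consumed
  issueChallenge('shane');
  const replayNewChallenge = verifyResponse('shane', r1);  // stale response
  const c3 = issueChallenge('shane');
  const wrongPassword = verifyResponse('shane', clientResponse('guess', c3));
  return { first, replaySameChallenge, replayNewChallenge, wrongPassword };
}
```

The server has to hold the secret (or a password-equivalent) to recompute the response, and a recorded challenge/response pair can still be used to test password guesses offline, so the exchange belongs inside TLS.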
  10. Andrew Urquhart schrieb:
    > Dylan Parry wrote:
    >
    >>Andrew Urquhart wrote:

    >
    > I have no problem with the user viewing the script source and in no way
    > does it compromise the security of the encryption method. You couldn't
    > realistically claim that by reading PGP Corp's implementation of public
    > key encryption (source available for download, see pgp.com) that it
    > somehow compromised the algorithm.


    you are talking about encryption, but he wanted to have a password
    protection based on JS (I don't think that the original poster did even
    think about the possibility of encrypting the transmitted data).
    AFAIK there is no secure solution based entirely on JS. JS is entirely
    client side, but you can never achieve server side security with a
    client side technology (one reason lies in the fact that anyone can
    alter the JS code on the client side, and fake the protection
    algorithm). Your proposed solution always includes server-side measures.

    bernhard
    ---
    www.daszeichen.ch
    remove nixspam to reply
    Bernhard Sturm, Mar 3, 2004
    #10
  11. Bernhard Sturm wrote:
    > Andrew Urquhart schrieb:
    >> This is an extremely popular Javascript myth, an implementation of the
    >> link I posted earlier in the thread can be seen here:
    >> http://pajhome.org.uk/crypt/md5/chaplogin.html

    >
    > but you are using JS to produce an MD5 hash key on the client side,
    > and then you still use server side protection measures
    > (Perl/PHP/ASP/CF), as far as I understood the original post he wanted
    > to have a full JS protection (read: all client side) (this might be
    > mainly because he has no direct access to the webserver, or isn't
    > familiar with ASP/PHP).
    > but your solution seems to rely on server side implementation as well
    > (correct me if I am wrong, I just had a brief look at your code).



    BTW The scripts are not mine, they're Paul Johnston's

    It's reasonable to assume that the OP wanted a complete client-side
    solution, but the OP didn't specify as such. The OP could have a
    client-side solution, albeit a severely limited one, with no web server
    needed to provide the random variable as in the CHAP implementation. For
    example: Use the other algorithms on the site to implement a public-key
    encryption system:

    1. View source of a webpage you'd like to encrypt.
    2. Offline encrypt the page source with the public key.
    3. Write a webpage with a script block containing both the unencryption
    algorithm (IIRC this may also be the same function as the encryption
    algorithm). In the script block store the encrypted page from step 2 as
    a variable.
    4. FTP the whole thing to a web server, and let people freely view the
    page.
    5. People with javascript enabled who happen to know the private key for
    the algorithm could enter the key into a form (say), whereupon the
    unencrypted variable is unpacked into the webpage originally viewed in
    step 1, the DOM of the current page could then be updated with the
    unencryption result.
    6. Despite sending the page over insecure means and using "insecure"
    javascript the original content cannot be accessed unless the private
    key is known (or you have a *very* powerful supercomputer).
    7. The caveat: viewers need to know the private key independently of the
    process - e.g. you snail mail it to them :o)

    For more information on javascript encryption visit
    http://pajhome.org.uk/crypt/md5/index.html, the "Users of my Script"
    section is a brief but interesting read.
    --
    Andrew Urquhart
    Reply: www.andrewu.co.uk/about/contact/
    Andrew Urquhart, Mar 3, 2004
    #11
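
Steps 1 to 7 above, as an added example that is not part of the original post or Paul Johnston's scripts. It swaps the public-key scheme the post mentions for AES-256-GCM with a key derived from a passphrase by scrypt; the function names and sample page are constructed, and it runs under Node.js.

```javascript
// Added illustration; function names and sample data are constructed.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } =
  require('node:crypto');

// Step 2 (offline): encrypt the page source under a passphrase-derived key.
function encryptPage(html, passphrase) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const key = scryptSync(passphrase, salt, 32);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(html, 'utf8'), cipher.final()]);
  // Steps 3-4: everything in this bundle is public and ships inside the page.
  return [salt, iv, cipher.getAuthTag(), body]
    .map((b) => b.toString('base64'))
    .join('.');
}

// Step 5 (viewer): returns the page source, or null when the passphrase is
// wrong or the published bundle has been altered.
function decryptPage(bundle, passphrase) {
  try {
    const [salt, iv, tag, body] = String(bundle)
      .split('.')
      .map((s) => Buffer.from(s, 'base64'));
    const key = scryptSync(passphrase, salt, 32);
    const decipher = createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag); // GCM rejects tampered ciphertext in final()
    return Buffer.concat([decipher.update(body), decipher.final()])
      .toString('utf8');
  } catch {
    return null; // never reveal partial plaintext on failure
  }
}

// Constructed sample: the page from step 1 and the key sent out of band (step 7).
const samplePage = '<h1>Members only</h1>';
const sampleBundle = encryptPage(samplePage, 'sent by snail mail');
console.log(decryptPage(sampleBundle, 'sent by snail mail') === samplePage);
console.log(decryptPage(sampleBundle, 'wrong guess'));
```

This protects one static blob for readers who already hold the passphrase; it does not identify users, and because the bundle is public anyone can copy it and test passphrase guesses offline, so the passphrase has to be long and random.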
  12. shane turner wrote:
    > Where can I get a secure password javascript?


    ASP

    can't think of any others.

    --
    William Tasso
    William Tasso, Mar 3, 2004
    #12
  13. shane turner

    shane turner Guest

    "Karl Core" <> wrote in message news:<c24i4k$nt5$>...
    > "shane turner" <> wrote in message
    > news:...
    > > Where can I get a secure password javascript?

    >
    > You can't. Javascript authentication is not secure.


    Know any more secure methods? I don't know ASP though
    shane turner, Mar 4, 2004
    #13
  14. shane turner

    Mark Parnell Guest

    On 4 Mar 2004 02:52:59 -0800, (shane turner)
    declared in alt.html:

    > Know any more secure methods? I don't know ASP though


    Has to be something server-side. ASP, PHP, Perl, even .htaccess (for
    basic authentication, anyway). Take your pick. :)

    --
    Mark Parnell
    http://www.clarkecomputers.com.au
    Mark Parnell, Mar 4, 2004
    #14
  15. shane turner

    shane turner Guest

    Mark Parnell <> wrote in message news:<>...
    > On 4 Mar 2004 02:52:59 -0800, (shane turner)
    > declared in alt.html:
    >
    > > Know any more secure methods? I don't know ASP though

    >
    > Has to be something server-side. ASP, PHP, Perl, even .htaccess (for
    > basic authentication, anyway). Take your pick. :)


    Got any examples of Perl login scripts?
    shane turner, Mar 5, 2004
    #15
  16. shane turner

    Andy Dingley Guest

    On Wed, 3 Mar 2004 13:48:29 -0000, "Andrew Urquhart"
    <> wrote:

    >Security is not achieved by obscurity.


    Seems like a popular technique for architecting XSLT though.

    document() inside a loop ! I ask you....




    --
    Smert' spamionam
    Andy Dingley, Mar 6, 2004
    #16