Tycoon Talk
JavaScript Forum

Can js hash or encrypt data
Old 02-27-2007, 04:48 PM Can js hash or encrypt data
Posted by Learning Newbie (Name: John Alexander, Posts: 5,662)
I read an MSDN case study of a web system built using ASP.NET, and I have to say I'm appalled. I'm also not an expert in javascript, I've learned what I need to get by, and I'm using the solution Microsoft seems to recommend.

My login page has two asp.net textbox server controls, one for username and another for password, and when the login button is clicked, these are sent, plaintext, to the server. Then the server calculates an MD5 hash for the password and compares this against the database to see whether the user has entered the correct word or phrase.

Now for a tiny little site like mine with zero IBLs that's fine. But it's not a solution. Surely, you must be able to do the hashing on the client side before sending it out over the network for any hacker with a sniffing tool to see?
Old 02-27-2007, 10:59 PM Re: Can js hash or encrypt data
Posted by willcode4beer, Super Moderator (Name: Paul Davis, Location: San Francisco, Posts: 1,533)
For what you have described, what would be the difference between sniffing and resending the hashed vs. the plaintext password?
Answer: nothing.
Use TLS/SSL, read https.
OTOH, there are some libraries to perform encryption on the client. Notably dojo.
Old 03-01-2007, 05:05 PM Re: Can js hash or encrypt data
Posted by webdev, Junior Talker (Posts: 2)
Dear Newbie,

Consider this: if you send a hash over the network and the server uses the hash (not the actual password, which wasn't sent) to authenticate the user, if someone intercepts this hash, they'll be able to impersonate the user just the same. The only difference is that the interceptor won't know the actual password, but they won't *need* the actual password to impersonate the user.

As our colleague Mr ForBeer has pointed out, the solution is to send all sensitive data over SSL (https protocol).

If for whatever reason you still want a hashing function in JavaScript, feel free to use the SHA1 functions in the attached file.

Cheers!
Attached Files: sha1.zip (2.2 KB)
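The replay point made in the two replies above, as an added Python simulation (not code from the thread or its sha1.zip attachment; the ITERATIONS work factor and the sample passwords are assumed values). It models the server from the original post, which compares an MD5 of the password against the database, and shows that the value captured on the wire authenticates equally well whether the browser sent the plaintext or its MD5. The salted PBKDF2 functions show what server-side storage should look like; they protect the stored credentials, not the wire, which is what TLS is for.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def register_server_side(password: str) -> dict:
    """Store a per-user random salt and a slow PBKDF2-SHA256 digest, never a bare MD5."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_server_side(record: dict, password: str) -> bool:
    """Recompute the digest from the submitted password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def thread_scheme_client_hash(password: str) -> str:
    """What the original poster proposed the browser should send: md5(password)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def thread_scheme_server_accepts(stored_md5_hex: str, value_from_wire: str) -> bool:
    """The server from the thread: compares whatever arrived with the stored MD5."""
    return hmac.compare_digest(stored_md5_hex, value_from_wire)


def replay_equivalence(password: str) -> dict:
    """An observer who records the wire value can resubmit it and be accepted in both
    variants. Hashing in the browser only changes which string is the credential."""
    stored_md5 = thread_scheme_client_hash(password)

    # Variant 1 (original site): plaintext on the wire, server hashes it on arrival.
    captured_plaintext = password
    plaintext_replays = thread_scheme_server_accepts(
        stored_md5, thread_scheme_client_hash(captured_plaintext))

    # Variant 2 (poster's proposal): md5 on the wire, server compares it directly.
    captured_hash = thread_scheme_client_hash(password)
    hashed_replays = thread_scheme_server_accepts(stored_md5, captured_hash)

    return {"plaintext_variant_replays": plaintext_replays,
            "hashed_variant_replays": hashed_replays}


if __name__ == "__main__":
    print(replay_equivalence("correct horse"))  # both True
    rec = register_server_side("hunter2")       # constructed sample credential
    print(verify_server_side(rec, "hunter2"), verify_server_side(rec, "hunter3"))
```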