--On 10/01/00 04:05:39 PM -0400 Ilia Lobsanov <[EMAIL PROTECTED]> wrote:

> Rob, you shouldn't rely on JavaScript for this. And I don't see why
> you need cookies for that.
> Just use SSL if you don't want a sniffer to intercept the password.
>
> ilia.
>

I thought about that right after I responded to the original message 
(it's amazing how insightful I get AFTER I've just pressed the send 
button).  But it really depends on what your requirements are.  The 
JavaScript algorithm does an excellent job, and it does the MD5 hash 
correctly at the browser.  Also, it works on any browser that does 
JavaScript (no secure JavaScript or SSL signatures, etc., required).  If 
your concern is that the script could be sniffed, the MD5 hash 
algorithm itself is widely available, and security by obscurity is not a 
good security model.

As far as SSL, there are several issues.  Depending on your budget, 
even the $125 for a Thawte certificate may be too high.  Also, on slow 
links and older machines, SSL is more expensive timewise to run.  The 
original poster said nothing about securing the browser response 
itself, but only access to it (which is very common for commercial data 
services, although I don't know what kind of data Kaare Rasmussen is 
concerned with in the original post).  Also, I understand that 
encryption is not legal in some European countries.  I'm not sure which 
ones and I have no idea what the rationale is, but MD5 password hashes 
might conceivably skirt that issue.

On the plus side, in the US the old RSA patent became history last 
month, either expiring on Sep 20 or valid through Sept 20.  In any 
event, it's now in the public domain and you can set up secure servers 
without an RSA licensing issue.  I don't know if there are other 
international patents on the RSA algorithm or not, so I don't know 
whether Europeans (the original post was from *.dk, which is Denmark) 
are so blessed or not.

-- Rob

       _ _ _ _           _    _ _ _ _ _
      /\_\_\_\_\        /\_\ /\_\_\_\_\_\
     /\/_/_/_/_/       /\/_/ \/_/_/_/_/_/  QUIDQUID LATINE DICTUM SIT,
    /\/_/__\/_/ __    /\/_/    /\/_/          PROFUNDUM VIDITUR
   /\/_/_/_/_/ /\_\  /\/_/    /\/_/
  /\/_/ \/_/  /\/_/_/\/_/    /\/_/         (Whatever is said in Latin
  \/_/  \/_/  \/_/_/_/_/     \/_/              appears profound)

  Rob Tanner
  McMinnville, Oregon
  [EMAIL PROTECTED]
