>>I fail to see the purpose of client-side hashing.

Great question.

You pass a UUID from the server to salt your crypto on the client to 
prevent replay attacks.

We don't always run TLS on our dev/test tiers and operate a sensitive 
environment in which we prefer not to broadcast passwords in the clear. 
The extra step makes it that much harder to get access to sensitive 
information.

Also consider that TLS is not as secure as most people think:

"If the *administrator of your computer *[or corporate network, or ISP]* 
cooperates*, it is possible for a proxy server to sniff https connections. 
This is used in some companies in order to scan for viruses and to 
enforce guidelines of acceptable use.

A *local certification authority* is set up and the administrator tells your 
browser that this *CA is trustworthy*. The proxy server uses this CA to 
sign its forged certificates.

Oh and of course, users tend to click security warnings away."

--http://security.stackexchange.com/questions/8145/does-https-prevent-man-in-the-middle-attacks-by-proxy-server

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
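The challenge-response scheme the post sketches (server hands the client a random nonce, the client hashes the password with it, the server rejects a second use of the same nonce), as an added Go example. This is not code from the post or from any project it mentions. It assumes a public per-user salt that the server sends alongside the nonce, SHA-256 and HMAC-SHA256 as the primitives, and in-memory maps for accounts and outstanding nonces; the usernames and passwords are constructed sample input.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"sync"
)

// Constructed example: nonce-based challenge-response login. The server issues
// a single-use random nonce (the post's "UUID") and the client proves it knows
// the password without sending it, so a captured response cannot be replayed.
// Assumed primitives: SHA-256 for the verifier, HMAC-SHA256 for the response.

// verifier is the password-derived value both sides can compute: the server
// stores it at registration, the client recomputes it from the typed password.
func verifier(password, salt string) []byte {
	sum := sha256.Sum256([]byte(salt + ":" + password))
	return sum[:]
}

type account struct {
	salt     string
	verifier []byte
}

// Server holds registered accounts and the nonces it has issued but not yet
// consumed. Each nonce is bound to the user it was issued to.
type Server struct {
	mu       sync.Mutex
	accounts map[string]account
	nonces   map[string]string // nonce -> username
}

func NewServer() *Server {
	return &Server{accounts: map[string]account{}, nonces: map[string]string{}}
}

// Register stores a fresh salt and the verifier, never the password itself.
func (s *Server) Register(username, password string) {
	salt := randomHex(16)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.accounts[username] = account{salt: salt, verifier: verifier(password, salt)}
}

// Challenge issues a fresh nonce for the user and returns it with the salt.
func (s *Server) Challenge(username string) (nonce, salt string, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	acct, ok := s.accounts[username]
	if !ok {
		return "", "", errors.New("unknown user")
	}
	nonce = randomHex(16)
	s.nonces[nonce] = username
	return nonce, acct.salt, nil
}

// ClientResponse is what the client computes: HMAC-SHA256 over the nonce,
// keyed with the verifier derived from the password and salt.
func ClientResponse(password, salt, nonce string) string {
	mac := hmac.New(sha256.New, verifier(password, salt))
	mac.Write([]byte(nonce))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify checks the response against the stored verifier and consumes the
// nonce whether or not the check passes, so the same response is useless
// a second time.
func (s *Server) Verify(username, nonce, response string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	owner, ok := s.nonces[nonce]
	if !ok || owner != username {
		return false
	}
	delete(s.nonces, nonce)
	got, err := hex.DecodeString(response)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, s.accounts[username].verifier)
	mac.Write([]byte(nonce))
	return hmac.Equal(mac.Sum(nil), got) // constant-time comparison
}

// randomHex returns n random bytes from crypto/rand, hex encoded.
func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}
```

Typical use is Register, then Challenge to get a nonce and salt, ClientResponse on the client, and Verify on the server; a second Verify with the same nonce and response returns false. Two caveats a practitioner should keep in mind: the nonce table has to live server-side and be consumed on every attempt, or the replay protection is gone, and the stored verifier is itself enough to answer a challenge, so a leaked account table lets an attacker log in without knowing any password. The scheme hides the password from a passive observer; it does not replace TLS.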
