Rene Veerman rene7...@gmail.com writes:
Recently, on both the jQuery(.com) and PHP mailing lists, a question has
arisen on how to properly secure a login form for a non-SSL web application.
But the replies have been get ssl.. :(
I disagree, and think that with a proper layout of authentication
Stephan Neuhaus wrote:
Yes, there's a need for a crypto practices FAQ to which one can refer.
I disagree because you cannot force developers to read (and understand)
these FAQs. Instead, there is a need for APIs that are difficult to use
in an insecure way. For example, Peter Gutmann's
On Sun, 15 Feb 2009, Rene Veerman wrote:
Recently, on both the jQuery(.com) and PHP mailing lists, a question has
arisen on how to properly secure a login form for a non-SSL web application.
But the replies have been get ssl.. :(
Unfortunately, they are right: get SSL.
If you have a
Stephan Neuhaus wrote:
Many mistakes in crypto coding come from the fact that API developers
have so far very successfully shifted the burden of secure usage to the
application developer, the API user. But I believe this hasn't worked
and needs to be changed.
I totally agree, and this is the
On Feb 14, 2009, at 12:54 PM, David Molnar wrote:
Ben Laurie wrote:
[snip discussion of bad crypto implementation practices]
Because he is steeped in the craft
knowledge around crypto. But most developers aren't. Most developers
don't even have the right mindset for secure coding, let alone
Begin forwarded message:
From: Sarad AV jtrjtrjtr2...@yahoo.com
Date: February 17, 2009 9:51:09 AM EST
To: cypherpu...@al-qaeda.net
Subject: Shamir secret sharing and information theoretic security
hi,
I was going through the wikipedia example of shamir secret sharing
which says it is
Hi,
Recently, on both the jQuery(.com) and PHP mailing lists, a question has
arisen on how to properly secure a login form for a non-SSL web application.
But the replies have been get ssl.. :(
What makes you think these are ill-advised?
I disagree, and think that with a proper layout of
On Feb 15, 2009, at 7:30 AM, Rene Veerman wrote:
Recently, on both the jQuery(.com) and PHP mailing lists, a question
has arisen on how to properly secure a login form for a non-SSL web
application.
What's the threat model?
users[user_id].user_login_hash = onewayHash(user_login_name +
apropos to the biometrics essay in the Jan 2009 crypto-gram:
Researchers Hack Biometric Faces
slashdot.org/palm/18/09/02/17/216216_1.shtml
from the face-off dept. posted by kdawson on 2009-02-18 01:35:00
yahoi sends in news from a week or so back: Vietnamese researchers have
cracked the
There are a variety of password cost-estimation surveys floating around that
put the cost of password resets at $100-200 per user per year, depending on
which survey you use (Gartner says so, it must be true).
You can get OTP tokens as little as $5. Barely anyone uses them.
Can anyone explain
http://www.theregister.co.uk/2009/02/19/ssl_busting_demo/ -- we've
talked about this attack for quite a while; someone has now implemented
it.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
On Tue, 17 Feb 2009, R.A. Hettinga wrote:
hi,
I was going through the wikipedia example of shamir secret sharing which says
it is information theoretically secure.
http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
...
The scheme is defined over a finite field *not* over the
On Feb 19, 2009, at 8:36 AM, Peter Gutmann wrote:
There are a variety of password cost-estimation surveys floating
around that
put the cost of password resets at $100-200 per user per year,
depending on
which survey you use (Gartner says so, it must be true).
You can get OTP tokens as
On Fri, 20 Feb 2009 02:36:17 +1300
pgut...@cs.auckland.ac.nz (Peter Gutmann) wrote:
There are a variety of password cost-estimation surveys floating
around that put the cost of password resets at $100-200 per user per
year, depending on which survey you use (Gartner says so, it must be
true).
On Feb 19, 2009, at 7:36 AM, Peter Gutmann wrote:
There are a variety of password cost-estimation surveys floating
around that
put the cost of password resets at $100-200 per user per year,
depending on
which survey you use (Gartner says so, it must be true).
You can get OTP tokens as