https://bugzilla.wikimedia.org/show_bug.cgi?id=20187
Summary: Encrypted login with JavaScript to reduce password-sniffing risk for HTTP sites
Product: MediaWiki
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: Normal
Component: User login/settings
AssignedTo: [email protected]
ReportedBy: [email protected]
We've done the occasional experiment based on using client-side hashing of the
password, but implementing it means you have to be very careful about how you
implement your password hashing and internal salting.
Greg Maxwell pointed out this cute little JavaScript RSA library:
http://www.ohdave.com/rsa/
Using something like this would allow for submitting the password encrypted
using a public key from the server; while this would not protect against any
sort of active attack, it would prevent local network traffic sniffing from
seeing plaintext passwords.
(Note that while an HMAC could help protect against replay, you're still
stuck with session hijacking.)
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l