#57173 | 01/30/2004 6:47 AM | Member | Joined: Mar 2002 | Posts: 64
Hi, when a user logs in, the input type="text" gets the password and sends it through POST, so the password is not viewable in the URL, but if a person uses a sniffer they can grab the password... What about using an MD5 client-side JavaScript (like vBulletin does: http://www.vbulletin.com/forum/clientscript/vbulletin_md5.js )?
#57174 | 01/30/2004 1:56 PM | Admin Emeritus | Joined: Jan 2000 | Posts: 5,073
If you're paranoid enough to worry about sniffing, then you should be using SSL to protect your entire site.
UBB.classic: Love it or hate it, it was mine.
#57175 | 01/30/2004 6:43 PM | UBBDev / UBBWiki Owner Time Lord | Joined: Jan 2000 | Posts: 5,833 | Likes: 20
Haha, agreed; anyone can sniff messages. Heck, till recently AIM could be sniffed; it still can for those users who don't want to spend $15 a year for an SSL cert for AIM :x...
#57176 | 02/02/2004 8:00 AM | Member | Joined: Mar 2002 | Posts: 64
When a user comes back to the forum, the MD5 hash is taken from the cookie, right? And then the UBB script has to hash the plain-text password contained in the user file and compare, right? Or is the MD5 hash already written in the user file too?
#57177 | 02/02/2004 10:57 AM | Admin Emeritus | Joined: Nov 2001 | Posts: 745
Right now, the plain-text password is hashed and compared to the cookie. I would wager that eventually there will be MD5 server side also (mentioned here).
#57178 | 02/03/2004 4:15 AM | Member | Joined: Mar 2002 | Posts: 64
CC wrote: Sure, why not?
cp2_editprofile.pl... find the line reading:
# Password viewing removed entirely per 6/13 meeting
Uncomment the next 7 lines or so. There's your viewable password.
Unfortunately, that will break entirely when we switch to encrypted passwords in the future... you'll see something akin to "__MD5:abcdef1234567890abcdef1234567890" instead of the password you were expecting.
So in the future all the passwords will be in MD5?
I think this is a good idea. Every time UBB requests a cookie it has to calculate an MD5 hash...
Comparing the MD5 hash (created with JavaScript by the client) and the MD5 hash stored in the user profile should be better for UBB performance...
#57179 | 02/03/2004 4:25 AM | Admin Emeritus | Joined: Jan 2000 | Posts: 5,073
Actually, when the switch occurs, the method of storing the authentication token will also change, which will still require some MD5 calculations. Sorry to disappoint.
UBB.classic: Love it or hate it, it was mine.
#57180 | 02/03/2004 5:19 AM | UBBDev / UBBWiki Owner Time Lord | Joined: Jan 2000 | Posts: 5,833 | Likes: 20
Well, when can we expect this? UBB 6.9? I say that since, from what I hear, 6.8 will be mainly coding fixes and rewrites.
#57181 | 02/03/2004 10:26 AM | Member | Joined: Mar 2002 | Posts: 64
Originally posted by Gizzy:
6.8 will be mainly coding fixes and rewrites.
I hope not...
#57182 | 02/03/2004 10:29 AM | Master Hacker | Joined: Jan 2003 | Posts: 3,456 | Likes: 2
Gizzy, where did you hear this? The only thing I've heard from CC is that he can't tell us anything.
#57183 | 02/03/2004 10:40 AM | Admin Emeritus | Joined: Nov 2001 | Posts: 745
I don't recall hearing any announcements about what 6.8 will entail yet.
#57184 | 02/03/2004 11:22 AM | UBBDev / UBBWiki Owner Time Lord | Joined: Jan 2000 | Posts: 5,833 | Likes: 20
/me whistles and walks away innocently
#57185 | 02/03/2004 2:10 PM | Veteran | Joined: Oct 2000 | Posts: 2,667
Originally posted by Gizzy:
/me whistles and walks away innocently
You'd better run fast before CC catches you, or he will lock you down in PHP hell.
Do you believe in love at first sight, or should I walk by again?
#57186 | 02/03/2004 2:24 PM | Admin Emeritus | Joined: Jan 2000 | Posts: 5,073
*rains down 40-character-long PHP functions upon Gizzy*
UBB.classic: Love it or hate it, it was mine.
#57187 | 02/03/2004 3:40 PM | Admin Emeritus | Joined: Nov 2001 | Posts: 745
There's nothing wrong with PHP. You just have to have the proper level of insanity to use it.
#57188 | 02/03/2004 8:23 PM | UBBDev / UBBWiki Owner Time Lord | Joined: Jan 2000 | Posts: 5,833 | Likes: 20
/me is in PHP hell; send help... I use PHP, which should show you that I'm indeed insane...