[web] bcrypt vs challenge

Started by
3 comments, last by Gamer Gamester 12 years, 6 months ago
Let's say I'm letting users log in over http (not https)...

I can use a challenge-response so that the passwords aren't sent as cleartext over the wire. However, this requires me to have the cleartext password stored on the server.

Or, I can hash the passwords on the server (probably with bcrypt), but this requires me to send the passwords as cleartext over the wire.

Which of these is preferable?
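To make the trade-off in the question concrete, here is an added example (not code from the thread) that implements both options side by side: a nonce-based HMAC challenge-response, which needs the cleartext password on the server to recompute the expected response, and server-side password hashing, which stores only a salted slow hash but needs the password itself to arrive at the server. bcrypt is a third-party package, so `hashlib.pbkdf2_hmac` stands in for it; the structural point (what is stored, what crosses the wire) is unchanged. The record layout, function names and iteration count are this example's own choices.

```python
"""Two login designs from the question, side by side (added example).

Option 1: challenge-response. The server keeps the cleartext password and
checks an HMAC the client computes over a fresh server nonce. The password
never crosses the wire, but a database dump reveals it directly.

Option 2: server-side hashing. The server keeps only a salted slow hash
(PBKDF2 here, standing in for bcrypt), but the cleartext password must be
sent to the server, so over plain HTTP it is readable on the wire.
"""
import hashlib
import hmac
import os
import secrets

# ---------------------------------------------------------------------------
# Option 1: nonce-based challenge-response
# ---------------------------------------------------------------------------

def cr_store(password: str) -> dict:
    """Account record for option 1: the cleartext secret must be kept."""
    return {"password": password}


def cr_challenge() -> bytes:
    """Server issues a fresh, unpredictable nonce for each login attempt."""
    return secrets.token_bytes(16)


def cr_response(password: str, nonce: bytes) -> bytes:
    """Client side: what goes on the wire is this MAC, not the password."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


def cr_verify(record: dict, nonce: bytes, response: bytes) -> bool:
    """Server side: recompute the MAC, which requires the stored cleartext."""
    expected = cr_response(record["password"], nonce)
    return hmac.compare_digest(expected, response)


# ---------------------------------------------------------------------------
# Option 2: server-side slow hashing (PBKDF2 as a stand-in for bcrypt)
# ---------------------------------------------------------------------------

ITERATIONS = 200_000  # example work factor; tune to your hardware


def hash_store(password: str) -> dict:
    """Account record for option 2: random salt plus slow hash, no cleartext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def hash_verify(record: dict, password_on_wire: str) -> bool:
    """Server side: the cleartext password had to be transmitted to get here."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password_on_wire.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(record["hash"], digest)


# ---------------------------------------------------------------------------
# Walk both flows with a constructed password and report the outcomes
# ---------------------------------------------------------------------------

def run_login_flows(password: str = "correct horse") -> dict:
    cr_rec = cr_store(password)
    nonce = cr_challenge()
    resp = cr_response(password, nonce)

    h_rec = hash_store(password)

    return {
        # option 1
        "cr_login_ok": cr_verify(cr_rec, nonce, resp),
        "cr_wrong_password_rejected": not cr_verify(
            cr_rec, nonce, cr_response("wrong", nonce)),
        # a captured response is useless against the next nonce
        "cr_replay_rejected": not cr_verify(cr_rec, cr_challenge(), resp),
        "cr_server_holds_cleartext": "password" in cr_rec,
        # option 2
        "hash_login_ok": hash_verify(h_rec, password),
        "hash_wrong_password_rejected": not hash_verify(h_rec, "wrong"),
        "hash_server_holds_cleartext": "password" in h_rec,
    }


if __name__ == "__main__":
    for key, value in run_login_flows().items():
        print(f"{key:32} {value}")
```

Running it shows the asymmetry the question is about: option 1 keeps the password off the wire and resists replay (a fresh nonce invalidates a captured response), at the cost of a cleartext password table; option 2 keeps the table safe to leak but puts the password on the wire. Neither property helps if the page's own JavaScript can be rewritten in transit, which is why the replies below push towards HTTPS.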
Cleartext passwords over the wire are as safe as no password at all.

Stephen M. Webb
Professional Free Software Developer

You could still encrypt the password values in the database. Provided the key isn't stored in the database, this protects the passwords from SQL injection, the most common attack that results in mass password leaks. It obviously won't help if your application is compromised too.
If your site loads over HTTP, not HTTPS, you have no guarantee (or rather, the end-user has no guarantee) that some man-in-the-middle has not modified your Javascript code on the wire, and changed it to secretly send the password to their own server.

An HTTP-loaded site can't rely on its own Javascript code being delivered without malicious modifications.

Such modifications are easily achieved, for example, by the owners of a wifi access point who can route requests through a transparent proxy.

HTTPS does not JUST encrypt things. It also guards against the very real threat of man-in-the-middle attacks, and stops content being modified on the wire. There can be no real web security without this threat mitigated.

Just use HTTPS, anything else is worthless.

If you MUST use HTTP, you may as well use plaintext passwords (or encrypt them using rot13, for all the good it would do).
Thanks for the advice. Yeah, all my research in the past day or so has led to the same conclusion: I'm switching to HTTPS. Really, all websites should....
I had been reluctant to do so as my site's security needs aren't that high (yet, at least), and I'd always felt Certificate Authorities were a bit of a racket.

My research confirmed that CAs are "mostly worthless", but it seems we're stuck with them at the moment. I also learned that you can get free basic certificates authorized from StartSSL (if your need is simply to stop the browser from freaking out innocents with scary warnings). Yes, StartSSL was hacked earlier this year, but I don't really have faith in any of the CAs, so might as well save on the cost (unless someone here knows better on the matter!).

This topic is closed to new replies.
