From: Johannes Baagoe on 13 May 2010 06:17

Ry Nohryb :
>> Bwig Zomberi :
>>> Sending the password (encrypted or otherwise) to the client is simply a
>>> wrong approach to security.
>
> The pwd never ever travels through the net, it's entered by the user of
> the page, and never ever leaves the client, it's just used to decrypt
> the payload and then can be destroyed.

On the other hand, if the client is the human being who pays for the
service, I fail to see why sending her the password via gpg poses
a great security risk.

--
Johannes
From: Ry Nohryb on 13 May 2010 06:25

On May 13, 12:03 pm, Johannes Baagoe <baa...(a)baagoe.com> wrote:
> Ry Nohryb :
>> Johannes Baagoe :
>>> Garrett Smith :
>>>> I am wide open for suggestions on this entry. Neither the question
>>>> nor the answer are clear. Perhaps:
>>>> | FAQ Topic - How can I prevent access to resources in the browser?
>>>> |
>>>> | You can't. Scripts that attempt to password protect resources do not
>>>> | provide any real security.
>>>> |
>>>> | Access to resources can be restricted by requiring authentication on
>>>> | the server.
>>> I have to disagree. It is quite possible to encrypt the body element of
>>> a web page using, e.g., AES, (...)
>> For Smith the FAQ guardian the probability of (to read && !to
>> comprehend) is almost 1.
> I have to disagree with that too.

You'll end up agreeing.

> Anyway, here is a quick and dirty proof of concept :
> http://baagoe.com/en/ES/encrypted.html
>
> I shall leave the group enough time to attempt to prove that it does
> not "provide any real security", and then publish the password.
>
>> Maybe next year.
>
> Maybe an hour or two will be enough, if it is acknowledged that the
> security seems to be adequate after all :)

$1k? :-D

I'd like to try a brute force attack with a bookmarklet and webworkers,
but, for that, could you please add there if you don't mind, in that same
page, another "secret" that uses a short pwd (say 3 or 4 chars no more)
that only contains a..z, A..Z and 0..9 ? It's just an experiment...

--
Jorge.
From: Bwig Zomberi on 13 May 2010 06:47

Johannes Baagoe wrote:
> Ry Nohryb :
>> Bwig Zomberi :
>
>>> Sending the password (encrypted or otherwise) to the client is simply a
>>> wrong approach to security.
>
>> The pwd never ever travels through the net, it's entered by the user of
>> the page, and never ever leaves the client, it's just used to decrypt
>> the payload and then can be destroyed.
>
> On the other hand, if the client is the human being who pays for the
> service, I fail to see why sending her the password via gpg poses
> a great security risk.
>

By "the encrypted value either in an Array of Numbers or as a
base64-encoded String" I thought you meant the password. I realize you
are suggesting key-pair technology, which means the password need not be
stored with the encrypted container. A neat solution. >:)

For adequate logging, you might add that an XHR is made to the server
after successful decryption.

--
Bwig Zomberi
From: Johannes Baagoe on 13 May 2010 06:52

Ry Nohryb :
> Johannes Baagoe :
>> Maybe an hour or two will be enough, if it is acknowledged that
>> the security seems to be adequate after all :)
>
> $1k? :-D

No, no, that is VK, and it is $10k :)

(Maybe, when he started on Shannon's Clairvoyant being used by
professional cryptographers, I should have mentioned that I happen to
have been one, with an "Autorisation administrative d'usage, de détention
et de fourniture d'armes de guerre de deuxième catégorie" [administrative
authorisation for the use, possession and supply of second-category
weapons of war] to prove it.)

> I'd like to try a brute force attack with a bookmarklet and
> webworkers, but, for that, could you please add there if you don't
> mind, in that same page, another "secret" that uses a short pwd
> (say 3 or 4 chars no more) that only contains a..z, A..Z and
> 0..9 ? It's just an experiment...

OK, done. 4 chars.

--
Johannes
From: Johannes Baagoe on 13 May 2010 07:11

Bwig Zomberi :
> By "the encrypted value either in an Array of Numbers or as a
> base64-encoded String" I thought you meant the password.

Goodness! I wouldn't even dream of that...

> I realize you are suggesting key-pair technology,

If you mean public-key, it is simpler than that, just a shared keyword
for an old-fashioned symmetrical block cipher. The keyword has to be
transmitted by another, secure channel.

> which means the password need not be stored with the encrypted container.
> A neat solution. >:)

Dr Stockton's idea, actually. I hadn't thought of it before. I am not
sure it is useful, either...

> For adequate logging, you might add that an XHR is made to the server
> after successful decryption.

Quite. It is only a proof of concept, and if it is ever to serve a
useful purpose, there is a lot to add and to tidy. But it refutes the
categorical statement of the FAQ.

--
Johannes