FAQ Topic - How can I prevent access to a web page by using javascript? (2010-05-09)
in [JavaScript]
|
Prev: THE LAST ONLINE CASINO SECURITY LINE
Next: FAQ Topic - How can I prevent access to a web page by using javascript?(2010-05-09)
From: Bwig Zomberi on 13 May 2010 07:52 Johannes Baagoe wrote: > Bwig Zomberi : > > >> A neat solution.>:) > > Dr Stockton's idea, actually. I hadn't thought of it before. I am not > sure it is useful, either... >> For adequate logging, you might add that a XHR is made to the server >> after successful decryption. > > Quite. It is only a proof of concept, and if it is ever to serve > a useful purpose, there is a lot to add and to tidy. > > But it refutes the categorical statement of the FAQ. So, the FAQ should say that while it is possible to do it on the client-side (browser), it is not the recommended way. The web application should be in control. Server-side code should authenticate access. Sending encrypted content to unauthorised users would make the content susceptible to brute-force and weakness attacks. -- Bwig Zomberi
From: Johannes Baagoe on 13 May 2010 08:40 Bwig Zomberi : > So, the FAQ should say that while it is possible to do it on > the client-side (browser), it is not the recommended way. The web > application should be in control. Server-side code should authenticate > access. Sending encrypted content to unauthorised users would make > the content susceptible to brute-force and weakness attacks. I am not prepared to say anything that general. For a few pages only meant for friends and family, this kind of solution could well be the most convenient way to ensure privacy. It does not require root access to the server, nor .htaccess files or similar, nor any particular application. It could be made quite easy to implement by anyone with minimal skills, the kind of thing anyone can do on his homepage. And *if* the crypto part is good (I haven't checked it intensively) and the passwords strong, it should be quite safe. On the other hand, if the secrets are really important, nothing can possibly replace competent professional advice and some rather annoying procedures. Real security is a global culture, not a mere technology. Life is much easier if one can avoid it, but if one cannot, there is no easy solution, whether server-side or client-side or both. Frankly, I don't know. I could probably say more if I had a better view of what, exactly, the supposed poster of the Frequently Asked Question has in mind. Given the vague and general nature of the question, I cannot say if he should be warned not to try, or whether a solution can be proposed, with the appropriate caveats. -- Johannes
From: Ry Nohryb on 13 May 2010 11:22 On May 13, 12:52 pm, Johannes Baagoe <baa...(a)baagoe.com> wrote: > Ry Nohryb : > > >Johannes Baagoe : > >> Maybe an hour or two will be enough, if it is acknowledged that > >> the security seems to be adequate after all :) > > $1k? :-D > > No, no, that is VK, and it is $10k :) (Maybe, when he started on > Shannon's Clairvoyant being used by professional cryptographers, > I should have mentioned that I happen to have been one, with an > "Autorisation administrative d'usage, de détention et de fourniture > d'armes de guerre de deuxième catégorie" to prove it.) > > > I'd like to try a brute force attack with a bookmarklet and > > webworkers, but, for that, could you please add there if you don't > > mind, in that same page, another "secret" that uses a short pwd > > (say 3 or 4 chars no more) that only contains a..z, A..Z and > > 0..9 ? It's just an experiment... > > OK, done. 4 chars. Coov,***** This, I agree, is no real security :) :-)) (function (v) { function newVector (v, baseChars) { v.__proto__= { baseChars: baseChars, base: baseChars.length, getKey: function () { var key= ""; var i= this.length; while (i--) { key= this.baseChars[this[i]]+ key; } return key; }, inc: function () { var i= 0, resto; do { if (resto= (this[i]+= 1) >= this.base) this[i]= 0; } while ((++i < this.length) && resto); return this; }, dec: function () { var i= 0, resto; do { if (resto= (this[i]-= 1) < 0) this[i]= this.base-1; } while ((++i < this.length) && resto); return this; } }; v.__proto__.__proto__= Array.prototype; return v; } var stat= document.getElementById('idStatus') || document.body.appendChild(document.createElement('pre')); var vector= newVector(v, "6WNtRvp3ThXgJIjSZxVb2m5saA4KfdCoBnHeOy7D8cz9LYlPkiMUuE1qQw0rGF".split("")); var n= 0; (function loop () { var key= vector.getKey(); var txt= AesCtr.decrypt(crypt0, key, 256); if (txt.substring(0, 5) === '*****') { alert([key, txt]); return; } if (!(++n % 100)) { stat.innerHTML= [n, "[ "+ vector+ " ]", key]; setTimeout(loop, 0); return; } vector.inc(); loop(); })(); })([0,0,0,0]); -- Jorge.
From: Johannes Baagoe on 13 May 2010 11:25 Ry Nohryb : > Coov,***** This, I agree, is no real security :) Well done ! Now, what about the real password ? Shall I post it, or does anyone want more time to try ? -- Johannes
From: Ry Nohryb on 13 May 2010 11:32
On May 13, 12:52 pm, Johannes Baagoe <baa...(a)baagoe.com> wrote: > Ry Nohryb : > > >Johannes Baagoe : > >> Maybe an hour or two will be enough, if it is acknowledged that > >> the security seems to be adequate after all :) > > $1k? :-D > > No, no, that is VK, and it is $10k :) (Maybe, when he started on > Shannon's Clairvoyant being used by professional cryptographers, > I should have mentioned that I happen to have been one, with an > "Autorisation administrative d'usage, de détention et de fourniture > d'armes de guerre de deuxième catégorie" to prove it.) > > > I'd like to try a brute force attack with a bookmarklet and > > webworkers, but, for that, could you please add there if you don't > > mind, in that same page, another "secret" that uses a short pwd > > (say 3 or 4 chars no more) that only contains a..z, A..Z and > > 0..9 ? It's just an experiment... > > OK, done. 4 chars. Coov,***** This, I agree, is no real security :) :-)) (function (v) { function newVector (v, baseChars) { v.__proto__= { baseChars: baseChars, base: baseChars.length, getKey: function () { var key= ""; var i= this.length; while (i--) key= this.baseChars[this[i]]+ key; return key; }, inc: function () { var i= 0, resto; do { if (resto= (this[i]+= 1) >= this.base) this[i]= 0; } while ((++i < this.length) && resto); return this; }, dec: function () { var i= 0, resto; do { if (resto= (this[i]-= 1) < 0) this[i]= this.base-1; } while ((++i < this.length) && resto); return this; } }; v.__proto__.__proto__= Array.prototype; return v; } var stat= document.getElementById('idStatus') || document.body.appendChild(document.createElement('pre')); var vector= newVector(v, "6WNtRvp3ThXgJIjSZxVb2m5saA4KfdCoBnHeOy7D8cz9LYlPkiMUuE1qQw0rGF".split("")); var n= 0; (function loop () { while (++n % 100) { var key= vector.getKey(); var txt= AesCtr.decrypt(crypt0, key, 256); if (txt.substring(0, 5) === '*****') return alert([key, txt]); vector.inc(); } stat.innerHTML= [n, "[ "+ vector+ " ]", key]; setTimeout(loop, 0); })(); })([0,0,0,0]); (Slightly better than the one in my previous post: no recursive calls to loop()) -- Jorge. |