Feature Requests for CMSMS 2 Core
-
SimonSchaufi
Feature Requests for CMSMS 2 Core
Login:
Before the password will be sent to the server, it could be crypted in MD5 via JavaScript. That is what Typo3 is doing. Only if this is more secure
Last edited by SimonSchaufi on Thu Aug 16, 2007 9:26 am, edited 1 time in total.
Re: Future Requests for CMSMS 2 Core
I can't really see the benefit..
You can still sniff the MD5 sum and use that.
-
Pierre M.
Re: Future Requests for CMSMS 2 Core
What about a JavaScript key logger? It could sniff clear text passwords and post them on the web, newsgroups, IRC...
Have fun
Pierre M.
-
Pierre M.
Re: Future Requests for CMSMS 2 Core
Hello again,
As I'm no security expert, I don't know for sure if your idea is good or not. I welcome your intention to secure the communication.
But as I guess from tsw's post, if you care about sniffing, MD5 isn't enough of a win because it doesn't solve sniffing as SSL does. There are people building MD5 dictionaries to revert hash obfuscation.
Obfuscation is good but attackers know it is not security.
Pierre M.
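The two objections raised in the replies above (a sniffed MD5 sum can be reused, and MD5 dictionaries can reverse the hash), as an added JavaScript (Node.js) example that is not part of the original thread and is not CMSMS or TYPO3 code. The account store, user name, password and word list are constructed for illustration.

```javascript
// Added illustration: all names and sample data below are constructed.
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed server-side account store. The server keeps md5(password),
// because that is all the browser ever sends it under this scheme.
const accounts = new Map([['editor', md5('sunshine')]]);

// What the proposed login script would do in the browser before submitting.
function clientSubmit(user, password) {
  return { user, hash: md5(password) };
}

// Server check: compares the submitted hash with the stored one.
function serverLogin(req) {
  const stored = accounts.get(req.user);
  if (!stored || typeof req.hash !== 'string') return false;
  if (stored.length !== req.hash.length) return false;
  return crypto.timingSafeEqual(Buffer.from(stored), Buffer.from(req.hash));
}

// Point 1: the hash is now the credential. A request body recorded on an
// unencrypted connection is accepted again, byte for byte, with no
// knowledge of the password behind it.
function replayAccepted() {
  const onTheWire = JSON.stringify(clientSubmit('editor', 'sunshine'));
  return serverLogin(JSON.parse(onTheWire));
}

// Point 2: unsalted MD5 of a common password is recovered from a
// precomputed table (the "MD5 dictionaries" mentioned in the reply).
function lookup(hash, wordlist) {
  const table = new Map(wordlist.map((w) => [md5(w), w]));
  return table.get(hash) ?? null;
}

console.log('replayed request accepted:', replayAccepted());
console.log('table lookup:', lookup(md5('sunshine'), ['letmein', 'sunshine', 'qwerty']));
```

Hashing in the browser changes what is captured, not whether it can be used. Protecting the transport with SSL, as the reply says, is what addresses sniffing.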
-
SimonSchaufi
Re: Feature Requests for CMSMS 2 Core
OK, let's close this topic and start a new topic here in this thread, or shall I create a new one?
A very big future request would be to check the user input in some fields, like the UDT name (no "-" inside), creating a new user -> correct email address (pregmatch), and so on. There is no checking at all!
Another very important request is this: if a user can create new pages but has no right to edit all pages, he shall only create new pages UNDER the page he has access to and not at the root. At the moment, after he creates a page it is in the main menu and he has no access to edit the main menu.
Last edited by SimonSchaufi on Thu Aug 16, 2007 9:27 am, edited 1 time in total.

