Last modified: 2013-06-18 16:44:18 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T22187, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 20187 - Encrypted login with JavaScript to reduce password-sniffing risk for HTTP sites
Encrypted login with JavaScript to reduce password-sniffing risk for HTTP sites
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
unspecified
All All
: Low enhancement (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks: 9816
  Show dependency treegraph
 
Reported: 2009-08-11 23:04 UTC by Brion Vibber
Modified: 2013-06-18 16:44 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Brion Vibber 2009-08-11 23:04:35 UTC 
We've done the occasional experiment based on using client-side hashing of the password, but implementing it means you have to be very careful about how you implement your password hashing and internal salting.

Greg Maxwell pointed out this cute little JavaScript RSA library: http://www.ohdave.com/rsa/

Using something like this would allow for submitting the password encrypted using a public key from the server; while this would not protect against any sort of active attack, it would prevent local network traffic sniffing from seeing plaintext passwords.

(Note that while an HMAC could help protect against replay, but you're still stuck with session hijacking.)
Comment 1 Brion Vibber 2011-10-31 22:28:21 UTC 
I'm just gonna WONTFIX this out; while it's plausible to protect against password sniffing, nobody seems willing to commit to it, and we've been pushing more SSL stuff which of course does a far better job of protecting your session.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links