[progress Communities] [progress Openedge Abl] Forum Post: Re: Password Encryption At...

Status
Not open for further replies.
jankeir

Guest
I think if you can't trust the browser, any attempt is futile. If the attacker has access to the password in the DOM/developer tools, why would he not have the ability to capture the password while it is being typed? It doesn't matter if you encrypt it before sending if the attacker has already captured it while it was being typed. If the attacker doesn't have access to the browser but somehow managed to insert a root certificate or in another way managed to create a man-in-the-middle attack, he could easily modify the login page to take out the encryption part and do it 'in the middle', so your server doesn't notice but he still sees the password. SSL already does asymmetric cryptography; that's what it's for. If you don't trust SSL, why would you trust your own algorithm (which is being passed over and only verified by SSL!)? Any successful attack on SSL would be sufficient to remove whatever extra encryption you add before it is even done. Any successful attack on the browser would also be sufficient to get the password even before it is seen by your algorithm.
