plain password sent over the net ?

Tjipto
Posts: 4
Joined: Fri Jun 14, 2002 4:08 pm
Location: Indonesia

plain password sent over the net ?

Postby Tjipto » Tue Jul 30, 2002 9:42 pm

Why don't you hide your webmail password on the client side with the MD5 method (JavaScript code)?
MD5 hashing can make your mail more secure! :idea:


best regards

Adam_S
Posts: 10
Joined: Mon Jun 17, 2002 1:06 am
Location: Bristol, United Kingdom

Postby Adam_S » Wed Jul 31, 2002 12:48 am

One problem in doing that is that if the client has switched off JavaScript, or if they are accessing their webmail from a network where JavaScript is not enabled, then they will not be able to use the service.

I suppose it could test whether JavaScript is enabled and send it encrypted where possible, BUT when the MD5-hashed password is sent, there is nothing to stop someone from sniffing it and authenticating to the system with that instead.

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Postby MailEnable » Wed Jul 31, 2002 4:06 am

We actually implemented an MD5 hash first up, but we removed it because it was a nightmare to manage the scripting across different browsers.

Instead we opted to use SSL as this would allow the entire session to be encrypted (including when people change their passwords etc).
Only problem is cost of the offloader/CPU hit and the fact that the SSL cert is almost the same cost as ME Pro itself - so now MD5 is back on the table (along with some token based authentication mechanisms).

Cheers,

Dave
Regards, Andrew

jmw
Posts: 4
Joined: Wed Jul 31, 2002 3:58 am
Location: Toledo, OH

continued support?

Postby jmw » Wed Jul 31, 2002 5:01 am

Will you continue to support https/ssl in addition to the new methods?

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Postby MailEnable » Wed Jul 31, 2002 5:14 am

Absolutely - it is just an add-on (2 additional web pages from memory). HTTPS works fine for me (and most financial institutions!) :-)
Regards, Andrew

Tjipto
Posts: 4
Joined: Fri Jun 14, 2002 4:08 pm
Location: Indonesia

Sniff... sniff.... get out :-)

Postby Tjipto » Thu Aug 01, 2002 5:09 pm

You can make your password more secure against sniffing by adding a random number and keeping it in the server session. In the client browser, the password + random number is passed over the net after first being encrypted with MD5.
On the server you can compare the encrypted MD5 from the client with the encrypted original password in the database + the random number saved in the last server session.

You will have a random encrypted password passing over the net.
Because in my country it is very expensive to buy an SSL certificate for a small office :-( this method is very, very useful :-)

Best regards

mikec

affordable SSL

Postby mikec » Wed Aug 28, 2002 1:57 am

www.instantSSL.com offers certs for very reasonable fees... I have used this service and found no problem with installation.
