Topic: Security of Pun's authentification

Hello, everybody!
Pun's authentification based on cookies is safe, isn't it?
Maybe someone is thinking about it? Maybe someone is remaking it?
What do you know about ways to "go through" it?
How can I improve this authentification?

Re: Security of Pun's authentification

It's as safe as possible. AFAIK no one is rewriting it or intending to. If I knew a way through it I wouldn't tell you :P You probably can't (much).

Re: Security of Pun's authentification

Connorhd
Simply, we decided to greatly improve it... so I ask you... is it really needed to improve it?... what can we improve and how :)

Re: Security of Pun's authentification

spec wrote:

Connorhd
Simply, we decided to greatly improve it... so I ask you... is it really needed to improve it?... what can we improve and how :)

You decided to improve it, so you want to know how? ;)
I think you might have the steps backwards, you should have an idea in mind before deciding to do something :P

Re: Security of Pun's authentification

We could always use javascript for MD5ing passwords before they're sent. Of course, this requires around 6k more javascript, but it's quite effective.

Re: Security of Pun's authentification

And no one without JavaScript can log in?

Re: Security of Pun's authentification

No, have a field that if javascript is enabled, change so that the PHP knows whether to use it or not.

Re: Security of Pun's authentification

Can you point to at least one site using JavaScripted MD5?
All mail servers I know use a simple POST password.

Re: Security of Pun's authentification

Dexus wrote:

Can you point to at least one site using JavaScripted MD5?
All mail servers I know use a simple POST password.

vBulletin 3.0

Re: Security of Pun's authentification

And for all the other skeptics as well: http://pajhome.org.uk/crypt/md5/

(I can't believe how many people freak out over a simple, easy, and effective solution.)

Re: Security of Pun's authentification

Just sending over the MD5 is bad, you should use an MD5 challenge handshake system. I had written an implementation in JS a while back. I'm pretty sure Yahoo mail uses this method also. If you need some help w/ this email me.

Re: Security of Pun's authentification

Slow down a second...

You're trying to fix something that isn't broken.

13 (edited by Bwongar.com 2005-04-06 18:09)

Re: Security of Pun's authentification

Connor, it's not a fix. It's just an idea. Or possibly a feature.

Just because someone suggests something doesn't mean it's fixing something. It's a request to improve the current design. Don't take it personally.

EDIT: I'd love to hear Rickard's opinion. After all, it's his software :)

Re: Security of Pun's authentification

rajivm wrote:

Just sending over the MD5 is bad, you should use an MD5 challenge handshake system. I had written an implementation in JS a while back. I'm pretty sure Yahoo mail uses this method also. If you need some help w/ this email me.

I think I saw something like this on the PHP site. However I don't see how sending an MD5 is worse than sending a clear-text password. :)

Re: Security of Pun's authentification

With a challenge handshake there is more involved than only an MD5. So in theory it is safer than just a clear-text passwd.

But why this discussion ???. So far the bugs that rise to the surface are SQL injection and XSS related. So far the protection scheme is working like it should ??

But then again I haven't really reviewed the authentication code yet.
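
The difference between sending a static hash and a challenge handshake, as an added example that is not part of any post in this thread and is not PunBB's code. It uses HMAC-SHA-256 in place of the MD5 discussed above; the account, the function names and the 60-second nonce lifetime are assumptions made for the illustration.

```javascript
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Constructed sample account; `stored` stands in for the forum's password hash.
const users = { alice: { stored: sha256("correct horse") } };
const pending = new Map(); // nonce -> { user, expires }

// Server: hand out a fresh random nonce for each login attempt.
function issueChallenge(user, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString("hex");
  pending.set(nonce, { user, expires: now + 60_000 });
  return nonce;
}

// Client: the response depends on the nonce, so it differs on every login.
function clientResponse(password, nonce) {
  return crypto.createHmac("sha256", sha256(password)).update(nonce).digest("hex");
}

// Server: recompute the response from the stored hash and compare.
function verifyResponse(user, nonce, response, now = Date.now()) {
  const entry = pending.get(nonce);
  pending.delete(nonce); // single use: a captured response cannot be replayed
  if (!entry || entry.user !== user || entry.expires < now || !users[user]) {
    return false;
  }
  const expected = crypto
    .createHmac("sha256", users[user].stored)
    .update(nonce)
    .digest();
  const got = Buffer.from(String(response), "hex");
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// For comparison: a client-side hash sent as-is is the same value on every
// login, so whoever records it once can log in with it, like a password.
function verifyStaticHash(user, sentHash) {
  return Boolean(users[user]) && sentHash === users[user].stored;
}
```

In this scheme the stored hash is itself password-equivalent for anyone who can read the database, and the handshake does nothing for the session cookie that follows the login.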

Re: Security of Pun's authentification

Orpheus wrote:

But why this discussion ???

The question was raised 'How can we make this more secure?' so I just put in my two cents.

Re: Security of Pun's authentification

Bwongar.com wrote:
Orpheus wrote:

But why this discussion ???

The question was raised 'How can we make this more secure?' so I just put in my two cents.

I didn't mean you with it. It was more a question for the topic starter.

Your handshake idea sounds good. But it relies on JavaScript, which is not always enabled, and support can vary by browser.

If the TS wants better protection then first make sure you're using SHA1 instead of MD5 if not already.

Re: Security of Pun's authentification

SHA1 is broken

Re: Security of Pun's authentification

Bwongar.com wrote:

SHA1 is broken

Thx for the URL. Good to know. Well, I'm off changing the protection schemes :D

Re: Security of Pun's authentification

Yeah, I had been looking into converting all my stuff to SHA1 when I found that link. I know MD5 is nearing its end-days but it's still better than SHA1! :)

BTW, upgrade your FreeBSD box! :P

Re: Security of Pun's authentification

What do you think about remaking Pun's authentification on sessions?

Re: Security of Pun's authentification

From what I understand, firstly Rickard (I think) posted http://www.schneier.com/blog/archives/2 … roken.html ages ago, and also, it doesn't make SHA1 useless, they can just crack it slightly more easily, and it's still more effective than MD5.

23 (edited by Bwongar.com 2005-04-06 19:45)

Re: Security of Pun's authentification

Connorhd wrote:

it doesn't make SHA1 useless, they can just crack it slightly more easily, and it's still more effective than MD5

What? That doesn't make sense to me. It's easier to crack... but more effective.

EDIT: Oh, and sorry about posting something that has been posted before. :rolleyes:

Re: Security of Pun's authentification

Connorhd, Bwongar.com
What do you think about remaking Pun's authentification on sessions?

Re: Security of Pun's authentification

Orpheus made a good point. Spending time auditing the code for possible SQL injections and cross-site scripting vulnerabilities is much higher on my list of things to do. I'm not saying I'm not open to improvements in the authentication procedure, but it's hardly PunBB's weak spot.

"Programming is like sex: one mistake and you have to support it for the rest of your life."