javascript question (in order to secure my web)

Post by lord »

javascript question (in order to secure my web)... :D

I have a web page with a system of users and passwords to admin the system. I don't have HTTPS, so passwords and usernames go to the server in plain text. In order to increase security, I'm using an implementation of some secure hash algorithms. Yeah, all good, no? But when a user browses my web page, he can go to File > Save Page As, and actually download the web page. And when downloading my page, the JavaScript is downloaded too, with the description of my secure algorithms... a security problem.

How can I stop this page from being downloaded, or stop the JavaScript from being downloaded?

Post by tokumaru »

You're using javascript to secure your page? That will never be actually safe. Search the web for "HTML compression". There are some tools that will compress your pages, resulting in something unreadable for humans. The page will then be decompressed after it's transferred to the client, through javascript.

This will make your code/logic pretty much unreadable, but someone with time on their hands will still be able to decode the stuff, as the decoding routine will have to be there somewhere.

There are ways to mangle your code, and using HTML compression is one of them. Look for it, I'm sure there are some freeware utilities for that.

Post by Quietust »

Security through obscurity is not a particularly good solution, as it tends to fall apart once somebody looks at it more closely. Even if you encrypt your passwords using Javascript before sending them across the wire, somebody could just as easily sniff the encrypted password and send it right back down again, unless you use a special authentication script with multiple handshakes to prevent a 'replay attack'.

If you cannot use HTTPS, then my recommendation is to just tell people to use different passwords from what they use for secure stuff. Even so, look at these forums - they don't use HTTPS or javascript to encrypt your password when you login, and it's generally not a problem unless somebody else on your LAN is sniffing traffic.
Quietust, QMT Productions
P.S. If you don't get this note, let me know and I'll write you another.
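
Added example, not part of any post in this thread: the replay problem and the nonce-based handshake that Quietust's post describes, sketched for Node.js. The account, password and all function names are constructed for illustration.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest('hex');

// Constructed sample account: the server stores sha256(password) as the shared secret.
const users = { admin: sha256('correct horse battery') };

// Constant-time comparison of two hex strings.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Scheme 1: the browser sends sha256(password). The hash is now the credential,
// so anyone who captures it on the wire can send it again unchanged.
function staticLogin(user, sentHash) {
  return users[user] !== undefined && safeEqual(users[user], sentHash);
}

// Scheme 2: the server issues a one-time nonce; the browser answers HMAC(secret, nonce).
const pending = new Map(); // nonce -> { user, expires }

function issueChallenge(user, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, { user, expires: now + 60000 });
  return nonce;
}

// What the page's script would compute from the typed password and the nonce.
function clientResponse(password, nonce) {
  return hmac(sha256(password), nonce);
}

function challengeLogin(user, nonce, response, now = Date.now()) {
  const entry = pending.get(nonce);
  pending.delete(nonce); // single use: a replayed nonce is no longer known
  if (!entry || entry.user !== user || now > entry.expires) return false;
  if (users[user] === undefined) return false;
  return safeEqual(hmac(users[user], nonce), response);
}

function demo() {
  const captured = sha256('correct horse battery');    // value visible on the wire in scheme 1
  const replayStatic = staticLogin('admin', captured); // accepted without knowing the password
  const nonce = issueChallenge('admin');
  const resp = clientResponse('correct horse battery', nonce);
  const first = challengeLogin('admin', nonce, resp);  // legitimate login
  const replay = challengeLogin('admin', nonce, resp); // same bytes sent again
  return { replayStatic, first, replay };
}
```

The handshake only stops passive replay: the stored hash is still password-equivalent on the server, and without HTTPS the script itself can be altered in transit.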