|
Which part of the truck analogy was too complicated? And it's rather simple to not share the salt
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
|
|
|
|
|
Eddy Vluggen wrote: Which part of the truck analogy was too complicated?
We're not talking about Twitter, we're talking about your belief that javascript security is a good idea, and why it actually isn't.
Eddy Vluggen wrote: And it's rather simple to not share the salt
Not if you are using javascript.
|
|
|
|
|
F-ES Sitecore wrote: Not if you are using javascript. So who limits you to JavaScript on the client?
F-ES Sitecore wrote: We're not talking about Twitter Correct, we're not talking at all.
F-ES Sitecore wrote: your belief that javascript security is a good idea, and why it actually isn't. I do not believe anything. I know, or I'll verify, but belief is not my beef. I also haven't advocated JS security; you're jumping to conclusions again
|
|
|
|
|
Eddy Vluggen wrote: So who limits you to JavaScript on the client?
We were talking in the context of major websites like twitter. If you're now saying that for the last 5 messages or whatever you weren't talking about js but some other as yet unidentified technology then I can't tell if you're waving or drowning.
|
|
|
|
|
F-ES Sitecore wrote: I can't tell if you're waving or drowning. Why would I care about that?
|
|
|
|
|
I'm not asking you to care, I'm saying that what you're saying is so implausible and flip-flops so much I don't know if you genuinely believe what you're saying or if you know your argument is dead but you're trying to save face.
|
|
|
|
|
F-ES Sitecore wrote: I'm saying that what you're saying is so implausible and flip-flops so much I don't know if you genuinely believe what you're saying or if you know your argument is dead but you're trying to save face. That's not my problem
I also do not care how it looks, I'm not here to make a good impression. I'm here to help, voluntarily. I would also like to point out that your lack of understanding does not imply that I should try harder to school you. On the contrary, I'm going outside and have a great evening. If you want my expertise, I suggest you mail a decent offer as I do not feel inclined to share anything with you
|
|
|
|
|
Any lack of understanding you think I have is a figment of your imagination, an attempt to divert attention away from the ridiculous things you have actually said on this thread such as web clients should be responsible for security. Enjoy your evening, but if this thread is an indicator of your level of expertise then don't wait by the door for that offer.
|
|
|
|
|
F-ES Sitecore wrote: Any lack of understanding you think I have is a figment of your imagination, It may just be that you are incapable of reading of course
F-ES Sitecore wrote: an attempt to divert attention away from the ridiculous things you have actually said on this thread such as web clients should be responsible for security. I will never point to a single item and make it responsible for security.
F-ES Sitecore wrote: Enjoy your evening, but if this thread is an indicator of your level of expertise then don't wait by the door for that offer. Thank you, I will - there's chicken tonight
|
|
|
|
|
Eddy Vluggen wrote: It may just be that you are incapable of reading of course
The only opinion I've really offered has been to state that HTTPS protects the password in transport, everything else I've said has been trying to pin you down on your belief that the client should also be involved in security by encrypting or (as you later changed to) hashing with salt, and why you think those things are good ideas. You subsequently abandoned this to hint at some un-named technology should be used instead.
Eddy Vluggen wrote: I will never point to a single item and make it responsible for security.
I didn't say "solely responsible", but you said the client should encrypt/hash before transmitting, ergo should be responsible. If you want to focus on the interpretation of words rather than your actual arguments then I guess you can't have a lot of faith in them.
|
|
|
|
|
F-ES Sitecore wrote: The only opinion I've really offered has been to state that HTTPS protects the password in transport As the article explained, this one was leaked outside of transport. I gave you a VERY easy example to explain that.
F-ES Sitecore wrote: on your belief that the client should also be involved in security by encrypting or (as you later changed to) hashing with salt I do not "believe", and despite your misquoting I did not go from encrypting to hashing. I also did not abandon any view.
F-ES Sitecore wrote: you said the client should encrypt\hash before transmitting ergo should be responsible. That's a non-sequitur, quod Eddy demonstrandum.
F-ES Sitecore wrote: If you want to focus on the interpretation of words rather than your actual arguments then I guess you can't have a lot of faith in them. You are focussing on pinning me; I'm focussing on whacking you and having fun. It is never going to be a productive "discussion", hence the suggestion to end it.
|
|
|
|
|
Eddy Vluggen wrote: As the article explained, this one was leaked outside of transport
Why does that invalidate what I said?
Eddy Vluggen wrote: I do not "believe", and despite your misquoting I did not go from encrypting to hashing. I also did not abandon any view
V asked "shouldn't passwords be encrypted even before they are sent to the server".
You responded "I'd go for "both""
That suggests to me that you think the client should be involved in security? You then went on to defend the process of hashing with salt via js rather than saying "Oh, no, that's not what I meant" so that confirms that is what you believe. You then abandoned the js angle entirely by saying that it isn't the only technology you can use on the client, implying that perhaps you didn't mean js after all?
Are you aware that everything you have written is available for anyone to go back and look at?
|
|
|
|
|
F-ES Sitecore wrote: Are you aware that everything you have written is available for anyone to go back and look at? Yes, that's why I keep it going
You not amused?
|
|
|
|
|
If I was clearly as wrong as you are and as equally determined not to admit it, I'd try and divert away from the actual issues too. When caught out I might even say I was just trolling, I hear that's popular with the kids today too.
|
|
|
|
|
|
"Mirroring is the subconscious replication of another person's nonverbal signals"
Clutching at straws much?
Eddy Vluggen wrote: I have no need to troll
You a mere few posts ago;
"I'm focussing on whacking you and having fun"
Can I just ask again, you are aware that everyone can go back and verify what you've written?
|
|
|
|
|
F-ES Sitecore wrote: Can I just ask again, you are aware that everyone can go back and verify what you've written? Yes; banking on it
|
|
|
|
|
Eddy Vluggen wrote: Yes; banking on it
Ditto. Everyone can see you're using the excuse of trolling when being called out giving bad advice and failing to be able to back it up.
|
|
|
|
|
You're really having trouble reading
|
|
|
|
|
And you have trouble justifying your technical advice.
So let's sum up, again
You think javascript should be involved in encrypting passwords before sending them to servers despite the fact that this gives away any keys and algorithms used in the encryption. You then said that they should hash them with salt, despite the fact that would expose the salt. Failing to explain why neither of these issues is of concern, you then attempted to say that the client technology doesn't have to be javascript but something else that you didn't elaborate on. Rather than explain yourself we've had you backpedaling, employing a range of fallacious arguments, implying you're just trolling and so on, all to (and this is how it appears to me) drag the discussion away from your original advice because you can't back it up and you're unwilling to simply admit that you were wrong.
|
|
|
|
|
V. wrote: shouldn't passwords be encrypted even before they are sent to the server?
That's not really possible; HTTPS is there to protect the data in transit so that it's never exposed in plain text.
|
|
|
|
|
...as does Twitter. SSL is for transport, and as you can read in the article, once received, it enters the system. It was logged in plaintext.
So, no, having SSL does not mean that it is "never" exposed. If you are saying it is not possible for others to get the password due to SSL, then again, Twitter shared this message (and took a hit in the value of their stocks!) because the password was visible in plain text to the employees of Twitter.
TL;DR - yer wrong.
|
|
|
|
|
I said HTTPS means it isn't exposed in transit. The fact that you implied I meant HTTPS means the data can never ever be exposed no matter what you do with that data after you receive it is just a straw-man argument.
TL;DR - yer a troll
|
|
|
|
|
In this case enough strawman argument to warrant a password-change.
|
|
|
|
|
Your argument was a straw-man one because you misrepresented what *I* said, twitter is irrelevant. If you have no counter to my rebuttal against your misrepresentation of what I said then I'll take that as an admission.
|
|
|
|