[whatwg] whatwg Digest, Vol 82, Issue 17 from Seth Brown on 2011-01-06 (public-whatwg-archive@w3.org from January 2011)

From: Seth Brown <learc83@gmail.com>
Date: Wed, 5 Jan 2011 22:10:34 -0500
Message-ID: <AANLkTimBLAYhtLvvE4aqn3ym2u9LCnvzftt+1esikh_9@mail.gmail.com>

The hash thing wasn't my idea in the first place, and now that you
bring up the point about hashes not guaranteeing sameness it's
probably not wortj implementing.

However, the hash idead wasn't intended to replace other security. It
was merely a way to try to get around the possibility of a site that
you granted device access to being compromised (through XSS or other
means) even if you are communicating through HTTPS.

I guess there really isn't a great way to verify that a site hasn't
been compromised. Other than trusting that they have done sufficient
security auditing to prevent XSS and other attacks.

> Date: Wed, 05 Jan 2011 17:29:10 +0100
> From: Roger H?gensen <rescator at emsai.net>
> To: whatwg at lists.whatwg.org
> Subject: Re: [whatwg] whatwg Digest, Vol 82, Issue 10
> Message-ID: <4D249C56.20801 at emsai.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> A hash (any hash in fact, even "secure" ones) can only guarantee that
> two pieces of data are different!
> A hash can NEVER guarantee that two pieces of data are the same, this is
> impossible.
> A hash can only be used to make a quick assumption that the data
> probably are the same,
> thus avoiding expensive byte by byte comparison in cases where the
> hashes differ.
> If the hashes are the same then only a byte by byte comparison can
> guarantee the data are the same.
> Any cryptography expert worth their salt will agree to the statements above.
>
> HTTPS which is continually evolving is a much better solution than just
> relying on hashes and plain http,
> I cringe each time I see a "secure" script that is delivered over http
> which purpose is to encrypt the password you enter and send it to the
> website.
> HTTP authentication however isn't so bad if only the damn plaintext
> "basic" support was fully deprecated AND disallowed,
> then again now that you can get domain certificates for free that are
> supported by the major browsers HTTP Authentication is kinda being
> overshadowed by HTTPS, which is fine I guess.
>
> Just please don't "slap a hash on it" and think it's safe, that's all
> I'm saying really.
>
>
> --
> Roger "Rescator" H?gensen.
> Freelancer - http://www.EmSai.net/

Received on Wednesday, 5 January 2011 19:10:34 UTC