Hacker News new | past | comments | ask | show | jobs | submit login

No - As mentioned in a comment elsewhere, these kinds of experiments fall dangerously into a category of duct-tape crypto.

If you want secure password transfer, do not construct a ghetto solution with stacked hashes, but use a proper protocol like SRP (which, again, is pointless unless the client is trusted).

Especially in the case of Twitter, doing this provides absolutely nothing in respect to credential confidentiality as both sites of the transaction is written by Twitter.




I don't get it. Assuming that a passivly listening attacker has broken TLS, additionally hashing at the client is helpful. The service at hand is now (most likely) insecure, but at least other services do not suffer from the plaintext password being exposed. It's an advantage, albeit small, but it's easy to do with virtually no risk of error.


Stacking hashes is not cryptographically sound. The additional hashing weakens the credentials. Cryptographic hashing is a very fragile subject.

"Assuming an attacker has broken TLS" - this makes no sense. If I had broken TLS, I could send you a login form with no hashing. I could modify your legitimate API requests, without the need for your credentials. I could take your token and forge requests as I wanted. All your assumptions go down the drain, as the security relied on the presence of TLS.

Basically, making this setup is generally harmful, while only providing negligible benefit in a doomsday scenario where all bets are off regardless.

If you truly want to have better security, you need an entirely different system. E.g., local private keys used to sign requests, or a proper password exchange/validation protocol. Smacking another hash on top does nothing good, and the idea is a good example of why normal people shouldn't crypto.


I've heard the "additional hashing weakens the credentials" line since I started programming, but no one ever bothers to link a citation, or if just reasoning simply from e.g. the pigeonhole principle seems to realize the increased likelihood of collisions is negligible for typical hash choices. It also flies in the face of common in-practice schemes (pre-bcrypt) like doing n rounds of sha256. There should be no real problem with doing the first round on the client.

I agree with you on the general pointlessness of client hashing, though, and oh what a world if we had pub-priv keys for authentication instead of passwords...


> I've heard the "additional hashing weakens the credentials" line since I started programming, but no one ever bothers to link a citation

The main issue is that security analysis is non-trivial due to the interaction of their security guarantees. The end-result is effectively a new hashing algorithm. Figuring out the properties of this new algorithm requires a new cryptoanalysis (which is more than just avalanche tests).

> It also flies in the face of common in-practice schemes (pre-bcrypt) like doing n rounds of sha256. There should be no real problem with doing the first round on the client.

Old practices are deprecated for good reason, primarily due to flaws. Looking at what we used to do it not that useful.

The main problem is that it's not just "n rounds". The hash on the client must be salted, and it must be salted uniquely for that credential set, and must use a different salt from the backend hash. Plenty of ways to mess this up, and that's before we're even consider the implementation details of salting.

Then comes the interactions between likely different hashes. All in all, it's pretty complicated.

> I agree with you on the general pointlessness of client hashing, though, and oh what a world if we had pub-priv keys for authentication instead of passwords...

Especially with the only sensible procedure being password managers, it's silly we don't have asymmetric authentication. :(


> The additional hashing weakens the credentials.

If it's true, the attacker just has to do additional hashings to crack the password.


I'd like to highlight that "passively listening" was written intentionally. As soon as an attacker becomes active, he's at an incomparably higher risk of being detected.


If TLS is broken, the world has bigger problems. And then they could simply intercept the session cookie either way.


The session cookie isn’t a potentially reused human-readable string though. The password is.


If TLS was broken, I would always be able to get your password by just removing the hashing from the login page. I'd also be able to modify all legitimate requests, and be able to obtain your genuine login tokens for any site.


That requires an active attack though. Yes, that’s always possible if TLS is broken, but it takes more work and is detectable. (Not saying it’s easy to detect, but it’s detectable in theory, where passive sniffing is not.)


If TLS is broken, you lose all message authentication, rendering tampering entirely undetectable.

Passive sniffing requires the same attack vector, and the idea of an attacker only utilizing passive attacks makes no sense.

The point is that additional hashing designed for the premise of "broken TLS" fails the thread model test: It is pointless, as the only time it is applicable is when everything is fallen apart.


TLS itself doesn't have to be broken to have an interceptor.


If your machine has TLS being intercepted nothing matters anymore. That would be the equivalent of having a keylogger installed. There's no point in trying to protect such a client anymore, it's game over then.


Passive interception happens. Especially when you're using a cipher that isn't forward-secure; a breach of the server could allow it to decrypt previous sessions.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: