Yahoo! and Login system

[This is a bit off-topic. I'm posting here to get some sort of PHP
solution]

This is regarding secure login implementation in PHP. I'm trying to
understand <http://mail.yahoo.com/>. If I understand right, they're
passing the md5 hash instead of the password itself. But, I couldn't
understand the use of "challenge" string in their mechanism. IIRC,
some time ago, I read somewhere that this kind of system is not secure
at all. Does anyone have any idea?

--
"I don't believe in the God who doesn't give me food, but shows me
heaven!"--Swami Vivekanandha
Email: rrjanbiah-at-Y!com
Jul 17 '05 #1
18 2360
R. Rajesh Jeba Anbiah wrote:
[This is a bit off-topic. I'm posting here to get some sort of PHP
solution]

This is regarding secure login implementation in PHP. I'm trying to
understand <http://mail.yahoo.com/>. If I understand right, they're
passing the md5 hash instead of the password itself. But, I couldn't
understand the use of "challenge" string in their mechanism. IIRC,
some time ago, I read somewhere that this kind of system is not secure
at all. Does anyone have any idea?


If you are speaking about HTTP header fields, this is part of the HTTP
standard. You may read the HTTP RFC for further details.

<http://www.faqs.org/rfcs/rfc2616.html>

--
Guillaume Brocker
Jul 17 '05 #2
Guillaume Brocker <gu***************@ircad.u-strasbg.fr> wrote in message news:<40*********************@news.free.fr>...
R. Rajesh Jeba Anbiah wrote:
[This is a bit off-topic. I'm posting here to get some sort of PHP
solution]

This is regarding secure login implementation in PHP. I'm trying to
understand <http://mail.yahoo.com/>. If I understand right, they're
passing the md5 hash instead of the password itself. But, I couldn't
understand the use of "challenge" string in their mechanism. IIRC,
some time ago, I read somewhere that this kind of system is not secure
at all. Does anyone have any idea?


If you are speaking about HTTP header fields, this is part of the HTTP
standard. You may read the HTTP RFC for further details.

<http://www.faqs.org/rfcs/rfc2616.html>


Thanks for your reply. You might have misunderstood my post. My
question was about secure login implementation & how far Yahoo! is
secure with their system. They use md5 hash as well as "challenge"
string. (I couldn't understand the reason behind "challenge" string;
but I understand the md5 hash).

--
"I don't believe in the God who doesn't give me food, but shows me
heaven!"--Swami Vivekanandha
Email: rrjanbiah-at-Y!com
Jul 17 '05 #3

User "R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in
message news:ab**************************@posting.google.com...
Thanks for your reply. You might have misunderstood my post. My
question was about secure login implementation & how far Yahoo! is
secure with their system. They use md5 hash as well as "challenge"
string. (I couldn't understand the reason behind "challenge" string;
but I understand the md5 hash).


The purpose of the challenge string is to make the md5 hash unique for every
login attempt. Otherwise, if the md5 hash is the same every time, then
someone who's intercepted the hash can just use the hash to log into the
system--in essence, the md5 hash has become the password.

HTTP's digest authentication is based on such a challenge/response mechanism,
so it's worthwhile to take a look at the RFC.


Jul 17 '05 #4
"Chung Leong" <ch***********@hotmail.com> wrote in message news:<RJ********************@comcast.com>...
User "R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in
message news:ab**************************@posting.google.com...
Thanks for your reply. You might have misunderstood my post. My
question was about secure login implementation & how far Yahoo! is
secure with their system. They use md5 hash as well as "challenge"
string. (I couldn't understand the reason behind "challenge" string;
but I understand the md5 hash).


The purpose of the challenge string is to make the md5 hash unique for every
login attempt. Otherwise, if the md5 hash is the same every time, then
someone who's intercepted the hash can just use the hash to log into the
system--in essence, the md5 hash has become the password.

HTTP's digest authentication is based on such a challenge/response mechanism,
so it's worthwhile to take a look at the RFC.


Thanks a lot for your info. I was thinking that he misunderstood my
post. I'll certainly look at the RFC.

BTW, I'm still scratching my head on it. If I understand right,
they're also passing the challenge string to the server and they pass
all the variables via the URL. I still wonder how this will be secure.
Some time ago I read an article that says this method is not secure;
but I lost that link now.
--
"I don't believe in the God who doesn't give me food, but shows me
heaven!"--Swami Vivekanandha
Email: rrjanbiah-at-Y!com
Jul 17 '05 #5
I noticed that Message-ID:
<ab**************************@posting.google.com> from R. Rajesh Jeba
Anbiah contained the following:
BTW, I'm still scratching my head on it. If I understand right,
they're also passing the challenge string to the server and they pass
all the variables via the URL. I still wonder how this will be secure.
Some time ago I read an article that says this method is not secure;
but I lost that link now.


Are they not using javascript to generate a combination MD5 hash?
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #6
Geoff Berrow <bl******@ckdog.co.uk> wrote in message news:<tv********************************@4ax.com>...
I noticed that Message-ID:
<ab**************************@posting.google.com> from R. Rajesh Jeba
Anbiah contained the following:
BTW, I'm still scratching my head on it. If I understand right,
they're also passing the challenge string to the server and they pass
all the variables via the URL. I still wonder how this will be secure.
Some time ago I read an article that says this method is not secure;
but I lost that link now.


Are they not using javascript to generate a combination MD5 hash?


They use JS to generate md5. But, I couldn't get your "hint" :-(

BTW, if I understand right they stuff the challenge string in
session or DB before showing it in form; and after the form gets
submitted (in Yahoo! they use only GET) they validate the inputs. If
this is true, I think CAPTCHA technique will be better than this.

--
"Democracy: Where all citizens are politicians and all politicians
are citizens"
Email: rrjanbiah-at-Y!com
Jul 17 '05 #7
I noticed that Message-ID:
<ab**************************@posting.google.com> from R. Rajesh Jeba
Anbiah contained the following:
Are they not using javascript to generate a combination MD5 hash?


They use JS to generate md5. But, I couldn't get your "hint" :-(


I meant, do they do an MD5 of the password /and/ the challenge string
together. So that the hash would never be the same and could not be
intercepted and used as a password.

Can't see the point of doing an MD5 client side otherwise.

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #8
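The mechanism Chung Leong and Geoff Berrow describe above, written out as an added example (this is not Yahoo!'s code nor code from anyone in this thread): the server stores md5(password) and hands out a random, single-use challenge; the client answers with md5 of that hash combined with the challenge; the server consumes the challenge before checking, so a response captured from the URL cannot be replayed. The class and function names are my own.

```python
import hashlib
import hmac
import os


def md5_hex(text: str) -> str:
    """Hex MD5 of a string, the hash the thread's scheme is built on."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


class ChallengeLoginServer:
    """Toy server side of the challenge/response login (hypothetical)."""

    def __init__(self) -> None:
        self.users = {}        # username -> md5(password)
        self.challenges = {}   # challenge -> username it was issued to

    def register(self, username: str, password: str) -> None:
        self.users[username] = md5_hex(password)

    def issue_challenge(self, username: str) -> str:
        # Random challenge stored server-side (session or DB) before
        # the login form is shown, exactly as the thread describes.
        challenge = os.urandom(16).hex()
        self.challenges[challenge] = username
        return challenge

    def verify(self, username: str, challenge: str, response: str) -> bool:
        # Consume the challenge first: whatever happens next, the same
        # challenge (and thus the same response) is never accepted twice.
        issued_to = self.challenges.pop(challenge, None)
        if issued_to != username or username not in self.users:
            return False
        expected = md5_hex(self.users[username] + challenge)
        return hmac.compare_digest(expected, response)


def client_response(password: str, challenge: str) -> str:
    """What the browser-side JavaScript computes from the typed password."""
    return md5_hex(md5_hex(password) + challenge)


def demo() -> tuple:
    """Constructed walk-through: one good login, one replay, one stale hash."""
    srv = ChallengeLoginServer()
    srv.register("alice", "correct horse")      # constructed sample user
    c1 = srv.issue_challenge("alice")
    r1 = client_response("correct horse", c1)
    first = srv.verify("alice", c1, r1)         # genuine login succeeds
    replay = srv.verify("alice", c1, r1)        # same hash again: rejected
    c2 = srv.issue_challenge("alice")
    stale = srv.verify("alice", c2, r1)         # old hash, new challenge: rejected
    return first, replay, stale
```

Because the response is bound to a challenge the server only honours once, an intercepted hash is useless on its own, which is the point Chung Leong makes; it does not, however, hide the exchange from anyone watching the connection, which is why the thread ends up at SSL.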
If I may ask, are you trying to gain knowledge or are you trying to write
something that interacts with yahoo?

if you are trying to check mail on yahoo, then pop it from
pop.mail.yahoo.com

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in message
news:ab**************************@posting.google.com...
[This is a bit off-topic. I'm posting here to get some sort of PHP
solution]

This is regarding secure login implementation in PHP. I'm trying to
understand <http://mail.yahoo.com/>. If I understand right, they're
passing the md5 hash instead of the password itself. But, I couldn't
understand the use of "challenge" string in their mechanism. IIRC,
some time ago, I read somewhere that this kind of system is not secure
at all. Does anyone have any idea?

--
"I don't believe in the God who doesn't give me food, but shows me
heaven!"--Swami Vivekanandha
Email: rrjanbiah-at-Y!com

Jul 17 '05 #9
Geoff Berrow <bl******@ckdog.co.uk> wrote in message news:<7b********************************@4ax.com>...
I noticed that Message-ID:
<ab**************************@posting.google.com> from R. Rajesh Jeba
Anbiah contained the following:
Are they not using javascript to generate a combination MD5 hash?
They use JS to generate md5. But, I couldn't get your "hint" :-(


I meant, do they do an MD5 of the password /and/ the challenge string
together. So that the hash would never be the same and could not be
intercepted and used as a password.


Yes, they form another hash with the help of challenge string as
Chung Leong said. If I understand right, CAPTCHA technique will be
better than this. I have also looked at HTTP Digest Authentication
which uses such challenge string mechanism; but it seems to be useless
(<http://static.userland.com/userLandDiscussArchive/msg012483.html>)
Can't see the point of doing an MD5 client side otherwise.


Yes, this guy has some hacking-like stuff
<http://theory.cs.iitm.ernet.in/~arvindn/yahoo/> And, finally I
couldn't find anything better except the secure server solution.

--
"Democracy: Where all citizens are politicians and all politicians
are citizens"
Email: rrjanbiah-at-Y!com
Jul 17 '05 #10
"CountScubula" <me@scantek.hotmail.com> wrote in message news:<Xj*****************@newssvr29.news.prodigy.com>...
If I may ask, are you trying to gain knowledge or are you trying to write
something that interacts with yahoo?


I'm trying to find a better but secure login system. And, also
analyzing if Yahoo! has a better system or not.

--
"Democracy: Where all citizens are politicians and all politicians
are citizens"
Email: rrjanbiah-at-Y!com
Jul 17 '05 #11
Oh, ok.

hmm, try using a SSL page for login ?

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in message
news:ab**************************@posting.google.com...
"CountScubula" <me@scantek.hotmail.com> wrote in message

news:<Xj*****************@newssvr29.news.prodigy.com>...
If I may ask, are you trying to gain knowledge or are you trying to write something that interacts with yahoo?


I'm trying to find a better but secure login system. And, also
analyzing if Yahoo! has a better system or not.

--
"Democracy: Where all citizens are politicians and all politicians
are citizens"
Email: rrjanbiah-at-Y!com

Jul 17 '05 #12
"CountScubula" <me@scantek.hotmail.com> wrote in message news:<AR*******************@newssvr29.news.prodigy.com>...
Oh, ok.

hmm, try using a SSL page for login ?


Yeah, that seems to be the only bullet-proof solution :-(

--
"Democracy: Where all citizens are politicians and all politicians are citizens"
Email: rrjanbiah-at-Y!com
Jul 17 '05 #13
I noticed that Message-ID:
<ab**************************@posting.google.com> from R. Rajesh Jeba
Anbiah contained the following:
hmm, try using a SSL page for login ?


Yeah, that seems to be the only bullet-proof solution :-(


Plus regular checks to make sure keystroke loggers are not installed.

I'm sometimes amused at people who go to such lengths over security.
They are probably the same people who casually hand over their credit
card to the waiter in a restaurant...

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #14

I use an md5 challenge with my waiter when I hand him a credit card, but he
usually has a blank look on his face.

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"Geoff Berrow" <bl******@ckdog.co.uk> wrote in message
news:ag********************************@4ax.com...
I noticed that Message-ID:
<ab**************************@posting.google.com> from R. Rajesh Jeba
Anbiah contained the following:
hmm, try using a SSL page for login ?


Yeah, that seems to be the only bullet-proof solution :-(


Plus regular checks to make sure keystroke loggers are not installed.

I'm sometimes amused at people who go to such lengths over security.
They are probably the same people who casually hand over their credit
card to the waiter in a restaurant...

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

Jul 17 '05 #15

User "CountScubula" <me@scantek.hotmail.com> wrote in message
news:KU*****************@newssvr27.news.prodigy.com...

I use an md5 challenge with my waiter when I hand him a credit card, but he usually has a blank look on his face.


Next time, just kill the guy. He would be the human equivalent of a one-time
pad :-p
Jul 17 '05 #16
User "R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in
message news:ab**************************@posting.google.com...
Yes, they form another hash with the help of challenge string as
Chung Leong said. If I understand right, CAPTCHA technique will be
better than this. I have also looked at HTTP Digest Authentication
which uses such challenge string mechanism; but it seems to be useless
(<http://static.userland.com/userLandDiscussArchive/msg012483.html>)
Can't see the point of doing an MD5 client side otherwise.


If I understand Yahoo's intention correctly, the purpose of this login
mechanism isn't to protect the e-mail account. If you're communicating
across an insecure channel then by definition the communication isn't
secure. What they're trying to do is conserve server resource by not using
SSL for things that aren't too sensitive, while at the same time, not
compromise the user password, which is also used in other, more sensitive,
SSL protected areas of their site, like Yahoo bill pay. It's a pragmatic
solution I would say.
Jul 17 '05 #17
I noticed that Message-ID: <Cc********************@comcast.com> from
Chung Leong contained the following:
If I understand Yahoo's intention correctly, the purpose of this login
mechanism isn't to protect the e-mail account. If you're communicating
across an insecure channel then by definition the communication isn't
secure. What they're trying to do is conserve server resource by not using
SSL for things that aren't too sensitive, while at the same time, not
compromise the user password, which is also used in other, more sensitive,
SSL protected areas of their site, like Yahoo bill pay. It's a pragmatic
solution I would say.


Ok, that makes sense.

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #18
"Chung Leong" <ch***********@hotmail.com> wrote in message
news:Cc********************@comcast.com...

"CountScubula" <me@scantek.hotmail.com> wrote in message
news:KU*****************@newssvr27.news.prodigy.com...

I use an md5 challenge with my waiter when I hand him a credit card, but
he usually has a blank look on his face.


Next time, just kill the guy. He would be the human equivalent of a one-time
pad :-p


Again, sometimes I feel so stupid; why didn't I think of that?

--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #19