Authentication Security

cdrom600
Regular
Posts: 23
Joined: Fri Jun 04, 2004 3:03 pm

Authentication Security

Post by cdrom600 »

I use Serendipity on my Web site, ChrisDZOMBAK.net. I have some concerns about the security of authentication over a nonsecure connection.
I can see my password being transmitted "in-the-clear" when I log into my blog (using the Firefox extension Live HTTP Headers). There is a way to do secure logins without an HTTPS connection - please read Secure Authentication over Standard HTTP for details.
Is there any desire to implement this? I may look into creating a plugin to do this, but it will take a while - it would be my first.
tomsommer
Core Developer
Posts: 240
Joined: Tue Sep 02, 2003 6:43 pm
Location: Denmark

Post by tomsommer »

It's a web problem, the browser will send anything you enter in the form as clear text.

If you are so freaked about security, I would suggest you use an SSL connection.
Tom Sommer (Serendipity Core Developer)
http://blog.dreamcoder.dk
cdrom600
Regular
Posts: 23
Joined: Fri Jun 04, 2004 3:03 pm

Post by cdrom600 »

Yes, but my host doesn't offer SSL, and I can't really afford one that does.
I'm reading the plugin docs as I write this, but I don't see a hook for the admin login. If I were to add a hook there and write the plugin, is it possible that it could be placed into CVS?
tadpole
Regular
Posts: 88
Joined: Fri Oct 08, 2004 6:20 am
Location: 33°6'4.079" North, 117°3'6.563" West

Post by tadpole »

Your idea has no identity management. If people can see your traffic, they can probably change the data (it's really quite easy if you understand TCP, but I digress) and have the key transmitted. You may think that sounds like a lot of work just to get your password, and you're right. The good thing is that if someone has the skill to get a sniffer on a router in your path they'll be after much juicier targets than your blog.

There are two books you should really look into, both by Bruce Schneier: Secrets and Lies, which will hopefully put your paranoia in perspective, and Applied Cryptography 2nd Edition, which will teach you exactly how to put your paranoia to good use :)
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

I agree with Tom and tadpole, but if you're really eager to write an authentication plugin, you should have a look at Serendipity 0.8. There is a new event hook which we used for the additional plugin serendipity_event_externalauth. It currently only has the stub for authentication, but not for the input panel. But you can easily add your own event hook into that form.

Using Serendipity 0.8, edit the serendipity_admin.php file and search for 'PLEASE_ENTER_CREDENTIALS'. You can modify that login form by adding an event hook - if you don't know how to do that, just patch your needed code into the file and I will turn it into an event afterwards.

That is, if you still want to pursue that idea. :)

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
cdrom600
Regular
Posts: 23
Joined: Fri Jun 04, 2004 3:03 pm

Post by cdrom600 »

I'll look into those hooks and possibly add one - I read how in the plugin docs.

tadpole: I don't really know much about TCP, but I do know that as the password is being transmitted as an MD5 hash, it can't be changed or decrypted. The point is not really to create a secure connection - simply to make it so you can't find the user's password OR capture the entire session then replay it.
cdrom600
Regular
Posts: 23
Joined: Fri Jun 04, 2004 3:03 pm

Post by cdrom600 »

And never mind this whole thing, as it's not really secure.
You simply listen to get the MD5 hash of the password, then enter it in the password field and turn off JavaScript. Then it doesn't get re-hashed by the client, and the server checks and thinks that you knew the real password.
I need a HTTPS-enabled server :( but I can't afford one.

I'll still implement this, though - even though anyone who can get the hash of the password will probably be able to figure this out.
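The two points argued in this thread, shown as a small protocol simulation. This is an added example written for this page, not Serendipity code and not the scheme from the linked article; the class and function names, the wire format (the client submits one hex field) and the dict-backed user table are assumptions made for the demo. The first server is the scheme cdrom600 describes (the form JavaScript replaces the password with md5(password), the server compares it with the stored md5(password)), and `replay_attack_naive` is exactly the attack from the last post: whoever captured the submitted field pastes it back in with JavaScript off. The second server hands out a single-use nonce with the login form and expects md5(nonce + md5(password)), which is what the first post's "secure login without HTTPS" needs at minimum to stop replay. The third function shows what a passive sniffer can still do against the nonce scheme: test password guesses offline, because MD5 is fast and the nonce is public.

```python
"""Added example: client-side MD5 over plain HTTP, with and without a server nonce."""
import hashlib
import secrets
from typing import Optional, Tuple


def md5hex(s: str) -> str:
    """Hex MD5 of a string, standing in for the md5() the login page's JavaScript would run."""
    return hashlib.md5(s.encode()).hexdigest()


class NaiveServer:
    """Scheme from the thread: the server stores md5(password) and accepts that same
    value from the form. The hash is a password-equivalent: capturing it is as good
    as capturing the password, and no JavaScript is needed to submit it."""

    def __init__(self, users: dict):
        self.db = {u: md5hex(p) for u, p in users.items()}  # assumed storage format

    def login(self, user: str, submitted_hash: str) -> bool:
        return self.db.get(user) == submitted_hash


class NonceServer:
    """Challenge-response variant: a random nonce is issued with the form and consumed
    on the first login attempt that uses it. The client submits md5(nonce + md5(password)),
    so a captured response is only valid for the nonce it was computed for."""

    def __init__(self, users: dict):
        self.db = {u: md5hex(p) for u, p in users.items()}
        self.pending = set()  # nonces handed out and not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def login(self, user: str, nonce: str, response: str) -> bool:
        if nonce not in self.pending:
            return False  # replayed, expired or forged nonce
        self.pending.discard(nonce)  # single use, consumed even on a failed attempt
        expected = md5hex(nonce + self.db.get(user, ""))
        return secrets.compare_digest(expected, response)


def naive_client(password: str) -> str:
    """What the form JavaScript sends in the naive scheme (and what a sniffer sees)."""
    return md5hex(password)


def nonce_client(password: str, nonce: str) -> str:
    """What the form JavaScript sends in the nonce scheme."""
    return md5hex(nonce + md5hex(password))


def replay_attack_naive() -> Tuple[bool, bool]:
    """Legitimate login, then the captured field is resubmitted unchanged (JavaScript off)."""
    server = NaiveServer({"chris": "correct horse"})  # constructed sample user
    captured = naive_client("correct horse")          # visible in Live HTTP Headers
    legit = server.login("chris", captured)
    replay = server.login("chris", captured)          # attacker pastes the hash: accepted
    return legit, replay


def replay_attack_nonce() -> Tuple[bool, bool, bool]:
    """Same capture against the nonce server: replay with the old nonce and with a fresh one."""
    server = NonceServer({"chris": "correct horse"})
    nonce = server.challenge()
    captured = nonce_client("correct horse", nonce)   # sniffer sees both nonce and response
    legit = server.login("chris", nonce, captured)
    replay_same = server.login("chris", nonce, captured)   # nonce already consumed
    fresh = server.challenge()
    replay_new = server.login("chris", fresh, captured)    # response bound to the old nonce
    return legit, replay_same, replay_new


def offline_guess(nonce: str, response: str, candidates) -> Optional[str]:
    """Passive attacker's remaining option: recompute md5(nonce + md5(guess)) offline."""
    for guess in candidates:
        if md5hex(nonce + md5hex(guess)) == response:
            return guess
    return None


def sniffer_offline_attack() -> Optional[str]:
    """One captured nonce/response pair plus a (constructed) wordlist recovers a weak password."""
    server = NonceServer({"chris": "correct horse"})
    nonce = server.challenge()
    captured = nonce_client("correct horse", nonce)
    return offline_guess(nonce, captured, ["password", "letmein", "correct horse"])


if __name__ == "__main__":
    print("naive (legit, replay):", replay_attack_naive())
    print("nonce (legit, replay same nonce, replay new nonce):", replay_attack_nonce())
    print("offline guess against nonce scheme:", sniffer_offline_attack())
```

The nonce stops the two passive attacks named in the thread (recovering a reusable credential from the wire and replaying the session), but it does not change the rest of tadpole's objection: the stored md5(password) is still password-equivalent if the server is compromised, the attacker can still brute-force guesses offline as `offline_guess` shows, and an attacker who can modify traffic simply serves a login page whose JavaScript sends the password in the clear. Only the SSL connection Tom suggests closes that last path.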