I am talking about real encryption (256-bit SSL or more) and not hashing. Even if there is an eavesdropper, how could he decrypt an SSL-encrypted data block on a possibly SSL-secured (HTTPS) connection? If there is an eavesdropper who is able to decrypt SSL-secured data, I think changing passwords with the server instead, while he is watching, is pretty useless too.

---

WhatsApp Web works similarly to this idea, only the opposite way: while you scan a code to be validated through your Android phone to gain access to the web app, we would want to gain access from the Android phone.
And by the way, hashing is a one-way encryption, since you can't decrypt a hash but only verify it. But anyway, it was just an idea...

# # # # # # # # # # # # # # # # # # # # # # # # # # # ORIGINAL MESSAGE IS FOLLOWING # # # # # # # # # # # # # # # # # # # # # # # # # #

MsgID: 87fubalti7....@wavexx.thregr.org
From: Yuri D'Elia <wavexx-0pwbvmanqnmdnm+yrof...@public.gmane.org>
Date: Mon, 25 Sep 2017 16:53:20 +0200
Subject: Re: Re: New Android client for DL available

> On Sat, Sep 23 2017, Amen em hat Ankh wrote:
> > in that constellation Frank would never deal with URLs, usernames or
> > passwords and no private data is transferred through the net when he
> > down or uploads stuff, except the one and only time when he
> > registers a new device.
>
> How do you authenticate the device to be whitelisted though?
>
> If I understand this correctly, you would first generate the QR
> manually, then scan it right away. So being able to scan the code is
> what grants you access. After scanning, a token is sent to the server to
> be whitelisted.
>
> However, you'd need to validate the new device manually as well
> in order to be different than simple password authentication. Hashing
> hardware information is useless if I can eavesdrop the connection, as I
> can impersonate any token you provide. You need to share a secret with
> the server first.
>
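
Added example (not part of either message, and not the DL client's code): it compares the two device-authentication schemes discussed in the thread, a static hash of hardware information versus a secret shared once through the QR code and then proven with an HMAC over a fresh server nonce. The Server class, the function names and the device values are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Every name and value here is constructed for illustration.

def hardware_token(device_info: str) -> str:
    """Scheme A: a hash of device properties, identical on every login."""
    return hashlib.sha256(device_info.encode()).hexdigest()

def respond(key: bytes, nonce: bytes) -> bytes:
    """Scheme B, device side: prove possession of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.static_whitelist = set()  # scheme A: whitelisted hardware hashes
        self.device_keys = {}          # scheme B: device id -> shared secret
        self.pending = {}              # scheme B: device id -> unused nonce

    def login_static(self, token: str) -> bool:
        return token in self.static_whitelist

    def enroll(self, device_id: str) -> bytes:
        # Generated once and displayed as the QR code; never sent at login.
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]

    def challenge(self, device_id: str) -> bytes:
        self.pending[device_id] = secrets.token_bytes(16)
        return self.pending[device_id]

    def login_hmac(self, device_id: str, response: bytes) -> bool:
        nonce = self.pending.pop(device_id, None)  # a nonce is valid once
        key = self.device_keys.get(device_id)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(respond(key, nonce), response)

def replay_results():
    """Returns (genuine login ok, static token replay ok, HMAC replay ok)."""
    srv = Server()
    token = hardware_token("model=X;serial=0000")  # constructed device info
    srv.static_whitelist.add(token)
    key = srv.enroll("phone-1")
    first = respond(key, srv.challenge("phone-1"))
    legit = srv.login_hmac("phone-1", first)       # genuine login succeeds
    srv.challenge("phone-1")                       # next session, fresh nonce
    return legit, srv.login_static(token), srv.login_hmac("phone-1", first)
```

The static token is accepted again when presented a second time, while the earlier HMAC response fails against the new nonce, so login traffic captured once is not enough for the second scheme.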