> Hmm. Does it do anything to protect against man-in-the-middle
> grabbing of the encrypted token? I seem to recall hearing that LJ
> does something elaborate to that end w/ JS (possibly dependent on
> HTTPS).
Yes, LiveJournal (and Dreamwidth) use a challenge/response system. Basically, the server gives you a special one-time-use code. Your browser then hashes* your password, hashes it with the challenge, and sends this new value back to the server. The server then combines the original challenge with your password hash from the database and sees if it comes up with the same answer you sent.

Which is a complicated way of saying "yes, we protect from man-in-the-middle attacks in an industry-standard way."

* You call it encryption, but it's really MD5 hashing. Hashing is generally more secure than encryption because it's one-way. You can't reverse a hash to the password. (Well, MD5 is theoretically broken, but nobody has actually broken it in the wild, to my knowledge. When there is more built-in support for SHA1 in browsers everywhere [there may be already, I haven't checked recently] we will look at switching to that. This edition of 'more than you ever cared about' brought to you by the letter Q...)

--
Mark Smith / xb95
[email protected]

_______________________________________________
dw-discuss mailing list
[email protected]
http://lists.dwscoalition.org/cgi-bin/mailman/listinfo/dw-discuss
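The challenge/response flow Mark describes, as an added example that is not part of the original post and not LiveJournal's or Dreamwidth's own code: the client sends MD5(challenge + MD5(password)), the server recomputes it from the stored hash, and the challenge is consumed on first use so a replayed response fails. The user store, the challenge lifetime and the bookkeeping for outstanding challenges are assumptions made for this example.

```python
import hashlib
import secrets
import time

# Constructed sample user store: username -> MD5(password) hex digest.
# The scheme requires the server to keep the raw password hash, so this
# value is a password-equivalent and must be protected like one.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}

# Outstanding challenges: challenge -> expiry timestamp (assumed design).
# A challenge is removed the first time it is presented, which is what
# makes a replayed response fail.
_CHALLENGES = {}
CHALLENGE_TTL = 60  # seconds; an assumed value, not from the post


def issue_challenge(now=None):
    """Server side: mint a random one-time challenge."""
    now = time.time() if now is None else now
    challenge = secrets.token_hex(16)
    _CHALLENGES[challenge] = now + CHALLENGE_TTL
    return challenge


def client_response(challenge, password):
    """Client side: hash the password, then hash it with the challenge."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((challenge + pw_hash).encode()).hexdigest()


def verify(username, challenge, response, now=None):
    """Server side: recompute from the stored hash and compare."""
    now = time.time() if now is None else now
    expiry = _CHALLENGES.pop(challenge, None)  # consume: one-time use
    if expiry is None or now > expiry:
        return False  # unknown, already used, or stale challenge
    stored = USERS.get(username)
    if stored is None:
        return False
    expected = hashlib.md5((challenge + stored).encode()).hexdigest()
    return secrets.compare_digest(expected, response)
```

Note that the password itself never crosses the wire, but an observer who records the challenge and response can still try candidate passwords offline, which is why the post's mention of HTTPS still matters.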
