Pills wrote:

Korbinian Bachl wrote:
This is nothing about wicket - it's about base security. MD5 is a hash algorithm (see: http://en.wikipedia.org/wiki/Md5) which is no longer secure (flaw found 1996), as there are tables to reverse a given md5 (from 2003 on) to a valid input.


Thank you for your answers. I know that MD5 isn't very secure, but it
doesn't matter (I just want to obfuscate them, to prevent an admin from getting a
clear password from his admin console). But I agree, SHA may be better...

To get a wanted md5 collision requires a person that uses a rainbow table under 1h time, with a success rate of about 99,9% - http://www.antsight.com/zsl/rainbowcrack/


I guessed there was a wicket way to 1) crypt some data before sending them
out of the client's browser (so it doesn't travel in clear) 2) compare it on
the server side with the required hashed password.

You want to use SSL (now called TLS) for this! -> go to a bank login and you will see http://www.mybank.com changing to https://www.mybank.com

See http://en.wikipedia.org/wiki/Transport_Layer_Security for an overview.



I know how to write the crypto algorithm... I just don't know the best way
to integrate it into wicket. However, I saw some interface on Wicket (like
ICrypt) and guessed there is a way to use it well...

1. There are under 100 people on this planet that know how to write a secure crypto algorithm - and believe me that we two aren't anywhere near them :)

2. AFAIK the ICrypt is good for obscuring the URL itself - not for the content (but I'm not sure on this)


Thank you for your interest ;)

You're welcome,

Korbinian
