Hello Chris,

Thanks for the detailed information, appreciate it.

chriii...@gmail.com wrote on Thursday, 24 November 2022 at 03:24:06 UTC+7:

> Hello. 
>
> TLS is enough to encrypt and secure the connection; the whole point of the 
> HTTPS protocol is to make a clear text channel secure. 
>
> If someone is sniffing your HTTPS connection, they will not be able to read 
> the traffic, except if the attacker performs a Man in the Middle and replaces 
> the TLS certificate like Burp Suite does, but if something like that happens, 
> there is no point hashing the username and password because capturing the 
> session cookie will be enough to enter the application, or even reusing 
> the transmitted hash.
>
> I'm not aware of any mechanism in web2py to hash the username/password. 
> Maybe you can achieve this by adding some JavaScript code that hashes these 
> values on clicking submit, and probably you will have to modify an 
> internal component in web2py to make the auth validation able to read your 
> hashed data.
>
> I've been working in the world of cyber security for a lot of years.... 
> and most of the time when someone points this out as a vulnerability it is 
> probably because they don't really understand the matter and raise an 
> alarm for something that is already protected. In this case HTTPS is 
> enough. If your cyber security officer is saying that the app is not 
> protected even using HTTPS and gives you examples with Burp Suite, it is clear 
> that he/she does not understand why Burp Suite is able to decrypt data (due 
> to their own certificate) and will think that everything is unencrypted.
>
> I have some banks that like to hash the transmitted data even with the 
> HTTPS protection. But again... this is not really secure because hashing 
> data before sending would need to be performed in the browser via 
> JavaScript, and if the hash process happens on the client side, you can see 
> how the encryption is made and reverse it. Even if the JavaScript functions are 
> obfuscated, you just have to put some breakpoints in the JavaScript console 
> (browser console) and catch events until you find where the hashing process 
> is made, and reverse that function.
>
>
> Cheers.
> Chris,
>
> On Wed, 23 Nov 2022 at 15:59, Arglanir (<argl...@gmail.com>) wrote:
>
>> Hello,
>> It is a big question, and does not concern only web2py. You can find 
>> people asking the same general question on StackOverflow. And the answers 
>> are generic: the most important thing is the TLS communication.
>>
>> https://security.stackexchange.com/questions/110415/is-it-ok-to-send-plain-text-password-over-https
>> (and see linked duplicate questions)
>> Do you know any website that does hash the password client-side?
>> Arglanir
>>
>>
>> On Tuesday, 22 November 2022 at 01:20:06 UTC+1, silvia...@gmail.com wrote:
>>
>>> Thank you, but do you have any suggestions what to do, because our 
>>> cybersecurity officer keeps complaining about that, so I need to change some 
>>> settings in web2py, or do you have an idea how I can sort it out? 
>>>
>>> Kind regards
>>>
>>> On Tue, 22 Nov 2022 at 02:23, Christian Varas <chriii...@gmail.com> wrote:
>>>
>>>> Hi, 
>>>> It's OK, it's the way it works. If you put a local proxy like Burp and 
>>>> then you go and capture traffic, it is OK that you can see clear text data, 
>>>> because Burp proxy puts its own certificate between client and backend; 
>>>> because of that Burp proxy can decrypt and show you clear text data. If you 
>>>> sniff with a packet capture like Wireshark, you will see everything is 
>>>> encrypted.
>>>>
>>>> Salting your password/username before sending it is not really secure, 
>>>> because hashing the username/password before sending would need to be 
>>>> performed in the browser via JavaScript, and if the hash process happens on 
>>>> the client side, you can see how the encryption is made and reverse it.
>>>>
>>>> Cheers.
>>>> Chris.
>>>>
>>>> On Mon, 21 Nov 2022 at 5:01, Silvian “Top 10 Answers” Cedru (<silvia...@gmail.com>) wrote:
>>>>
>>>>> It's weird, why does web2py not salt the username and password before 
>>>>> sending it?
>>>>>
>>>>> Silvian Cedru wrote on Monday, 21 November 2022 at 09:25:05 UTC+7:
>>>>>
>>>>>> Here is a screenshot after sniffing the network, and it is weird since 
>>>>>> it has HTTPS; I thought you could not sniff out the password when someone 
>>>>>> logs in, so I need to salt or hash it, but I am not sure where I find the 
>>>>>> file and what to change. Would be awesome if someone could help.
>>>>>>
>>>>>> Silvian Cedru wrote on Thursday, 17 November 2022 at 11:05:34 UTC+7:
>>>>>>
>>>>>>> Hello everyone,
>>>>>>>
>>>>>>> I just found out that when you log in to my application my password 
>>>>>>> gets sent in plain text even though I thought it gets hashed. Does someone 
>>>>>>> know a solution for how to salt or hash the password before sending?
>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>> Resources:
>>>>> - http://web2py.com
>>>>> - http://web2py.com/book (Documentation)
>>>>> - http://github.com/web2py/web2py (Source code)
>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>> --- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "web2py-users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to web2py+un...@googlegroups.com.
>>>>> To view this discussion on the web visit 
>>>>> https://groups.google.com/d/msgid/web2py/3b380bb2-b908-4e8e-be5a-bc465196c38fn%40googlegroups.com
>>>>>  
>>>>> <https://groups.google.com/d/msgid/web2py/3b380bb2-b908-4e8e-be5a-bc465196c38fn%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>
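
The replay point made in the quoted replies (whatever the browser puts on the wire is the credential the server accepts, so a hash computed in the browser is simply a different password and TLS is still what protects it in transit) as an added Python example. This is not code from the thread or from web2py; the server-side PBKDF2 check is a stand-in for a framework's own auth, not web2py's implementation, and the user name, sample password and interceptor are all constructed for the demonstration.

```python
"""Why hashing the password in the browser does not add protection over HTTPS.

Added example, not web2py code. A minimal server-side credential check is run
twice: once with the raw password on the wire (the normal HTTPS case) and once
with a browser-computed SHA-256 of the password on the wire. In both cases the
server accepts exactly the bytes it receives, so an interceptor who can see
them (for example a proxy trusted with its own CA, as in the Burp case above)
can submit the same bytes again.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # illustrative server-side work factor


def make_record(secret: str) -> dict:
    """Server-side storage: per-user random salt plus PBKDF2 of the submitted secret.

    This is what protects the credential database at rest; it runs on the server
    regardless of what the browser did before sending.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_record(record: dict, submitted: str) -> bool:
    """Server-side login check with a constant-time comparison of the recomputed digest."""
    digest = hashlib.pbkdf2_hmac("sha256", submitted.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def browser_prehash(password: str) -> str:
    """Stands in for a JavaScript hash run on submit; its output is what goes on the wire."""
    return hashlib.sha256(password.encode()).hexdigest()


def run_scheme(prehash, password: str = "correct horse battery staple") -> dict:
    """Enrol a user, log in once, then re-submit the value that was on the wire.

    `prehash` is the transform the browser applies before sending: identity for
    plain HTTPS, browser_prehash for client-side hashing. The password is a
    constructed sample.
    """
    record = make_record(prehash(password))  # enrolment: server salts+hashes what it receives
    wire_value = prehash(password)           # login: what TLS carries for this user

    # An interceptor positioned to read the decrypted stream sees this string
    # and nothing else; it never needs the password itself.
    captured = wire_value

    return {
        "legit_login": verify_record(record, wire_value),
        "replayed_capture": verify_record(record, captured),  # same bytes => accepted
        "wrong_password": verify_record(record, prehash("not the password")),
        "capture_is_password": captured == password,
    }


def compare_schemes() -> dict:
    """Run both schemes side by side; the replay outcome is identical."""
    return {
        "plain_over_tls": run_scheme(lambda p: p),
        "browser_hashed": run_scheme(browser_prehash),
    }


if __name__ == "__main__":
    for name, result in compare_schemes().items():
        print(name, result)
```

In both rows `replayed_capture` comes back `True`: the only thing client-side hashing changes is which string counts as the credential (`capture_is_password` flips to `False`), which matters for password reuse on other sites but not for access to this application. Effort is therefore better spent on the two controls that do act on distinct threats, TLS for the wire and server-side salted hashing (plus cookie attributes such as `Secure` and `HttpOnly`) for the data at rest and the session.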

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/a92382d9-9fb3-4802-b93a-26790e98efd9n%40googlegroups.com.
