[whatwg] whatwg Digest, Vol 82, Issue 10
rescator at emsai.net
Wed Jan 5 08:29:10 PST 2011
On 2011-01-04 22:59, Seth Brown wrote:
> That being said. Granting access to a particular script instead of an
> entire site sounds like a reasonable security requirement to me. As
> does using a hash to verify that the script you granted permission to
> hasn't changed.
A hash (any hash in fact, even "secure" ones) can only guarantee that
two pieces of data are different!
A hash can NEVER guarantee that two pieces of data are the same, this is
A hash can only be used to make a quick assumption that the data
probably are the same,
thus avoiding expensive byte by byte comparison in cases where the
If the hashes are the same then only a byte by byte comparison can
guarantee the data are the same.
Any cryptography expert worth their salt will agree to the statements above.
HTTPS which is continually evolving is a much better solution than just
relying on hashes and plain http,
I cringe each time I see a "secure" script that is delivered over http
which purpose is to encrypt the password you enter and send it to the
HTTP authentication however isn't so bad if only the damn plaintext
"basic" support was fully deprecated AND disallowed,
then again now that you can get domain certificates for free that are
supported by the major browsers HTTP Authentication is kinda being
overshadowed by HTTPS, which is fine I guess.
Just please don't "slap a hash on it" and think it's safe, that's all
I'm saying really.
Roger "Rescator" Hågensen.
Freelancer - http://www.EmSai.net/
More information about the whatwg