[whatwg] whatwg Digest, Vol 82, Issue 10

Roger Hågensen rescator at emsai.net
Wed Jan 5 08:29:10 PST 2011


On 2011-01-04 22:59, Seth Brown wrote:
> That being said. Granting access to a particular script instead of an
> entire site sounds like a reasonable security requirement to me. As
> does using a hash to verify that the script you granted permission to
> hasn't changed.
>
> -Seth

A hash (any hash in fact, even "secure" ones) can only guarantee that two pieces of data are different!
A hash can NEVER guarantee that two pieces of data are the same; this is impossible.
A hash can only be used to make a quick assumption that the data probably are the same, thus avoiding expensive byte-by-byte comparison in cases where the hashes differ.
If the hashes are the same, then only a byte-by-byte comparison can guarantee the data are the same.
Any cryptography expert worth their salt will agree with the statements above.

HTTPS, which is continually evolving, is a much better solution than just relying on hashes and plain HTTP.
I cringe each time I see a "secure" script that is delivered over HTTP whose purpose is to encrypt the password you enter and send it to the website.
HTTP authentication, however, isn't so bad, if only the damn plaintext "basic" support was fully deprecated AND disallowed.
Then again, now that you can get domain certificates for free that are supported by the major browsers, HTTP Authentication is kinda being overshadowed by HTTPS, which is fine I guess.

Just please don't "slap a hash on it" and think it's safe; that's all I'm saying really.


-- 
Roger "Rescator" Hågensen.
Freelancer - http://www.EmSai.net/
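
Added example, not part of the original message: a Python sketch of the comparison order the message describes, with a stored hash used as a fast reject and a byte-by-byte comparison making the final decision. The names `short_hash`, `find_colliding_script` and `ApprovedScript` are hypothetical, the script bytes are constructed, and the digest is deliberately truncated to 16 bits (an assumption of this demo) so that two different scripts with equal digests turn up in well under a second.

```python
import hashlib
from itertools import count

DIGEST_BYTES = 2  # assumption: SHA-256 cut to 16 bits so an equal-digest pair is quick to find

# Constructed sample input: the script the user granted permission to.
APPROVED = b"function greet() { return 'hello'; }\n"


def short_hash(data: bytes) -> bytes:
    """Demo digest: the first DIGEST_BYTES bytes of SHA-256."""
    return hashlib.sha256(data).digest()[:DIGEST_BYTES]


def find_colliding_script(approved: bytes) -> bytes:
    """Search for different bytes whose demo digest equals that of `approved`."""
    target = short_hash(approved)
    for n in count():
        candidate = b"// variant %d\n" % n + approved
        if short_hash(candidate) == target:
            return candidate


class ApprovedScript:
    """Keeps the approved bytes together with their digest."""

    def __init__(self, body: bytes):
        self.body = body
        self.digest = short_hash(body)

    def hash_only_check(self, received: bytes) -> bool:
        # Equal digests: "probably the same", which is all a hash can say.
        return short_hash(received) == self.digest

    def full_check(self, received: bytes) -> bool:
        # Different digests prove the data differ, so stop early.
        if short_hash(received) != self.digest:
            return False
        # Equal digests: only the byte-by-byte comparison decides.
        return received == self.body


if __name__ == "__main__":
    grant = ApprovedScript(APPROVED)
    other = find_colliding_script(APPROVED)
    print("digests equal:    ", grant.hash_only_check(other))
    print("bytes equal:      ", grant.full_check(other))
    print("original accepted:", grant.full_check(APPROVED))
```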



