EvilZone

: Preferred way to obfuscate passwords over HTTP?
: Mmwwaaaa March 30, 2015, 03:49:41 PM
How do you like to prevent the odd person from sniffing your HTTP passwds (https://url.spec.whatwg.org/)?

Regards,
: Re: Preferred way to obfuscate passwords over HTTP?
: HTH March 30, 2015, 03:57:15 PM
Short answer, you don't. Use SSL.

Longer, less desirable answer: client-side crypto. Essentially forming your own SSL (crypto-wise) using PKI (RSA) to share a symmetric key, then sending the password over encrypted (AES) with said symmetric key.

This could still be worked around because you're missing the Certificate Authority part, and a few other things but it would stop the average fgt with wireshark.

Have I mentioned SSL?
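
The hybrid scheme described in the reply above, sketched with Node's built-in `crypto` module as an added example that is not part of the original post. It assumes RSA-OAEP and AES-256-GCM for the two steps, and it swaps in a pinned key fingerprint (`pinnedFp`, a hypothetical value the client obtains out of band) for the Certificate Authority part the reply says is missing; all function names are illustrative.

```javascript
const nodeCrypto = require('crypto');

// SHA-256 fingerprint of a DER-encoded public key, used as the client's pin.
function fingerprint(pubDer) {
  return nodeCrypto.createHash('sha256').update(pubDer).digest('hex');
}

// Server side: holds the RSA private key and decrypts login messages.
function makeServer() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    pubDer: publicKey.export({ type: 'spki', format: 'der' }),
    receive(msg) {
      // Unwrap the AES key (RSA-OAEP), then decrypt and authenticate (AES-256-GCM).
      const key = nodeCrypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, msg.wrappedKey);
      const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
      d.setAuthTag(msg.tag);
      return Buffer.concat([d.update(msg.ct), d.final()]).toString('utf8');
    },
  };
}

// Client side: pubDer arrives over plain HTTP, so it is untrusted until it
// matches pinnedFp, a fingerprint the client obtained out of band (assumption).
function sendPassword(pubDer, pinnedFp, password) {
  if (fingerprint(pubDer) !== pinnedFp) {
    throw new Error('server public key does not match pinned fingerprint');
  }
  const pub = nodeCrypto.createPublicKey({ key: pubDer, format: 'der', type: 'spki' });
  const key = nodeCrypto.randomBytes(32); // fresh AES-256 key per login
  const iv = nodeCrypto.randomBytes(12);  // 96-bit GCM nonce
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(password, 'utf8'), c.final()]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt({ key: pub, oaepHash: 'sha256' }, key),
    iv, ct, tag: c.getAuthTag(),
  };
}

// Constructed demo: one honest exchange, then a key that fails the pin.
function demo() {
  const server = makeServer();
  const pin = fingerprint(server.pubDer);
  const ok = server.receive(sendPassword(server.pubDer, pin, 'constructed-sample-pw'));
  let rejected = false;
  try { sendPassword(makeServer().pubDer, pin, 'constructed-sample-pw'); }
  catch (e) { rejected = true; }
  return { ok, rejected };
}
```

This sketch adds no replay protection and does nothing to protect the login page itself in transit, both of which TLS covers.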
: Re: Preferred way to obfuscate passwords over HTTP?
: proxx March 31, 2015, 09:15:15 PM
What HTH said, also lol SSL doesn't have the best name at this point in time :P
: Re: Preferred way to obfuscate passwords over HTTP?
: Mmwwaaaa April 01, 2015, 04:26:01 AM
You have, yes. SSL sounds great... to me. Not to all.

Say a multinational company was to HTTP. They care not for SSL. Basically my situation.

Regards,
: Re: Preferred way to obfuscate passwords over HTTP?
: HTH April 01, 2015, 10:30:42 AM
Then you smack whoever you need to around until they accept SSL/TLS...
: Re: Preferred way to obfuscate passwords over HTTP?
: Teapot April 01, 2015, 04:14:50 PM
I assume their issue with SSL is the Heartbleed vuln from a year or two ago?

Assure them that SSL/TLS is very secure and that while nothing is completely secure it is your best option and very trusted.
: Re: Preferred way to obfuscate passwords over HTTP?
: Mmwwaaaa April 02, 2015, 02:13:06 AM
First rule, Never Assume.
: Re: Preferred way to obfuscate passwords over HTTP?
: Stackprotector April 02, 2015, 11:59:15 AM
Use long passwords in combination with scrypt :)