
The web hosting service I am using has a bit of an ugly UI for logging into domain emails, so I just wanted to put a thin interface over the login screen. My goal is to have users submit their login credentials onto my custom form and then forward those credentials to the real login page and log them in, without showing the user all of the intermediate hoopla.

After some quick googling I found this, which looked like a good solution (the javascript portion of the accepted answer). However, I am not sure if this method is secure? I would just be taking in user data from an html/css form and forwarding it to a form on another URL. How safe is this?

Jane Doe
  • If you use location.hash or postMessage(), it's very secure, but if you use GET params or cookies, then it's very non-secure. – dandavis Jan 22 '14 at 17:23
  • You understand that this is how a lot of man-in-the-middle attacks work, right? They mock the original login page (like a banking site), then pass the credentials to the site themselves, stealing them along the way. Really bad idea. Why not just get a better email provider? Gmail is cheap. – NotMe Jan 22 '14 at 17:25
  • Wow, I didn't realize this would generate this much traction this fast. @ChrisLively I am making a website for a 'fake' company (school project) and the web hosting service we are using has a really ugly email interface. I was going to use this as an exercise in learning JavaScript, but judging from the reactions this has to be done more securely, hmm... too bad, since that defeats the purpose of a thin interface just to cover the 'ugliness' of the web hosting UI. Oh well, thanks. – Jane Doe Jan 22 '14 at 17:54

2 Answers


No, this is not secured. Check my article on hashing sensitive data: MD5 Hashing Javascript

The same library I mentioned in this article can do cipher output.

This may work.

Mina Gabriel
  • How does sending a hash enable the other side to fill in the password? Do you expect the receiving end to have rainbow tables or something? And that's the other problem with this: MD5 is very weak and can be broken in seconds on mediocre machines. – dandavis Jan 22 '14 at 17:25
  • The other side will use the same key to hash all the user names and passwords and compare with what the client side sends ... read to the end of the article – Mina Gabriel Jan 22 '14 at 17:26
  • Really care about why the DV is – Mina Gabriel Jan 22 '14 at 17:27
  • @MinaGabriel AFAIK the asker has no privilege on the server, so how can he do the password hashing backend process? – TruongSinh Jan 22 '14 at 17:37
  • Why is he doing this... he will fail with what he is trying to do, I guess... what is the point of sending the username and password to another page other than validating? – Mina Gabriel Jan 22 '14 at 17:41

Honestly, there is no way you can securely send passwords via JavaScript without SSL. There might be, but without SSL there is no true way in which the USER CAN VERIFY whether or not sending the passwords is safe. So in order to safely send it you must purchase an SSL certificate.

What about MD5?

Well, even though MD5 helps a little, it is a hashing program which makes it irreversible.

Basically to wrap it up, if you don't have SSL you are not secure.

GOT SSL?

nathanleachman
  • That's not really true. PHP cannot send info from one tab to the other without sending it over the wire; JS can. – dandavis Jan 22 '14 at 17:26
  • That is not true either. Add HTML into the mix and sure it can. – nathanleachman Jan 22 '14 at 17:27
  • 1
    *My Suggestion*: Learn JS. Anything that can be done in PHP could be done in JS, and more (browsers, Node.js). So be smart and choose JS. http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/ – TruongSinh Jan 22 '14 at 17:27
  • ok, i'm curious, how would php send runtime-gathered user input from one page to another without using the internet? – dandavis Jan 22 '14 at 17:29
  • This is overly simplified and as far as i can see gives the OP little more info on the subject therefore -1 – helgeheldre Jan 22 '14 at 17:29
  • Really? In Javascript you can't store information into a database so that if something goes wrong you have a database backed up that only you can have access to? – nathanleachman Jan 22 '14 at 17:29
  • what does a DB have to do with safely transferring a password? aside: Chrome actually ships with two DBs if that makes you feel better about JS. – dandavis Jan 22 '14 at 17:30
  • 1
    @jacktherap , c'm, https://npmjs.org/package/mongoose as ORM for MongoDB (btw, do you know what MongoDB is? if not, https://github.com/felixge/node-mysql of MySQL, which every PHP dev should know) – TruongSinh Jan 22 '14 at 17:32
  • `OutOfBoundsException, OverflowException, RangeException, UnderflowException, UnexpectedValueException` – nathanleachman Jan 22 '14 at 17:32
  • @jacktherap have fun reading about those exceptions and how to handle them: http://nodejs.org/api/process.html . BTW, there are some exceptions that JS does not have, because it simply does not cause them, or a dev can cause them. – TruongSinh Jan 22 '14 at 17:35