[TYPO3-english] Salted Passwords & RSA: temp directory path

Christian Lerrahn christian.lerrahn at cerebrum.com.au
Mon Mar 19 07:32:54 CET 2012


Hi Francois,
On Tue, 13 Mar 2012 12:29:07 +0100
François Suter <fsu-lists at cobweb.ch> wrote:

> > * is the RSA Extension really needed for increased security?
> 
> Yes, it's better than SSL.

Sorry to say but I have no clue why you suggest that rsaauth provides
better security than SSL. There are several reasons I could cite why it
doesn't.

1. rsaauth only encrypts the login process. Your BE session is not
encrypted as a whole as it would be with SSL.

2. rsaauth doesn't even encrypt the password when you change it in the
backend.

3. rsaauth has no mechanism to resist man-in-the-middle (MITM) attacks.
While hardly anyone might do that, it is possible to check the
fingerprints of SSL certificates before accepting them (against a reliable
source). Even though SSL MITM might be easier to perform because of
tools being available that do everything for you, it would be a
reasonably simple challenge to write a MITM attack for rsaauth (all you
need is to get in the middle and run a web server with the same kind of
RSA implementation).

4. rsaauth happens without the user's knowledge. If you managed to
disable it on a website as an attacker, the user most likely would not
know that you did. Even relative internet noobs have learned that there
is a difference between http and https, however (certainly not
everyone though).

So, taking all these points into account, I would suggest that SSL is
still more secure than rsaauth. I wish there was a STARTTLS standard
for https, so we could just use SSL even on shared hosts and wouldn't
have to live with makeshifts like rsaauth...

Cheers,
Christian
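Added illustration of points 3 and 4 above (constructed example, not part of the original post and not TYPO3's or rsaauth's code): a site hands the browser an RSA public key over plain HTTP, the browser encrypts only the password with it, and a party in the middle either swaps in its own key (point 3) or strips the key so the browser posts plaintext (point 4). It also shows the check the post says SSL permits: comparing the received key against a fingerprint obtained out of band. The RSA is toy textbook RSA with 256-bit keys and no padding, the class names are invented, and the assumption that the server still accepts a plaintext password when the RSA step is absent is part of the model, not a statement about rsaauth.

```python
"""Constructed model of an rsaauth-style login and two MITM attacks on it.
Toy RSA (256-bit, no padding), invented names; illustration only."""
import hashlib
import random

E = 65537  # public exponent


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin, enough to pick toy RSA primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(c, rng):
            return c


def keygen(bits=256, seed=None):
    """Return ((n, e), d); seeded so the scenarios are reproducible."""
    rng = random.Random(seed)
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:  # gcd(e, phi) must be 1
            return (p * q, E), pow(E, -1, phi)


def rsa_encrypt(pub, msg: bytes) -> int:
    n, e = pub
    m = int.from_bytes(msg, "big")
    assert 0 < m < n, "toy scheme: password must be shorter than the modulus"
    return pow(m, e, n)


def rsa_decrypt(d, pub, c: int) -> bytes:
    n, _ = pub
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def fingerprint(pub) -> str:
    """SHA-256 over n||e, standing in for a TLS certificate fingerprint."""
    n, e = pub
    return hashlib.sha256(n.to_bytes(64, "big") + e.to_bytes(4, "big")).hexdigest()


class Server:
    """Site whose login page carries an RSA key; only the password is encrypted."""
    def __init__(self, password: bytes):
        self.pub, self._d = keygen(seed=1)
        self._password = password

    def login_page(self):
        return {"rsa_public_key": self.pub}  # plain HTTP: key is unauthenticated

    def login(self, form) -> bool:
        if "rsa_cipher" in form:
            pw = rsa_decrypt(self._d, self.pub, form["rsa_cipher"])
        else:
            pw = form["password"]  # modelled fallback: plaintext still accepted
        return pw == self._password


def browser_submit(page, password: bytes):
    """The page's JavaScript: encrypt if a key is present, else post plaintext."""
    if "rsa_public_key" in page:
        return {"rsa_cipher": rsa_encrypt(page["rsa_public_key"], password)}
    return {"password": password}


class KeySwapMitm:
    """Point 3: attacker in the middle runs his own RSA key pair."""
    def __init__(self):
        self.pub, self._d = keygen(seed=2)
        self.captured = None

    def page_to_browser(self, page):
        return {**page, "rsa_public_key": self.pub}

    def form_to_server(self, form, real_pub):
        self.captured = rsa_decrypt(self._d, self.pub, form["rsa_cipher"])
        return {"rsa_cipher": rsa_encrypt(real_pub, self.captured)}  # re-encrypt


class DowngradeMitm:
    """Point 4: attacker strips the key; the browser posts plaintext unnoticed."""
    def __init__(self):
        self.captured = None

    def page_to_browser(self, page):
        return {k: v for k, v in page.items() if k != "rsa_public_key"}

    def form_to_server(self, form):
        self.captured = form["password"]
        return form


def run_scenarios(password=b"correct horse battery"):
    site, out = Server(password), {}
    form = browser_submit(site.login_page(), password)
    out["honest"] = site.login(form) and "password" not in form
    m = KeySwapMitm()
    form = browser_submit(m.page_to_browser(site.login_page()), password)
    out["keyswap"] = (site.login(m.form_to_server(form, site.pub)), m.captured)
    m = DowngradeMitm()
    form = browser_submit(m.page_to_browser(site.login_page()), password)
    out["downgrade"] = (site.login(m.form_to_server(form)), m.captured)
    # Out-of-band fingerprint check, as the post describes for SSL certificates.
    swapped = KeySwapMitm().page_to_browser(site.login_page())["rsa_public_key"]
    out["pin_detects_swap"] = fingerprint(swapped) != fingerprint(site.pub)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

Both attacks log the user in successfully while the attacker holds the cleartext password, and nothing on the user's side changes; the only thing that catches the key swap is the fingerprint comparison, which the plain-HTTP key delivery gives the browser no way to perform.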


