[TYPO3-english] Salted Passwords & RSA: temp directory path
Christian Lerrahn
christian.lerrahn at cerebrum.com.au
Mon Mar 19 07:32:54 CET 2012
Hi Francois,
On Tue, 13 Mar 2012 12:29:07 +0100
François Suter <fsu-lists at cobweb.ch> wrote:
> > * is the RSA Extension really needed for increased security?
>
> Yes, it's better than SSL.
Sorry to say but I have no clue why you suggest that rsaauth provides
better security than SSL. There is several reasons I could cite why it
doesn't.
1. rsaauth only encrypts the login process. Your BE session is not
encrypted as a whole as it would be with SSL.
2. rsaauth doesn't even encrypt the password when you change it in the
backend.
3. rsaauth has no mechanism to resist man-in-the-middle (MITM) attacks.
While hardly anyone might do that, it is possible to check the finger
prints of SSL certificates before accepting them (against a reliable
source). Even though SSL MITM might be easier to perform because of
tools being available that do everything for you, it would be a
reasonable simple challenge to write a MITM attack for rsaauth (all you
need is to get in the middle and run a web server with the same kindof
RSA implementation).
4. rsaauth happens without the user's knowledge. If you managed to
disable it on a website as an attacker, the user most likely would not
know that you did. Even relative internet noobs have learned that there
is a difference between http and https, however (certainly not
everyone though).
So, taking all these points into account, I would suggest that SSL is
still more secure than rsaauth. I wish there was a STARTTLS standard
for https, so we could just use SSL even on shared hosts and wouldn't
have to live with makeshifts like rsaauth...
Cheers,
Christian
More information about the TYPO3-english
mailing list