@ailivac said:
Everyone (ESPECIALLY programmers) should know by now that clients can NEVER be trusted with sensitive information.
It's a matter of hearing it, or a matter of sitting down and just applying logic, yet empirical evidence shows that people don't.
The problem, as I see it, is to make sure that everyone who enters the programming world, by whatever book or (possibly incompetent) teacher, learns this maxim. Reaching all those who are already in it will be impossible, short of something that would reach every person in the whole world, most of whom it would be irrelevant to.
But what I really don't get is why anyone would proclaim that everyone should know anything in particular.
A couple of years ago I hacked together a little salted-hash-based password form with maybe a hundred lines of Perl and JavaScript... please tell me I'm not the only person who's ever tried this?
In decreasing order of probability, your system had one of these properties:
-Storing plaintext passwords on the server
-Constant (per-user) salt, meaning no protection against replay attacks.
-HUGE DATABASE of password hashes valid for a particular user.
The first seems to be a bigger no-no than transmitting them in the clear, I guess particularly as the size of the site (user count) increases.
And I suppose "server breakin" is (considered) more likely than someone sniffing the wire near the server.
Then there's the "encrypt some stuff so you look secure" approach that Gmail and others take: they go to the trouble of getting a certificate and configuring an SSL server, but only use it for the login, so once you're logged in, unless you typed httpS://mail.google.com in the first place, it drops you back to a cleartext channel so all that precious information that you're using a password to secure in the first place is right there for anyone sitting near the same wireless hotspot as you to easily and undetectably grab out of the ether.
First of all, most browsers, by default, warn you of this. If you turn it off, that should be because you're not interested in knowing, right? (Well, most don't care and only see it as a bother/hindrance to what they're trying to do, but that's not the browser's fault.)
On the other hand, look at what you do protect.
The ability to
-access the data in the future (when the user has moved on to another place)
-alter or remove the data
-send mail (verifiably) from that user
-probably more that I missed.
Does running an entire site through SSL really make it that much slower, especially when you're processing everything through non-byte-compiled Ruby scripts?
Even AES, which was selected on performance grounds, is a drain on processing power which will probably exceed even interpreted languages producing the mentioned output. We are then talking of more than a doubling of processing power required.
I swear I've seen hardware crypto accelerators for sale for a few years....
You sound like you (again) assume everybody (who would be maintaining a site which it would be useful for, at least) knows about something you do.
These products have not become very famous, then. I can think of a few possible reasons:
-Problems integrating such hardware with whatever webserver setup you are using.
-Stiff price, since they may often be needed in bulk. (I'm only guessing)
-Low need, because people are happy to have only the "access control" part secured. (In ignorance, sure, but it is a reason)
-Low visibility where it is indeed installed.
-If the cards aren't capable enough they may become the bottlenecks themselves. This is one more thing to troubleshoot...
-Marketing (This being a factor as important as any technical merits is one of my pet peeves, but it's there.)
And are self-signed certs really that bad? Unless someone happens to be DNS-spoofing the site you're connecting to the first time you accept the certificate, and that same person does it with the same fake certificate every other time, what's the difference?
A user on YOUR next hop can create the certificates on the fly and self-sign them, doing a MITM attack on you for every site you visit.
I take it you were tired... it shows.
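To make the replay point from the list above concrete, here is an added example (not code from the thread or from either poster) that models two "hash the password in the browser" login schemes on both sides in one process. Scheme A uses a constant per-user salt: the client sends H(salt || password) and the server stores that same value, so the server never sees the plaintext, but the token on the wire is the same every time and the stored hash doubles as a valid login token (the second and third properties in the list). Scheme B issues a fresh one-time nonce per login and the client sends HMAC(password, nonce); a sniffed token is useless afterwards, but the server now has to hold the plaintext password (or a password-equivalent secret) to verify it (the first property). All names, the sample users and the use of plain SHA-256 rather than a password KDF are choices made for this example.

```python
"""Two client-side-hashing login schemes, both sides in one process.

Scheme A: static per-user salt -> no plaintext on server, but replayable.
Scheme B: per-login nonce      -> not replayable, but plaintext on server.
Sample users/passwords below are constructed for this example only.
"""
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class StaticSaltServer:
    """Scheme A. Stores (salt, sha256(salt || password)) per user."""

    def __init__(self):
        self.users = {}  # username -> (salt, sha256(salt || password))

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_hex(8)  # fixed for the life of the account
        self.users[user] = (salt, sha256_hex((salt + password).encode()))

    def salt_for(self, user: str) -> str:
        return self.users[user][0]  # handed to the browser script before login

    def login(self, user: str, token: str) -> bool:
        # The stored value IS the accepted token, so a DB dump is a token dump.
        return hmac.compare_digest(token, self.users[user][1])


def static_salt_client(server: StaticSaltServer, user: str, password: str) -> str:
    """What the browser-side script does: fetch the salt, hash, send the result."""
    return sha256_hex((server.salt_for(user) + password).encode())


class NonceServer:
    """Scheme B. Verifies HMAC(password, nonce); nonce is single use."""

    def __init__(self):
        self.users = {}    # username -> plaintext password (required to verify!)
        self.pending = {}  # username -> outstanding nonce

    def register(self, user: str, password: str) -> None:
        self.users[user] = password

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, token: str) -> bool:
        nonce = self.pending.pop(user, None)  # consumed whether or not it matches
        if nonce is None:
            return False
        expected = hmac.new(self.users[user].encode(), nonce.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(token, expected)


def nonce_client(password: str, nonce: str) -> str:
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run both schemes against a passive sniffer who replays what it saw."""
    a = StaticSaltServer()
    a.register("alice", "hunter2")
    sniffed_a = static_salt_client(a, "alice", "hunter2")  # seen on the wire
    assert a.login("alice", sniffed_a)                     # legitimate login
    static_replay = a.login("alice", sniffed_a)            # attacker, later

    b = NonceServer()
    b.register("bob", "correct horse")
    sniffed_b = nonce_client("correct horse", b.challenge("bob"))
    assert b.login("bob", sniffed_b)                       # legitimate login
    replay_without_nonce = b.login("bob", sniffed_b)       # nonce already used
    b.challenge("bob")                                     # attacker asks for a new one
    replay_with_new_nonce = b.login("bob", sniffed_b)      # token bound to old nonce

    return {
        "static_salt_replay_succeeds": static_replay,
        "nonce_replay_succeeds": replay_without_nonce or replay_with_new_nonce,
        "static_salt_server_holds_plaintext": "hunter2" in a.users["alice"],
        "nonce_server_holds_plaintext": b.users["bob"] == "correct horse",
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two results are the trade-off the list above describes: a constant salt keeps the plaintext off the server but makes every sniffed login reusable, while a per-login nonce stops replay only by making the server keep something it can recompute the response from. Neither scheme gives the wire confidentiality that running the whole session over SSL does.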