Safest way to send username + password? [AJAX]

Get help using Construct 2

Post » Wed Jun 01, 2016 1:04 pm

grigrizljac wrote: This plugin, I guess, should do the trick.
Since there are two keys – private (on server) and public (in C2), it's harder (I think it's impossible, correct me if I'm wrong) for a hacker to decrypt it. Even if they know the public key, they can only encrypt data and send it to the server, but cannot decrypt it.
Also, it's a good idea to encrypt the public key a bit (instead of plain-pasting it to C2, maybe split it into lots of pieces, then use these pieces together to compose it, change numbers to equations etc.).


Nothing is impossible, sadly. Most encryption schemes can be cracked by supercomputers doing cryptanalysis given enough time. The idea behind a secure system is that the lifetime of the information being secured is shorter than the amount of time it takes to break into a secure system. However, more often, hackers use system vulnerabilities or social engineering to break into the system, like Heartbleed, ShellShock, or spear phishing. Our servers were attacked with ShellShock attacks even before it really became widely known, so I was patched before it was widely publicized simply because I was keeping an eye on our server logs.

As far as SSL is concerned, the easiest way to "crack" it is to execute a man-in-the-middle attack replacing the SSL certificate with another local one. This is detectable though and can be protected against with browser certificate trust settings. It should be noted though that SSL doesn't protect your server. It protects your users' passwords and usernames in transit between them and you.

But for our purposes (and yours too), SSL (public-private or asymmetric key cryptography) is as good as we need.

You shouldn't need to encrypt the public key. That one is public because it only allows people to encrypt data back to you, not decrypt anything. The private key can be encrypted on your server, but you need to be able to decrypt it readily, which ties back into my question about how to secure symmetric keys on your servers. I know a lot of sys admins use TrueCrypt to just encrypt the entire drive partition, but I am not sure if this works on virtual partitions or not.
https://www.ravenheart.ca/home
Company name changed to avoid Facebook-type shenanigans

"Someone once told me I bite off more than I can chew...

I told them I would rather choke on greatness than nibble on mediocrity."

Post » Wed Jun 01, 2016 4:24 pm

lennaert, someone else is pointing out what I was saying. I have seen more Christmases than you have since you had your nappy changed, lennaert.
B
206
S
27
G
13
Posts: 1,840
Reputation: 35,800

Post » Wed Jun 01, 2016 5:15 pm

Well, it's not really true that everything can be hacked. Of course your "system" security is not only encryption of data transfers, but your server setup, gateway, firewall, browser and a bunch of other things, depending on the system.

But these are usually pretty well done. It's not the weak encryption of data which usually fails. It's the human who usually fails. Let's take Kevin Mitnick for instance. He is considered the most famous hacker in the world. There are books and movies about his life. Even such a guy as Kevin wasn't always able to crack/hack things in, let's call it, a "digital way". He was doing more personal tricks. He talked to a lady who was working at some company to get some information in a tricky way, etc. So hacking is much more than fighting with encryption, scanning ports, sniffing the network, etc.

I am not an expert in security, but as far as I am aware there is still no supercomputer in the world which can break an 8-character UTF password encrypted with some one-way encryption like SHA1 during an average man's lifetime. So there is no way to actually crack encrypted data, but there are ways to bypass encryption.

What is usually enough to sleep without stress is SSL + salted params encryption with an API-KEY. Companies from around the world use it by default for their webshops, etc. This is a standard which is simply enough for e-commerce, so I am sure it is enough for the indie game industry as well. Just don't leave your data transfers in plain text and you're quite fine :).

Post » Fri Jun 24, 2016 7:01 am

@Lordshiva1948 wrote: lennaert, someone else is pointing out what I was saying. I have seen more Christmases than you have since you had your nappy changed, lennaert.

Great that you compare Christmas and nappies with computer science knowledge ...
Everyone likely has a supercomputer and is interested in the childish stuff you post. rofl

I have likely forgotten more about computer science and programming than you have ever understood on the subject .....
Who dares wins

Post » Fri Jun 24, 2016 8:57 am

You took your time answering post comments? Were you searching for Ashley to back you up?

Post » Fri Jun 24, 2016 10:05 am

Lordshiva1948 wrote: You took your time answering post comments? Were you searching for Ashley to back you up?


Nope, I was enjoying life instead of pretending to know and understand things like yourself, on a forum where you think portraying yourself as such is important :)

... shiva would be proud of you, hehehe

Post » Fri Jun 24, 2016 1:34 pm

lennaert, nope, I am not important, and for your info Shiva is proud of you too. He blesses you and your loved ones too, in health and wealth.

Post » Fri Jun 24, 2016 2:01 pm

I would like to know if 2-step authentication like this or this would be possible in any way; that would make it really hard to steal accounts.

[EDIT:]
This and this one are even open source, so a plugin for construct would be a nice addition :D

Post » Sat Jun 25, 2016 12:20 am

Yea those both work for authentication. Two factor authentication is one of the most secure ways to do authentication.
