View Single Post
Old 09 Nov 2014, 15:08
Dave Dave is offline
Join Date: Jun 2010
Real name: Dave
Originally Posted by nerbert View Post
A problem I see here is that the browser still transmits the password with the md5 hashes and an eavesdropper can still intercept them and crack them. All your advanced hashing happens on the server after it receives the md5 hashes. What you could do is replace the original vbulletin_md5.js file with one that does the md5 and bcrypt hashing . Then the password is better encrypted in transit. I think you would have to use vBulletin's original code and then add more code (available as open source) to further encrypt both versions of the hashes. Once this is done you could skip the PHP code that bcrypt hashes on the server

There's a further thing to consider though, it seems to me that there's a problem with vbulletin_md5.js and older (and maybe newer) versions of IE, so it don't encrypt at all. You'll have to check this out with various browsers. There's open source md5 javascript available and you could copy the vbulletin code that handles the difference between vb_login_md5password and vb_login_md5password_utf into the new md5 algorithm.
True, but this will be more difficult (because of cross-browser support if you want to implement other hashing methods with JavaScript). Also this is a reason why you should use HTTPS.
__________________ - security, development, exploits, vBulletin

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote