if i'm reading it right, this doesn't sound all that solid to me. what's keeping a password guessing bot from just mimicking all of the javascript's functionality? especially since it looks like all of your 'secret' strings are sent across the network in cleartext.
really, the only way to protect yourself at all from a brute force guesser is to cut off the IP after a couple incorrect guesses. even then, a determined attacker with access to a lot of IP addresses and in no hurry could still be dangerous.
another big problem i see with your approach is just the amount of complexity involved. cryptographic protocols are exceedingly hard to design and implement correctly. the more complex it is, the easier it is to screw up one little piece and comprimise the whole system.
if your client is going to insist on using weak, guessable passwords, probably the best thing you could do would be to implement a public key system. the client creates a keypair on their machine, encrypting the private key with whatever weak password they want to use, and gives you a copy of the public key. then the server generates a random challenge string, encrypts it with their public key and sends it to the browser. the user copies and pastes the ciphertext into a pgp app, decrypts it and pastes the results back into a web-form. the server checks it and sets a session cookie if it matches the original. this would still have to be done over SSL or the session could be hijacked later on by someone snooping the network. as long as the client's machine or private key isn't comprimised, you're ok.
the simplest and most highly recommended solution though is to just convince your client that they need to use good passwords and then use regular HTTP authentication over SSL.
In reply to Re: Security and JavaScript
by thraxil
in thread Security and JavaScript
by rlgarris682
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |