Re: 38k Member Forum
Reply #28 –
Cool.
NB I never said I was opposed to adding extra security, merely that I was opposed to purposefully breaking things with JS disabled. Obviously, from a security standpoint the addition of Javascript does eliminate most potential sniffing dangers. From the top of my head, the only attack I can think of is that someone in the position to sniff may also be in the position to alter or block the JS sent to the user so that they get a nice unhashed password, but that would take more effort. Encryption would guard against the latter possibility, but in that scenario you probably wouldn't gain much from hashed passwords in the first place. (Correct me if I'm wrong.)
What I meant to imply when I called for us to "keep in mind that it should always work with JS disabled or absent" is a warning message, for example:
<strong class="noJS">Warning: with Javascript disabled your password may be at greater risk of being sniffed by some script kiddie and/or the NSA.</strong>
coupled with, e.g.
$('.noJS').css('display', 'none'); // or however one might accomplish that in jQuery
And of course in my proposal you'd also flip the switch on a hidden INPUT element indicating whether or not the password comes prehashed.
Note that a warning or error message along those lines is a necessity regardless whether or not JS-less logins are supported. Javascript may have failed to load even when enabled because it was filtered by a proxy/firewall/malicious entity. As such, in a JS-only scenario there should be no forms on the page to prevent any accidental submissions. To prevent the layout from breaking you could just clone the children of a relevant DIV inside a newly created FORM element.