Closed Bug 212617 Opened 21 years ago Closed 18 years ago
Please note that this often-seen-on-the-web procedure is totally useless if your goal is to prevent sniffing the password on the wire. Any bad guy would of course sniff the md5sum and retransmit it in order to gain unauthorized access, without the need of knowing the original password. Essentially, the md5sum *is* the cleartext password. The only use of such procedure is to keep a server admin from accidentally seeing a password that a client might also use for other purposes. For more security, use at least HTTP digest authentication as described in RFC 2617. You might also consider basic auth over HTTPS.
No, this is wrong. A carefully-written JS would include a timestamp to prevent replay attacks. HTTPS connections would require a certificate, which such scripts work around. (Self-signed certs are not trusted and issue a warning which would be bad in some situations.)
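To make the disagreement in the two comments above concrete, here is an added simulation (not code from this bug or from Mozilla) of both schemes: a server that accepts md5(password) directly, and a simplified RFC 2617 digest exchange (no qop, nc or cnonce) in which the response is bound to a server-issued nonce. The user name, realm, password and URI are constructed sample values.

```python
import hashlib
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

USER, REALM, PASSWORD = "alice", "example", "correct horse"  # constructed sample

# Scheme 1: client sends md5(password); server stores and compares the same value.
class HashOnlyServer:
    def __init__(self):
        self.stored = md5_hex(PASSWORD)
    def login(self, sent_hash: str) -> bool:
        return secrets.compare_digest(self.stored, sent_hash)

def replay_hash_only() -> bool:
    """Resubmit one captured login message: the hash *is* the credential."""
    server = HashOnlyServer()
    captured = md5_hex(PASSWORD)   # exactly what crossed the wire
    return server.login(captured)  # True: the server cannot tell the difference

# Scheme 2: RFC 2617 digest without qop: response = md5(HA1:nonce:HA2),
# HA1 = md5(user:realm:password), HA2 = md5(method:uri). Server holds HA1 only.
class DigestServer:
    def __init__(self):
        self.ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
        self.nonce = None
    def challenge(self) -> str:
        self.nonce = secrets.token_hex(16)  # fresh, single-use nonce
        return self.nonce
    def verify(self, method: str, uri: str, response: str) -> bool:
        if self.nonce is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.ha1}:{self.nonce}:{ha2}")
        self.nonce = None  # a nonce is consumed whether or not the check passes
        return secrets.compare_digest(expected, response)

def digest_response(nonce: str, method: str, uri: str) -> str:
    """What a client that knows the password computes for a given challenge."""
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def replay_digest() -> tuple:
    """Legitimate login, then the same captured response against a new nonce."""
    server = DigestServer()
    captured = digest_response(server.challenge(), "GET", "/private")
    first = server.verify("GET", "/private", captured)   # True
    server.challenge()                                    # next request, new nonce
    second = server.verify("GET", "/private", captured)  # False: stale response
    return first, second
```

Note that digest only addresses replay on the wire: the server still stores HA1, which is a password-equivalent for that realm, so it does not remove the need for TLS where the password itself must stay confidential.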
Just a thought, but this bug looks like a duplicate of bug #235765.
*** Bug 235765 has been marked as a duplicate of this bug. ***
Bug 235765 is not a dupe; Firefox has its own password manager implementation.
Assignee: dveditz → nobody
This bug should have been fixed by the non-passwordmanager specific changes in bug 257781. (at the same time, it has caused the regression in bug 343182)
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED