vedard

joined 1 year ago
sorted by: new top controversial old
3
How Target Was Breached in 2013 (blog.0x7d0.dev)
2
How Equifax Was Breached in 2017 (blog.0x7d0.dev)
90
How AES Is Implemented (blog.0x7d0.dev)
 

In this article, I explain how AES encryption works and how the algorithm is implemented.

1
Unlocking Discord Nitro Features for Free (blog.0x7d0.dev)
2
How They Bypass YouTube Video Download Throttling (blog.0x7d0.dev)
1
How the Nintendo Wii Security Was Bypassed (blog.0x7d0.dev)
Passwords sent as plaintext? in c/infosecpub@infosec.pub
[–] vedard@infosec.pub 4 points 1 year ago (1 children)

You are describing TLS, which is commonly used for websites and web apps.

Try the following command:

openssl s_client -connect infosec.pub:443

The public key, the authority that signed the certificate, and the cypher used will all be visible.

For me, the cipher used is ECDHE-RSA-AES256-GCM-SHA384.

Passwords sent as plaintext? in c/infosecpub@infosec.pub
[–] vedard@infosec.pub 5 points 1 year ago (1 children)

Because it provides no advantage. TLS is used to secure any data sent to a server. If you don't trust the server with your password, then you should use a unique password for this website. In fact, you should always use a unique password.

https://www.cloudflare.com/en-ca/learning/ssl/transport-layer-security-tls/

Passwords sent as plaintext? in c/infosecpub@infosec.pub
[–] vedard@infosec.pub 4 points 1 year ago (6 children)

Passwords are always sent to the server, then it is hashed to check it against the value in the database. It's also possible to view your password by inspecting login requests from other websites. TLS is used to secure it while in transit.

Hashing is done as an extra measure of security in case the database is compromised. This measure of security would have been completely void if the server would accept password hash directly. You could log in as any user by using his compromised hash.