Recent Posts
21
Features / Re: New revs
« on April 16th, 02:40 PM by Nao »
[Commit revision 57b05c2]
Author: Nao
Date: Sun, 16 Apr 2017 14:31:50 +0200
Stats: 2 files changed; +0 (insertion), -544 (deletions)

  • I don't think I need a fallback JSON function. Really, I added that because the PHP.net documentation mentioned something about PECL and I thought it needed to be installed, when actually it meant "PHP 5+ or PHP 4 with PECL", and since we don't support PHP 4... (Class-JSON.php, Subs.php)

[Commit revision 8d8f49f]
Author: Nao
Date: Sun, 16 Apr 2017 14:33:51 +0200
Stats: 1 file changed; +6 (insertions), -3 (deletions)

  • Firefox and recent IE require inline SVG to be URL-encoded. (Class-CSS.php)
  • Don't bother inlining SVG images for IE8 and older, because they don't support it... Might as well save some bandwidth here. (Class-CSS.php)
  • There's no need to specify a charset for inline SVG. (Class-CSS.php)
22
On the client side, if the browser supports JS, the password gets hashed once without any salt and with SHA-1. If the browser doesn't support JS, it doesn't get hashed. The hashed or unhashed password gets sent to the server; if it's unhashed/plain, Wedge hashes it first. Now it's in any case hashed once with SHA-1. Now it gets hashed again with SHA-1, but this time with the salt connected to this user. If the hash is now the same as in the database, it's the correct password.
This hashing on the client side was quite cool when you didn't have SSL in all places, because you don't send your password in plain. Still, if someone can hijack the session (MITM attack) he/she can read out the hashed password and log in with that again at any time (until you change your password).
I didn't dig through all the code, so I'm not 100% sure it works exactly like this. Especially this 2x hashing + salting is interesting; it makes all of it a bit harder to crack.
23
The Pub / Re: Question about SHA1/256 (github issue #60)
« on April 15th, 01:53 AM by Farjo »
Thanks for the reply, very interesting. How does Wedge hash on client side?

Perhaps my next question is to the Elkarte crew - why, after you'd looked into it all, did you choose SHA256 over bcrypt / password_hash()?

I see that Nao has posted to issue #60 and I will watch with interest.
24
Bug reports / Re: Couple things to look into...
« on April 12th, 12:47 PM by Nao »
Did someone look into the Subs-Login semi-mystery?

I also have a quick note for optimization purposes. Just can't bother to add it to Wedge, but this should probably be in the next database update batch (remember? ;))...

I found out that {db_prefix}thoughts has no index on the id_parent column. It's often used in inner joins, so it should REALLY be there. I don't use thoughts a lot, so it's no biggie, but I can imagine that after a while, it'd have an influence over performance.
25
Bcrypt would be the algorithm I would choose too. But I don't know what I should think of the password_hash() functions. It's always a bit critical if you change the password hashing algorithm, because in the database you still have the hashes with the old algorithm, so you have to hash it once with the old algorithm to make sure it's the correct password and after that insert/update the hashed password with the new algorithm. It's getting even more complicated because Wedge already hashes the password on the client side so as not to transfer the password in plaintext (which I like). I want to change it, but it's a bit critical and I'm not an expert for this. Therefore I want to do it well planned and with a bit more knowledge than I have at the moment. The thing I worry about with password_hash() is that if you use a database backup from a new PHP version on an old PHP version where the password_hash() function would use a different (less secure) algorithm, this would maybe break things. But I only scanned the documentation.
Besides that, it's not super important to change the hashing algorithm now, as we "only" use it for passwords. So if you don't have to fear NSA or something like that, your passwords aren't currently in danger.
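The two posts above describe, first, Wedge's current flow (SHA-1 on the client when JS is available, SHA-1 on the server otherwise, then a second SHA-1 with the per-user salt) and, second, the migration problem of verifying old hashes with the old scheme before storing a password_hash() result. The PHP below is an added example written for this thread, not Wedge code: it implements the legacy flow exactly as the earlier post describes it and adds an upgrade-on-login step. The `passwd` / `password_salt` column names, the salt format, the "hashed on the client" flag and the demo password are all assumptions.

```php
<?php
// Added example (not Wedge code). Column names, salt format and the
// "hashed on client" flag are assumptions made for this illustration.
declare(strict_types=1);

// Simulates the browser: with JS the password is SHA-1 hashed unsalted,
// without JS it is sent as typed. Returns [value, wasHashedOnClient].
function client_submit(string $password, bool $jsEnabled): array
{
    return $jsEnabled ? [sha1($password), true] : [$password, false];
}

// Server side, first step: make sure the value is SHA-1 hashed exactly once,
// whichever path the browser took.
function normalize_client_value(string $value, bool $hashedOnClient): string
{
    return $hashedOnClient ? $value : sha1($value);
}

// Legacy storage: a second SHA-1 over the client hash plus the per-user salt.
function legacy_hash(string $clientHash, string $salt): string
{
    return sha1($clientHash . $salt);
}

function legacy_verify(string $clientHash, string $salt, string $stored): bool
{
    // hash_equals() compares in constant time, so a mismatch does not leak
    // how many leading characters were right.
    return hash_equals($stored, legacy_hash($clientHash, $salt));
}

// New storage: password_hash() over the client hash. The client hash is the
// secret the server actually receives, so that is what bcrypt protects.
function modern_hash(string $clientHash): string
{
    return password_hash($clientHash, PASSWORD_DEFAULT);
}

// Login check that upgrades a legacy row in place on the first successful
// login. $row is an assumed user record with 'passwd' and 'password_salt'.
// Returns true on success; $upgraded tells the caller to persist $row.
function verify_and_upgrade(array &$row, string $clientHash, ?bool &$upgraded): bool
{
    $upgraded = false;
    // password_get_info() reads the algorithm from the stored string itself
    // ("$2y$..." for bcrypt); 'algo' is empty for a legacy hex SHA-1 value.
    $info = password_get_info($row['passwd']);
    if (!empty($info['algo'])) {
        if (!password_verify($clientHash, $row['passwd'])) {
            return false;
        }
        // Re-hash if the default algorithm or cost has moved on since storage.
        if (password_needs_rehash($row['passwd'], PASSWORD_DEFAULT)) {
            $row['passwd'] = modern_hash($clientHash);
            $upgraded = true;
        }
        return true;
    }
    // Legacy row: verify with the old scheme, then replace the hash.
    if (!legacy_verify($clientHash, $row['password_salt'], $row['passwd'])) {
        return false;
    }
    $row['passwd'] = modern_hash($clientHash);
    $row['password_salt'] = '';
    $upgraded = true;
    return true;
}

// Constructed demo: register a legacy user, then log in via both client paths.
$salt = bin2hex(random_bytes(4));
[$v, $h] = client_submit('correct horse', true);
$user = [
    'passwd' => legacy_hash(normalize_client_value($v, $h), $salt),
    'password_salt' => $salt,
];

foreach ([true, false] as $js) {
    [$v, $h] = client_submit('correct horse', $js);
    $ok = verify_and_upgrade($user, normalize_client_value($v, $h), $upgraded);
    printf("js=%d ok=%d upgraded=%d stored_prefix=%s\n",
        (int) $js, (int) $ok, (int) $upgraded, substr($user['passwd'], 0, 4));
}

[$v, $h] = client_submit('wrong password', true);
printf("wrong password accepted: %d\n",
    (int) verify_and_upgrade($user, normalize_client_value($v, $h), $upgraded));
```

The first login succeeds against the legacy SHA-1 row and rewrites it as a bcrypt string; the second login (no-JS path) is verified by password_verify() against that new string, so both client paths keep working across the migration. Because the algorithm and cost are encoded in the stored string, a hash written by a newer PHP still verifies on an older PHP as long as that PHP knows the algorithm (bcrypt has been supported since 5.5); the backup concern is therefore about which algorithms the older build supports, not about the default changing. The bcrypt layer hardens stored hashes against offline cracking; it does not change the earlier post's point that the client-side hash is the credential on the wire, so transport protection is still required.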
26
Features / Re: New revs
« on April 7th, 03:55 PM by Nao »
[Commit revision e850d4a]
Author: Nao
Date: Fri, 07 Apr 2017 15:54:52 +0200
Stats: 1 file changed; +1 (insertion), -1 (deletion)

  • Stats pages would still show a topic title in 50% width even in mobile mode, where 100% was a given. (sections.css)
27
Features / Re: New revs
« on April 7th, 03:52 PM by Nao »
[Commit revision f89d6d6]
Author: Nao
Date: Fri, 07 Apr 2017 15:52:34 +0200
Stats: 1 file changed; +6 (insertions), -1 (deletion)

  • And of course I forgot to check the script.js box... Re-adding the log here.
  • ! Attempting to fix the slight annoyance of seeing orange notifications in the top left corner when they were already viewed in another tab. (script.js)
  • Allow for external URLs in weUrl. Not used in Wedge, but confirmed useful for other purposes. (script.js)
28
Features / Re: New revs
« on April 7th, 03:51 PM by Nao »
[Commit revision 9184d00]
Author: Nao
Date: Fri, 07 Apr 2017 15:51:32 +0200
Stats: 3 files changed; +5 (insertions), -5 (deletions)

  • Attempting to fix the slight annoyance of seeing orange notifications in the top left corner when they were already viewed in another tab. (script.js)
  • Allow for external URLs in weUrl. Not used in Wedge, but confirmed useful for other purposes. (script.js)
  • Updated jQuery from 3.1.1 to 3.2.1. (jquery-*.js, Load.php)
29
The Pub / Question about SHA1/256 (github issue #60)
« on April 7th, 02:19 AM by Farjo »
This issue says that Wedge uses SHA1 and Elkarte SHA256, and suggests switching to bcrypt.

My question is how come you don't use php's password_hash() which currently uses bcrypt but will change over time, presumably to whatever becomes more secure, so one less thing to worry about?

http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
http://php.net/manual/en/function.password-hash.php
30
Plugins / [Plugin] Re: CountLikes
« on April 4th, 08:57 PM by Kian »
Quote from CerealGuy on April 4th, 03:55 PM
@Kian
do you get the error because of the CountLikes Plugin?
Actually, no, I don't have it, wrong topic :oops: