Comments (10)
from secretchat.site.
This is redundant and pointless. Sha1 is broken and has been for some time. Use sha256 if you plan on basing your room name privacy model around hashes. Also, consider salting them or setting the HMAC with a password users need to know for entry instead.
Example:
Channel name: I_love_elephants
HMAC: anyonehereisallowed
Link becomes: https://secretchat.site/room/33aa9dcfc7beaded440572febdbe793123991cd85529120a9bdb31388f2b7547
from secretchat.site.
The link example was based on an implementation having used sha256 with an HMAC. Since your site doesn't, of course the link doesn't work.
from secretchat.site.
There are multiple issues with your approach.
You are giving a sha1 hash of the room which anyone paying attention to the connection could attempt to brute-force.
You're also not even adding a random salt to the room sha1.
You shouldn't be using sha1 ( https://www.schneier.com/blog/archives/2005/02/sha1_broken.html ) - THIS DATES BACK TO 2005. IT'S BEEN BROKEN FOR MORE THAN A DECADE!
Take a look at https://passlib.readthedocs.io/en/stable/ and https://docs.python.org/2/library/hashlib.html
OTR-encrypted chats and Signal have Perfect Forward Secrecy. Thus both would be much better than your site.
from secretchat.site.
Sir, not to kick you down, but the fact I was able to access a 'secret' conversation by entering the 'elephant' room without needing any programming experience shows the level of security that this site uses.
Anyone can take a SHA1 hash and reverse it without being told the name.
This URL does just that, https://hashkiller.co.uk/sha1-decrypter.aspx <------------- "Tested elephant"
The fact that this hash (which is just the name of the room anyways) is used to 'encrypt' anything is scary. How is this secure if a script kiddie can get access so easily?
Saying that "Most people don't understand PGP.." does not make your software any more secure. Nor does it debunk any thesis that your software is insecure.
Pidgin, Hexchat, etc. are clients that take care of GPG, PGP, etc. for you so you don't need to understand them anyways.
It doesn't require advanced technical skills to use Signal or OTR. Seriously.
And no, "a simple phone call" is not going to fix the problem.
If someone were experienced with multiple languages, such as JavaScript, Java, Python, PHP, etc., I would have no doubt that they would be able to create havoc or serious damage.
Please take time to research more into the security aspect of something if you are serious about 'security'.
from secretchat.site.
So you used a weak key and are surprised that you can find a matching hash.
Anyway, I already said sha256 sounds like a good idea, as well as salts.
Patches welcome, or you can continue throwing stones if that is all you want to do.
from secretchat.site.
Commit f867ab8 resolves this issue.
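The two room-id schemes debated in this thread, side by side, as an added example that is not part of the thread or of the site's code. The function names and the small wordlist are constructed for illustration; the room name and key are the ones from the first comment's example.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed wordlist standing in for the public lookup tables the thread mentions.
WORDLIST = ["cat", "dog", "elephant", "I_love_elephants"]

def legacy_room_id(name: str) -> str:
    """Unsalted SHA-1 of the room name: the scheme the commenters object to."""
    return hashlib.sha1(name.encode("utf-8")).hexdigest()

def keyed_room_id(name: str, room_key: str) -> str:
    """HMAC-SHA256 of the room name, keyed with a secret the members share."""
    return hmac.new(room_key.encode("utf-8"), name.encode("utf-8"),
                    hashlib.sha256).hexdigest()

def find_name(room_id: str, candidates: Iterable[str],
              derive: Callable[[str], str]) -> Optional[str]:
    """Audit helper: return the candidate whose derived id equals room_id."""
    for name in candidates:
        if hmac.compare_digest(derive(name), room_id):
            return name
    return None

def may_enter(room_id: str, name: str, room_key: str) -> bool:
    """Server-side check: recompute the id and compare in constant time."""
    return hmac.compare_digest(keyed_room_id(name, room_key), room_id)

if __name__ == "__main__":
    # Unsalted SHA-1: anyone who sees the id can test common names against it.
    weak = legacy_room_id("elephant")
    print("sha1 id      :", weak, "->", find_name(weak, WORDLIST, legacy_room_id))

    # Keyed id: the right name alone no longer reproduces it.
    strong = keyed_room_id("I_love_elephants", "anyonehereisallowed")
    print("hmac id      :", strong)
    print("name only    :", find_name(strong, WORDLIST, legacy_room_id))
    print("wrong key    :", find_name(strong, WORDLIST,
                                      lambda n: keyed_room_id(n, "wrong-guess")))
    print("name and key :", may_enter(strong, "I_love_elephants", "anyonehereisallowed"))
```

The keyed id is only as hard to guess as the key itself: a short or common key can be enumerated the same way a common room name can.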