Subject [Bug 51966] Tomcat does not support ssha hashed passwords in all contexts
Date Thu, 06 Feb 2014 03:14:43 GMT

--- Comment #20 from Gabriel <> ---
(In reply to Gabriel from comment #19)
> Hashing on the client side has its merits as long as you also hash on the
> server side and you don't use the same salt on the client as you do on the
> server.  In particular, if your client code fetches the salt corresponding
> to a username, that lets an attacker know if they have a valid username (if
> they receive a salt from the server to do hashing on the client side).  If
> you use a random salt generated for a client session or even a constant
> client-side salt, it is best to also hash on the server side with an
> independent user-specific hash.  
Oops... random salt generated for a client session wouldn't work, would it?  It
would either have to be constant or user specific.  I suppose constant is best
on the client side.
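As an added illustration of the scheme discussed in this comment (this is example code, not anything from the Tomcat project or the bug's participants): the client hashes the password with a constant client-side salt, and the server independently hashes that digest again with a random per-user salt that never leaves the server, so no salt lookup by username is exposed. The constant `CLIENT_SALT`, the PBKDF2 parameters and the `CredentialStore` class are all assumptions made for the example. The server also runs the same derivation for unknown usernames so that response timing does not reveal whether an account exists.

```python
import hashlib
import hmac
import os

# Assumption for this example: a fixed, application-wide salt shipped with the
# client. Constant on the client side, as the comment suggests; it only stops
# the raw password from leaving the client and gives no per-user protection.
CLIENT_SALT = b"example-app-client-salt-v1"


def client_hash(password: str) -> bytes:
    """Client side: salted digest sent to the server instead of the password."""
    return hashlib.sha256(CLIENT_SALT + password.encode("utf-8")).digest()


class CredentialStore:
    """Server side: per-user random salt plus a slow hash of the client digest.

    The per-user salt is stored only here and is never returned to a client,
    so a login endpoint cannot be used to confirm that a username is valid.
    """

    ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}
        # Salt used for the dummy derivation on unknown usernames, so a
        # missing account costs the same time as a real failed login.
        self._dummy_salt = os.urandom(16)

    def _derive(self, salt: bytes, client_digest: bytes) -> bytes:
        # The client digest is the "password" input; the server salt is
        # independent of the client salt and unique per user.
        return hashlib.pbkdf2_hmac("sha256", client_digest, salt, self.ITERATIONS)

    def register(self, username: str, client_digest: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(salt, client_digest))

    def verify(self, username: str, client_digest: bytes) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for unknown users, then reject.
            self._derive(self._dummy_salt, client_digest)
            return False
        salt, stored = record
        # Constant-time comparison of the recomputed and stored hashes.
        return hmac.compare_digest(self._derive(salt, client_digest), stored)

    def stored_hash(self, username: str) -> bytes:
        """Exposed only for the demonstration below, never by a real login API."""
        return self._users[username][1]


def demo() -> dict:
    """Register two users with the same password and exercise verification."""
    store = CredentialStore()
    store.register("alice", client_hash("correct horse battery staple"))
    store.register("bob", client_hash("correct horse battery staple"))
    return {
        "alice_ok": store.verify("alice", client_hash("correct horse battery staple")),
        "alice_wrong": store.verify("alice", client_hash("wrong password")),
        "unknown_user": store.verify("carol", client_hash("correct horse battery staple")),
        # Same password, different per-user server salt: stored hashes differ.
        "same_pw_distinct": store.stored_hash("alice") != store.stored_hash("bob"),
    }


if __name__ == "__main__":
    print(demo())
```

Two users who chose the same password end up with different stored hashes because the server salt, not the constant client salt, is what differs per user; that is why the comment says the server-side hash must be independent and user-specific.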
