(how can i subcribe to this thread? .. mail me at at_he&hotmail-com please)

I don’t mind constructive criticism and if you mentioned the points in your previous comment then they would be welcome but I found it annoying that all you stated was already mentioned in the article.

Let stop this eh? It’s wasting valuable hacking time Great points and of course this method is no replacement for SSL

You’re right though, I must have missed that line somehow, however the fact that they key is passed in plaintext isn’t the biggest issue; the reason I don’t see this as too valuable is because Javascript encryption only stands up to passive attackers, and its pretty unlikely that an attacker would be able to read, but not modify data.

I understand the worth of raising the bar, etc, but given that the performance benefits associated with using this method as opposed to SSL/TLS probably aren’t too huge.

I’m not too interested in patents or whitepapers; well, not unless they are new and interesting ideas, and this is neither, not that I can really talk, having not posted anything new or interesting in a long while.

And while having everyone agree with you is nice, its better IMO to have those that don’t and are always critical, but not hostile. So I’ll keep posting until my comments stop getting approved (like they did elsewhere).

Yeah good idea, I’ve written a md5 javascript login before but of course you can just intercept the hash. If however a random salt was used each time and then was hashed with the decrypted data then it would be possible to create a pretty secure login system.

Two sites could even communicate with this method to perform a cross site login without SSL. Still I won’t be rushing to implement it on any sites I develop

I’ve seen MD5 hashing in JS for login pages, and they have a practical implication IMO.

One thing has been bothering me lately…Recently you only seem to post negative things on my blog. The article clearly states “I’ve done for a bit of fun really” and “I doubt this technique would ever be used in the real world” but you still insist on repeating that fact, why?

Don’t take security so seriously and realise that some of us aren’t interested in patents or whitepapers and simply want to have fun! I will continue to post my ideas and I suggest the next time you make a comment you look at the context of the post.

Now I’m gonna implement JSSL on my new credit card transaction system, it will be ultra secure…see a joke