DokuWiki

It's better when it's simple

User Tools

Site Tools


plugin:securelogin

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
plugin:securelogin [2014-09-24 09:01]
mattfiddles Japanese language files update
plugin:securelogin [2018-05-28 21:45] (current)
Klap-in [Download and Installation]
Line 1: Line 1:
-====== ​securelogin plugin ​======+====== ​SecureLogin Plugin ​======
  
 ---- plugin ---- ---- plugin ----
-description:​ This plugin ​let you login securely without HTTPS.+description:​ This plugin ​encrypts submitted passwords, giving ​you and your users an extra layer of security.
 author ​    : Mikhail I. Izmestev, Matt Bagley author ​    : Mikhail I. Izmestev, Matt Bagley
 email      : securelogin@mattfiddles.com email      : securelogin@mattfiddles.com
 type       : admin, action type       : admin, action
-lastupdate : 2014-09-23 +lastupdate : 2018-02-17 
-compatible : 2009-03-12+,​ rincewind, angua, Adora Belle, Weatherwax, Binky, Ponder Stibbons+compatible : 2009-03-12+,​ rincewind, angua, Adora Belle, Weatherwax, Binky, Ponder Stibbons, Hrun, Detritus, Elenor Of Tsort, Frusterick Manners
 depends ​   :  depends ​   : 
 conflicts ​ :  conflicts ​ : 
Line 21: Line 21:
 ===== Description ===== ===== Description =====
  
-This plugin uses [[http://​www-cs-students.stanford.edu/​~tjw/​jsbn/​|Tom Wu's implementation of RSA algorithm in JavaScript]] on the client to encrypt the password with the servers ​public key. The passwords are sent encrypted ​over HTTP. No need for HTTPS. Man-in-the-middle attacks are prevented by using a variable token (salt) added to the password before encrypting. Therefore, replay attacks don't work.+This plugin uses [[http://​www-cs-students.stanford.edu/​~tjw/​jsbn/​|Tom Wu's implementation of RSA algorithm in JavaScript]] on the client to encrypt the login password with the server'​s ​public key. The encrypted ​password is then sent to the server where it can be decrypted. Man-in-the-middle attacks are prevented by using a variable token (salt) added to the password before encrypting. Therefore, replay attacks don't work.
  
-//The download location has changed to https://​github.com/​bagley/​dokuwiki-securelogin/​tarball/master For it to work on WeatherwaxBinkyor Ponder Stibbons you need at least version 2014-04-17.//+When securelogin is used, there is always a //use securelogin// ​checkbox near the password field. If the browser has no JavaScript or JavaScript is disabledthen obviouslythe passwords are sent in clear text, as they are by default with DokuWikiIn this case though, the user //should// notice the absence of the checkbox.
  
-With version 20091213 and + , whenever a password has to be entered, it is automagically encrypted by this plugin, be it on the +----
-//login//, //profile// or //admin// page.+
  
-securelogin version 20091206 and + is compatible with the [[:​plugin:​showlogin|showlogin]] plugin. +Alsowhenever ​a password has to be entered, it is automagically encrypted ​by this pluginbe it on the //login//, //profile// or //admin// page.
- +
-When securelogin is usedthere is always ​//use securelogin//​ checkbox near the password ​field. If the browser ​has no JavaScript or JavaScript ​is disabled, then obviously, the passwords are sent in clear text, as they are by default with DokuWiki. In this case though, the user will notice the absence of the checkbox.+
  
 +securelogin version 20091206 and + is compatible with the [[:​plugin:​showlogin|showlogin]] plugin.
  
 ===== Download and Installation ===== ===== Download and Installation =====
  
-  - Download ​and install the plugin using the [[plugin:plugin|Plugin ​Manager]], please use the download link given above. Refer to [[:​Plugins]] on how to install plugins manually.+  - Search ​and install the plugin using the [[plugin:extension|Extension ​Manager]]. Refer to [[:​Plugins]] on how to install plugins manually. For manual installation,​ please refer to [[:​Plugins]].
   - Go the admin pages and select //​securelogin//​. Then click on the ''​generate-new-key''​ button.   - Go the admin pages and select //​securelogin//​. Then click on the ''​generate-new-key''​ button.
   - You're done. From then on, all passwords are encrypted before being sent.   - You're done. From then on, all passwords are encrypted before being sent.
 +
 +===== How it works =====
 +
 +Normally when you submit your '​MySecretPa$$word',​ you will see it in the data transfer (using wireshark, tcpdump, developer tools, etc):
 +
 +<​code>​
 +id:start
 +do:login
 +u:MyUser
 +p:​MySecretPa$$word
 +</​code>​
 +
 +You can easily see the '​MySecretPa$$word'​ in the above example.
 +
 +But when you use this plugin, it will encrypt the password, which can only be decrypted on the server.
 +
 +<​code>​
 +id:start
 +do:login
 +u:MyUser
 +p:******
 +use_securelogin:​1
 +securelogin:​M66YMHFzjl9qXa96zr2JzDWlV3WTE+4mOgJZNNr3yW9xPzSORtSIjp+ZNczopNUp5N0M0ASiqutgf1nio+iTNj3pS24kHD1LZb6GcG7cFvpr/​uzfxJsO8jAbFD6/​ZkB0xy9vBMabn3BYP7GWLrTR3b/​7zNdla/​FdqjX9U48dHMrcO2/​ZFJKLsdzt84/​bC+3xoV7/​qC/​BZO5AbQ37SvLEC7DaMTMtbSqlF573Y0iOMb3wYe1rj2m/​HQiBM8ro25OBfnUxmgJFMVVkfkLdNUepRjUeeJSXF+R5XDcO2L4uX9D8AOE8nSecRn+0gqwz6PzPPqEpv60y0Io1rZXevG+I9Q==
 +</​code>​
 +
 +The javascript on the page takes the form's password variable `p=MySecretPa$$word`,​ encrypts it with the provided salt (changed on every page load), and sets the result as `securelogin`. It also replaces `p`'s value with stars so it can't submit the password in the clear. ​
 +
 +When the server receives the data, it sees that `use_securelogin` is set to `1` (true), so it knows the password was encrypted. It will decrypt the `securelogin` variable and separate it from the salt value. From this it gets the `p=MySecretPa$$word` value, which it sets so the Dokuwiki authentication routines have it. Dokuwiki can then compare the passwords like it normally does.
 +
 +This same process happens during the add user, modify user, and edit profile options. This is what will be seen if someone views a user changing their password (with this plugin active):
 +
 +<​code>​
 +do:profile
 +fullname:​MyUser
 +email:​user@example.com
 +newpass:​******
 +passchk:​******
 +oldpass:​******
 +use_securelogin:​1
 +securelogin:​mCUIwYbHRgNjmAkr1CHssH8g1ZAgGKIxsFsMZUN1XM703V2g4hB5upzfJeVyE/​aT9ByOYxQChbhRyJezjD7jO4LKwlgBR/​Jnqkr+rUr70MLcoRybM8maTGdAGDM3VweSylqAGOASKb87hKYb0URUFo+yfGaKp572IWCfSZDHLrP1Hrs/​f7EYKXozXpMNHA3l/​VXNm2wGAwvkvnfFgkRZonrdfdUlLDC0OkBpa3WawMqoYb+1/​kcuGsBcAve0Tp+uMQZw8FwHj8SOp9kJLUnEqXrop2pXa3mc9j8NS54CeCbJuJ0qfEhUHIE9/​BHUgbmCPQV6XNWttZbRp8r1Q1dG/​g==
 +</​code>​
 +
 +In this case, all three passwords are encrypted into `securelogin`,​ and the post values replaced with stars.
  
 ===== Changes ===== ===== Changes =====
 +  * **20180217** Thanks to [[https://​github.com/​jaller94|Christian Paul]] for reporting
 +    * Fixed issue where second password was not encrypted on add/modify users
 + 
 +  * **20150928** Thanks to Satoshi Sahara
 +    * compatible with DokuWiki 2015-08-10 "​Detritus"​
 +    * replace deprecated split() function call
 +    * prevent PHP error output
 +    * use PHP5 constructor method for classes
 +    * Improved coding style and added license header in source files
 +
   * **20140923** Thanks to Hideaki Sawada   * **20140923** Thanks to Hideaki Sawada
     * Japanese language files added     * Japanese language files added
  
   * **20140417**   * **20140417**
-    * Changed download link per [[izmmishao5@gmail.com|Mikhail I. Izmestev'​s]] [[http://​github.com/​izmmisha/​dokuwiki-securelogin/​pull/​1|request]]+    * Changed download link per [[izmmishao5@gmail.com|Mikhail I. Izmestev'​s]] [[https://​github.com/​izmmisha/​dokuwiki-securelogin/​pull/​1|request]]
     * Updates to plugin info in admin page, like the website link and more unified info.     * Updates to plugin info in admin page, like the website link and more unified info.
  
Line 75: Line 126:
     * fix problem with URL-rewrite DokuWiki method     * fix problem with URL-rewrite DokuWiki method
     * add French translation     * add French translation
 +
 +For support for these older versions (if you really need outdated software) use https://​github.com/​bagley/​dokuwiki-securelogin/​archive/​c1f0a0e018cedfd29a48ab157098efe480e37049.zip
 +  * 2014-05-05 "​Ponder Stibbons"​
 +  * 2013-12-08 "​Binky"​
 +  * 2013-05-10a Weatherwax
 +  * 2012-10-13 Adora Belle
  
 ===== Comments ===== ===== Comments =====
plugin/securelogin.1411542061.txt.gz · Last modified: 2014-09-24 09:01 by mattfiddles