DokuWiki

It's better when it's simple

User Tools

Site Tools

Trace:
plugin:securelogin

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
plugin:securelogin [2018-02-17 10:15] – bump version mattfiddlesplugin:securelogin [2023-10-30 23:29] (current) Klap-in
Line 2: Line 2:
  
 ---- plugin ---- ---- plugin ----
-description: This plugin let you login securely without HTTPS+description: Not Maintained. This plugin encrypts submitted passwords, giving you and your users an extra layer of security
-author     : Mikhail I. Izmestev, Matt Bagley +author     : Mikhail I. Izmestev
-email      : securelogin@mattfiddles.com+
 type       : admin, action type       : admin, action
-lastupdate : 2018-02-17 +lastupdate : 2020-05-27 
-compatible : 2009-03-12+, rincewindangua, Adora Belle, Weatherwax, Binky, Ponder Stibbons, Hrun, Detritus, Elenor Of Tsort, Frusterick Manners+compatible : RincewindAngua, Adora Belle, Weatherwax, Binky, Ponder Stibbons, Hrun, Detritus, Elenor of Tsort, Frusterick Manners, Greebo
 depends    :  depends    : 
 conflicts  conflicts 
Line 13: Line 12:
 tags       : authentication, security, javascript tags       : authentication, security, javascript
  
-downloadurl: https://github.com/bagley/dokuwiki-securelogin/tarball/master +downloadurl: https://github.com/dokuwiki-securelogin-archive/dokuwiki-securelogin/tarball/master 
-bugtracker : https://github.com/bagley/dokuwiki-securelogin/issues +bugtracker 
-sourcerepo : https://github.com/bagley/dokuwiki-securelogin/+sourcerepo : https://github.com/dokuwiki-securelogin-archive/dokuwiki-securelogin/
 donationurl:  donationurl: 
 ---- ----
Line 21: Line 20:
 ===== Description ===== ===== Description =====
  
-This plugin uses [[http://www-cs-students.stanford.edu/~tjw/jsbn/|Tom Wu's implementation of RSA algorithm in JavaScript]] on the client to encrypt the password with the servers public key. The passwords are sent encrypted over HTTP. No need for HTTPS. Man-in-the-middle attacks are prevented by using a variable token (salt) added to the password before encrypting. Therefore, replay attacks don't work.+**Not Maintained**
  
-When securelogin is used, there is always a //use securelogin// checkbox near the password fieldIf the browser has no JavaScript or JavaScript is disabled, then obviously, the passwords are sent in clear text, as they are by default with DokuWikiIn this case thoughthe user //should// notice the absence of the checkbox.+This plugin uses [[http://www-cs-students.stanford.edu/~tjw/jsbn/|Tom Wu's implementation of RSA algorithm in JavaScript]] on the client to encrypt the login password with the server's public keyThe encrypted password is then sent to the server where it can be decrypted. Man-in-the-middle attacks are prevented by using a variable token (salt) added to the password before encryptingThereforereplay attacks don't work.
  
-----+When securelogin is used, there is always a "use securelogin" checkbox near the password field. If the browser has no JavaScript or JavaScript is disabled, then obviously, the passwords are sent in clear text, as they are by default with DokuWiki. In this case though, the user //should// notice the absence of the checkbox.
  
 Also, whenever a password has to be entered, it is automagically encrypted by this plugin, be it on the //login//, //profile// or //admin// page. Also, whenever a password has to be entered, it is automagically encrypted by this plugin, be it on the //login//, //profile// or //admin// page.
  
-securelogin version 20091206 and + is compatible with the [[:plugin:showlogin|showlogin]] plugin.+In short, it takes your password:
  
 +<code>
 +p:MySecretPa$$word
 +</code>
  
-===== Download and Installation =====+And instead has the login/profile/admin page submit the password as:
  
-  - Download and install the plugin using the [[plugin:plugin|Plugin Manager]], please use the download link given aboveRefer to [[:Plugins]] on how to install plugins manually+<code> 
-  - Go the admin pages and select //securelogin//Then click on the ''generate-new-key'' button. +securelogin:M66YMHFzjl9qXa96zr2JzDWlV3WTE+4mOgJZNNr3yW9xPzSORtSIjp+ZNczopNUp5N0M0ASiqutgf1nio+iTN.... 
-  - You're done. From then on, all passwords are encrypted before being sent.+</code> 
 + 
 +==== Not Maintained ==== 
 + 
 +While it still works with the listed versions, it's **not actively maintained**. Sometimes people help out here or in the forums, but be aware that no one is maintaining it. Adopters welcome. 
 + 
 +Attacks against RSA have become easier. This plugin uses RSA and needs to be rewritten to use a different library/encryption mechanism. As it is, it may be vulnerable to certain targeted man-in-the-middle attacks. Though it appears that those attacks may still be fairly expensive against a regular wiki site. If in doubt, see the next section. 
 + 
 +==== Use HTTPS, CORS, etc ==== 
 + 
 +This plugin was made when HTTPS was pricey (for a wiki), but we still wanted as much security as we could get. Now that one can easily have HTTPS, CORS, [[https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity|Subresource Integrity]], etc, it's not as relevant. Consider it as just a possible extra layer of security. Your first priority should always be a good server setup with the latest in securityI've left this here for those that want it. 
 + 
 +Because good security is like a onion. You want a lot of layers in order keep things protected even *when* some layers fail. 
 + 
 +==== Issue with CAPTCHA Plugin Login ==== 
 + 
 +If the [[plugin:captcha|CAPTCHA plugin]] is enabled on the login page with this plugin, the CAPTCHA will not be processed. ie, the user can enter whatever for the CAPTCHA prompt and the login will be processed like normal. So Bots can attempt to login and ignore the CAPTCHA. 
 + 
 +A wrong password will still fail. And Securelogin will still encrypt the password. The login will just act as if CAPTCHA is not installed. The CAPTCHA plugin should still work elsewhere on the site. 
 + 
 +===== Installation and Setup ===== 
 + 
 +  - Search for and install the plugin using the [[[plugin:extension|Extension Manager]]
 +  - Once installed, go the Admin page and select "Secure login configuration". 
 +  Under "Generate new key pair", click the "Generate" button. 
 +  - Click the "Test" button to verify your setup. If all is working, a bubble will appear containing whatever was in the "Test Message" box. 
 + 
 +You're done. From then on, all passwords are encrypted before being sent. 
 + 
 +To manually install the plugin, please see the [[:plugin_installation_instructions|Plugin Installation Instructions]]. Then follow the last three steps above. 
 + 
 +===== How it works ===== 
 + 
 +Normally when you submit your 'MySecretPa$$word', you will see it in the data transfer (using wireshark, tcpdump, developer tools, etc): 
 + 
 +<code> 
 +id:start 
 +do:login 
 +u:MyUser 
 +p:MySecretPa$$word 
 +</code> 
 + 
 +You can easily see the 'MySecretPa$$word' in the above example. 
 + 
 +But when you use this plugin, it will encrypt the password, which can only be decrypted on the server. 
 + 
 +<code> 
 +id:start 
 +do:login 
 +u:MyUser 
 +p:****** 
 +use_securelogin:
 +securelogin:M66YMHFzjl9qXa96zr2JzDWlV3WTE+4mOgJZNNr3yW9xPzSORtSIjp+ZNczopNUp5N0M0ASiqutgf1nio+iTNj3pS24kHD1LZb6GcG7cFvpr/uzfxJsO8jAbFD6/ZkB0xy9vBMabn3BYP7GWLrTR3b/7zNdla/FdqjX9U48dHMrcO2/ZFJKLsdzt84/bC+3xoV7/qC/BZO5AbQ37SvLEC7DaMTMtbSqlF573Y0iOMb3wYe1rj2m/HQiBM8ro25OBfnUxmgJFMVVkfkLdNUepRjUeeJSXF+R5XDcO2L4uX9D8AOE8nSecRn+0gqwz6PzPPqEpv60y0Io1rZXevG+I9Q== 
 +</code> 
 + 
 +The javascript on the page takes the form's password variable `p=MySecretPa$$word`, encrypts it with the provided salt (changed on every page load), and sets the result as `securelogin`. It also replaces `p`'s value with stars so it can't submit the password in the clear.  
 + 
 +When the server receives the data, it sees that `use_securelogin` is set to `1` (true), so it knows the password was encrypted. It will decrypt the `securelogin` variable and separate it from the salt value. From this it gets the `p=MySecretPa$$word` value, which it sets so the Dokuwiki authentication routines have it. Dokuwiki can then compare the passwords like it normally does. 
 + 
 +This same process happens during the add user, modify user, and edit profile options. This is what will be seen if someone views a user changing their password (with this plugin active): 
 + 
 +<code> 
 +do:profile 
 +fullname:MyUser 
 +email:user@example.com 
 +newpass:****** 
 +passchk:****** 
 +oldpass:****** 
 +use_securelogin:
 +securelogin:mCUIwYbHRgNjmAkr1CHssH8g1ZAgGKIxsFsMZUN1XM703V2g4hB5upzfJeVyE/aT9ByOYxQChbhRyJezjD7jO4LKwlgBR/Jnqkr+rUr70MLcoRybM8maTGdAGDM3VweSylqAGOASKb87hKYb0URUFo+yfGaKp572IWCfSZDHLrP1Hrs/f7EYKXozXpMNHA3l/VXNm2wGAwvkvnfFgkRZonrdfdUlLDC0OkBpa3WawMqoYb+1/kcuGsBcAve0Tp+uMQZw8FwHj8SOp9kJLUnEqXrop2pXa3mc9j8NS54CeCbJuJ0qfEhUHIE9/BHUgbmCPQV6XNWttZbRp8r1Q1dG/g== 
 +</code> 
 + 
 +In this case, all three passwords are encrypted into `securelogin`, and the post values replaced with stars. 
 + 
 +===== Changlog ===== 
 +  * **20200527** 
 +    * Updated url to archived location of repo. 
 + 
 +  * * **20200418** 
 +    * Quoted array keys for php 7.2
  
-===== Changes ===== 
   * **20180217** Thanks to [[https://github.com/jaller94|Christian Paul]] for reporting   * **20180217** Thanks to [[https://github.com/jaller94|Christian Paul]] for reporting
     * Fixed issue where second password was not encrypted on add/modify users     * Fixed issue where second password was not encrypted on add/modify users
Line 49: Line 129:
     * Improved coding style and added license header in source files     * Improved coding style and added license header in source files
  
-  * **20140923** Thanks to Hideaki Sawada+  * **20140923** Thanks to [[https://github.com/sawachan|Hideaki SAWADA]]
     * Japanese language files added     * Japanese language files added
  
   * **20140417**   * **20140417**
-    * Changed download link per [[izmmishao5@gmail.com|Mikhail I. Izmestev's]] [[https://github.com/izmmisha/dokuwiki-securelogin/pull/1|request]]+    * Changed download link per Mikhail I. Izmestev's [[https://github.com/izmmisha/dokuwiki-securelogin/pull/1|request]]
     * Updates to plugin info in admin page, like the website link and more unified info.     * Updates to plugin info in admin page, like the website link and more unified info.
  
Line 68: Line 148:
     * added plugin.info.txt     * added plugin.info.txt
  
-  * **20101101** Thanks to [[Christophe.Martin@gmx.com|Christophe Martin]]+  * **20101101** Thanks to Christophe Martin
     * fix bug with some chars in passwords     * fix bug with some chars in passwords
  
Line 74: Line 154:
     * add support of usermanager plugin     * add support of usermanager plugin
  
-  * **20091206** Thanks to [[Christophe.Martin@gmx.com|Christophe Martin]]+  * **20091206** Thanks to Christophe Martin
     * fix unclosed %%<div id="secure__login">%%     * fix unclosed %%<div id="secure__login">%%
     * add showlogin compat     * add showlogin compat
  
-  * **20090901** Thanks to [[hanaj1@fel.cvut.cz|Jan Hána]]+  * **20090901** Thanks to Jan Hána
     * add Czech translation     * add Czech translation
  
-  * **20090802** Thanks to [[Christophe.Martin@gmx.com|Christophe Martin]]+  * **20090802** Thanks to Christophe Martin
     * fix problem with URL-rewrite DokuWiki method     * fix problem with URL-rewrite DokuWiki method
     * add French translation     * add French translation
- 
-For support for these older versions (if you really need outdated software) use https://github.com/bagley/dokuwiki-securelogin/archive/c1f0a0e018cedfd29a48ab157098efe480e37049.zip 
-  * 2014-05-05 "Ponder Stibbons" 
-  * 2013-12-08 "Binky" 
-  * 2013-05-10a Weatherwax 
-  * 2012-10-13 Adora Belle 
  
 ===== Comments ===== ===== Comments =====
plugin/securelogin.1518858930.txt.gz · Last modified: 2018-02-17 10:15 by mattfiddles
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki

Global DokuWiki Links