
As a rule, most security advice on Stack Overflow is dangerously wrong. It's just not a good topic for the site, because consensus is often wrong on such complicated questions.

I don't see anything obviously wrong with this particular article (aside from challenge response or SSL choice - one should just always use SSL, and if you can't, then seek professional advice), however I am still apprehensive of the hive mind.

There was some information in there about SRP being patented that I thought was misleading. It is patented, but it's freely licensed.

The main problem with SRP being mentioned at all is that it has no meaningful security value in a web application context. It makes sense when the client does not entirely trust the server, which makes no sense when you deliver the client as a bunch of .js files from the same "untrusted" server.

Very true, however, most users are willing to download such things as native programs (e.g. installing web browsers) from unauthenticated sources over unencrypted connections. If you are in a position to inject .js resources, then the user's security would be compromised anyway.

EDIT: SRP is going to be integrated into TLS soon anyway, so we might as well hold our breath for that.
