Thinbus PHP is now on Packagist providing zero-knowledge password-proofs

I finally got around to releasing Thinbus PHP onto Packagist. The PHP demo app is also released there to show how to use the library. The JavaScript in that repo lets a browser register with, and log in to, the PHP server; it is the same JavaScript that is shared with the Thinbus Java version. Next up will be a demo app for the Thinbus Node version. Now there are fewer excuses for transmitting a password to the server to be checked.

The Secure Remote Password Protocol

The recent Heartbleed debacle reminded me of a project a decade ago where the version of WebLogic was upgraded but the script failed to deploy the matching version of the Apache plugin. Fortunately we had contracted a pen test firm, who threw a load of custom Perl script attacks at the site before we let the public in. They found that the error responses being thrown back to the attack scripts were just like Heartbleed: raw chunks of memory containing whatever was passing through the web server after it had been decrypted.