
Show HN: Password-protect a static HTML page

348 points, by yoble, almost 8 years ago

35 comments

roywiggins, almost 8 years ago
In high school I realized that my school's grading system was using a javascript scheme to control access to grades online:

1. Concatenate the username and password, hash the combination

2. Name the HTML file with the grades using that hash

3. When the user logs in, calculate the hash in Javascript and redirect to that HTML page.

In theory, you can only work out the URL of the page if you have the username and password in hand. I'm sure it was pretty trivially brute-forceable, but aside from that it seemed sort of okay.

Until I realized that directory listings were turned on, and the directory that had all the HTML files sometimes had no index.html, thereby rendering the entire obfuscation scheme moot.

(n.b. I was too ethical to use this to peek at anyone's grades! I did try to report it but it was never clear to whom to report it, and since every teacher generated these files using their own copy of the program, there was no obvious central place to report this to. A couple of years later online grades were centralized into a different system)
fredsted, almost 8 years ago
Encrypted page includes javascript from 2 CDNs, one for jQuery and one for "crypto-js". The jQuery one has an integrity hash, but "crypto-js" does not. Granted, they both use HTTPS...

Doesn't seem very secure to include external JS on an encrypted page.

Why not include those things inline?

And why does it need jQuery for a simple 1-input form field that decrypts a string?!
jszymborski, almost 8 years ago
I remember in ~2005-2009 while I was in high school, javascript password-protection was my main interest, since I only had access to free hosts that hosted static files.

Most of them just focused on obfuscating the password in the source (most by encoding, the fancy ones through some opaque evals), but I came across one during that time that claimed to use AES and even had a not-insignificant cash prize for defeating it.

I really wish I could find that site... would be fun to give a shot at cracking it given what I know now.

Anywho, in my search for that site, I found a pretty good tutorial considering its age (1997!) on implementing DES in javascript to achieve something similar[0].

[0] https://www.javacrypt.com/Course/
devy, almost 8 years ago
I remember 3-4 years ago when I was working with a major Wall Street financial company to integrate with their credit card processing gateway, some of the private and sensitive information (contracts, testing reports etc.) had already been communicated with a similar but proprietary AES-256 based encryption on a static HTML page via email attachments as a way of secure communication. The intended recipients would get an invite to their site to register/login to get the passphrase to unlock the encrypted static HTML doc. This could have been the standard practice in many financial firms these days (when they are not using PGP/GPG encrypted emails)

Edit: redacted the name of the company.
syphilis2, almost 8 years ago
It does not seem to work for me on multiple machines. I just get an incomplete HTML file that ends abruptly after the "border-top" CSS line. There is no closing semicolon to the line, the file just ends in the middle of the style element.

My input doesn't seem to matter, but I used:

<html><body>Hello</body></html>

Password: abcdefg
viggity, almost 8 years ago
I remember very distinctly about 15 years ago there was a site that had a "members only" page that had some reports that I really wanted (names/addresses/emails of the members of the org - I wanted a quick and easy lead list for a product I wanted to sell to them). I could see through a simple view source (remember, no Chrome dev tools back then) that it wasn't some server side check of the password (the members knew it, there was no associated username).

They had found some library that would take a password and a desired output and would generate some super crazy javascript looping/shifting/replacement algorithm that would generate the name of the html page that had the desired content. The report was available openly to the internet, but there were no links to it, just through this algorithm.

I spent about 4-5 hours slowly but surely reverse engineering the algorithm so I could figure out what the page name was. There was an immense sense of satisfaction that came with being able to look at those reports.
shams93, almost 8 years ago
Back in the day we used to use Apache basic authentication for this, that was before single page apps. Now you do have JWT that is explicitly designed to handle things like offline progressive web app logins.
StavrosK, almost 8 years ago
Oooh, this is pretty cool. All that it needs is a CLI utility so I can plug it into my scripts, and I can just tell my static site generator to encrypt specific pages while building.
finchisko, almost 8 years ago
Thank you for the inspiration. I've created a Node.js module to encrypt files. Now wondering if we can make a webpack bundle-loader that will load encrypted chunks. How cool would that be? What do you guys think?
renhoeknl, almost 8 years ago
I did something like this some time ago, to send reports securely to people who'd never heard of PGP.

What I like about my implementation is that it has a tamper-proof clear text message included with the encrypted payload. And everything (images and JS) is inline, so nothing external is needed.

http://ivo.palli.nl/encryption/encryption2.html
bandrami, almost 8 years ago
If only the web server software could do this for you...
examancer, almost 8 years ago
Simple and useful. The perfect "Show HN".
112233, almost 8 years ago
A feeling of saying "what is this familiar thing":

http://www.acme.com/software/securepage/

(2010 or earlier, basically does a similar trick, from the authors of thttpd, mini_httpd and micro_httpd!)
calebm, almost 8 years ago
I wrote a little web app very similar to this last year: https://hypervault.github.io/. The difference is mine was mostly focused on file encryption.
jopsen, almost 8 years ago
That's a fun toy.. and a great example of how easy it is to get crypto wrong. I'm just guessing here, but you are probably missing some key derivation like PBKDF2.

Edit: For this something like tweetnacl is probably more foolproof, check out: https://github.com/dchest/tweetnacl-js

Or libsodium which can also be compiled to pure JS: https://github.com/jedisct1/libsodium.js
johnhenry, almost 8 years ago
Reminds me of this: https://news.ycombinator.com/item?id=10901745

Similar, but uses files instead of HTML text.
tspike, almost 8 years ago
Interesting. What is the use case for this versus HTTP basic auth?
nealrs, almost 8 years ago
Pretty pretty neat. I built something pretty similar (https://devpost.com/software/cryptopostal) to give my address to family & friends during the holidays. Includes a node generator to make your own. Enjoy :)

Video demo: https://youtu.be/zevMEiR2CZY
bluetidepro, almost 8 years ago
This would be neat if you could build a wrapper of this around GitHub Pages. Then you could finally use GitHub Pages sites for private content!

Also, as a non-security person, just how secure is this? Like is it used more for "eh, I don't really want someone to see this, but it's not the end of the world if they do" or more like "yeah, use this for extremely secure content, it's safe."
minhajuddin, almost 8 years ago
I had built something along these lines. Not really encrypting the page, but allowing you to send each other Base64 data: http://cloak.websrvr.in/ . I had built it to circumvent enterprise email servers which don't allow sending binaries. Which is kind of ironic because email sends attachments as Base64.
speps, almost 8 years ago
And no one mentions TiddlyWiki[0]...

[0] http://tiddlywiki.com/
alexbecker, almost 8 years ago
I did something similar to this for redacting HTML pages a while back, although I never fully polished it: https://github.com/alexbecker/redact-js

It's not something I'd use for serious security applications, but fun for interactive fiction.
anilgulecha, almost 8 years ago
This is cool! To really make the overhead tiny, include an in-place implementation of XTEA (under 1KB for decryption).

XTEA is not a military-grade algo (but there's only been a partial attack on reduced rounds). All in all the overhead can come in under 2KB.
chiefalchemist, almost 8 years ago
Not sure, but this might be useful and/or interesting to some HN'ers

https://github.com/ezWebDevTools/ezCryptoJS
conmarap, almost 8 years ago
It's pretty cool. I entertain the idea of doing this and hadn't thought of it ever, but how do you see it being used if I can't use it with a Python/Node.js API to deploy pages on the fly?
sleepychu, almost 8 years ago
Rubber hose encryption would be a neat add here!
ConfucianNardin, almost 8 years ago
This is essentially what encrypted pastebins do (but they usually put the key/password in the URL hash).
Steeeve, almost 8 years ago
That is awesome!

I would love to see it worked out in a way that it would output different content depending on the password.
amenghra, almost 8 years ago
In 2017, one ought to use browsers' native crypto API instead of doing crypto in JS...
skdotdan, almost 8 years ago
Seems very cool, but I don't see the use case. Can anyone help me?
romanovcode, almost 8 years ago
For some reason it doesn't work with password 123
ezekg, almost 8 years ago
Now make a WP plugin and you're set!
Animats, almost 8 years ago
There's basic authentication for protecting static web pages. It's no better or worse than any other password scheme.
cdevs, almost 8 years ago
I could see some other nifty concept coming alive because of this.
snakeanus, almost 8 years ago
From the source code I was unable to deduce what KDF and block mode are used with it. Does anybody know what it uses? crypto-js seems to support multiple different KDFs and block modes.