vedard

joined 1 year ago
 

In this article, I explain how AES encryption works and how the algorithm is implemented.

[–] vedard@infosec.pub 6 points 1 year ago

It was quite nostalgic to do the research while writing this article!

[–] vedard@infosec.pub 3 points 1 year ago (1 children)

You are describing TLS, which is commonly used for websites and web apps.

Try the following command:

openssl s_client -connect infosec.pub:443

The public key, the authority that signed the certificate, and the cypher used will all be visible.

For me, the cipher used is ECDHE-RSA-AES256-GCM-SHA384.

[–] vedard@infosec.pub 4 points 1 year ago (1 children)

Because it provides no advantage. TLS is used to secure any data sent to a server. If you don't trust the server with your password, then you should use a unique password for this website. In fact, you should always use a unique password.

https://www.cloudflare.com/en-ca/learning/ssl/transport-layer-security-tls/

[–] vedard@infosec.pub 3 points 1 year ago (6 children)

Passwords are always sent to the server, then it is hashed to check it against the value in the database. It's also possible to view your password by inspecting login requests from other websites. TLS is used to secure it while in transit.

Hashing is done as an extra measure of security in case the database is compromised. This measure of security would have been completely void if the server would accept password hash directly. You could log in as any user by using his compromised hash.