
Ralsina.Me — Roberto Alsina's website

The Password Is Password (follow the link to see what I mean)

I think this is a first in the world of static site generators :-)

Now Nikola supports password-protected pages. How does it work?

If you add a password metadata field, then it will "Just Work". Like this:

I think this is a first in the world of static site generators :-) And the result is what you are seeing now.

How is it implemented? Nikola will encrypt the content using RC4, then wrap it in a <div>, and tack a form at the end that triggers Javascript code to decrypt it, and show it.

Is it secure? Well, I am not a cryptographer, so assume no. Specifically, while RC4 is considered secure, I am not discarding the beginning of the keystream, and the implementations I am using are not audited.

So, don't use this for anything that could get you in trouble. Have fun!

UPDATE: Remember when I asked "Is it secure?" well, really, no it's not. It's not stupid in the sense that decoding what's written in the post will require at least a modicum of effort by whoever is so interested in reading what you are posting in your site, but people with crypto chops will crack it like a WEP-secured AP, mmmmkay? It's also stupidly easy to bruteforce this, so be smart about passwords.

OTOH, it's more secure than HTTP simple auth, since you can't sniff it (not that simple auth is secure) and it can hide a piece of the page, which using server-based auth can't.

I may do a more secure version eventually, but this is not it. Therefore, use for fun stuff, not to hide important/illegal stuff.
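The trade-offs described above, as an added example that is not Nikola's code: textbook RC4 (with an optional keystream drop, RC4-drop[n]) returns output for any password, while a PBKDF2-stretched AES-256-GCM envelope rejects a wrong password and makes each guess slower. The function names, iteration count and sample post are assumptions made for this illustration.

```javascript
// Added example; all sample values are constructed, names are hypothetical.
const crypto = require("node:crypto");

// Textbook RC4. `drop` discards the first keystream bytes (RC4-drop[n]).
function rc4(key, data, drop = 0) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 255;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = Buffer.alloc(data.length);
  for (let n = -drop, i = 0, j = 0; n < data.length; n++) {
    i = (i + 1) & 255;
    j = (j + S[i]) & 255;
    [S[i], S[j]] = [S[j], S[i]];
    if (n >= 0) out[n] = data[n] ^ S[(S[i] + S[j]) & 255];
  }
  return out;
}

// Hardened: PBKDF2 slows each password guess; AES-256-GCM authenticates.
const ITERATIONS = 200000; // assumed work factor
function seal(password, plaintext) {
  const salt = crypto.randomBytes(16), iv = crypto.randomBytes(12);
  const key = crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { salt, iv, body, tag: c.getAuthTag() };
}

// Returns the plaintext, or null if the password or ciphertext is wrong.
function unseal(password, { salt, iv, body, tag }) {
  const key = crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  try {
    return Buffer.concat([d.update(body), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

const post = "<p>constructed sample post body</p>";
const blob = rc4(Buffer.from("password"), Buffer.from(post));
// Wrong password: RC4 still "succeeds", returning same-length garbage.
console.log(rc4(Buffer.from("letmein"), blob).toString("latin1"));
// Wrong password: the GCM tag check fails, so the page can say so.
console.log(unseal("letmein", seal("password", post)));
```

Because the authenticated version reports failure explicitly, a page built this way can show a "wrong password" message and keep the form available for a retry.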

Chris Warrick / 2013-03-26 16:44:

It would be great to have <input type="password"> and a button to get to the contents.

Roberto Alsina / 2013-03-26 16:45:

Good idea about it being of type password :-)

I had a button but it looked like garbage, so I removed it.

Chris Warrick / 2013-03-26 16:48:

Like garbage? What do you mean? Bootstrap has very nice and pretty buttons. Do you mean the button being lower than the inputbox? It’s fixable, see the docs.

PS. I would love to see an ability to retry without refreshing. Double post brought to you by DISQUS going apeshit.

Roberto Alsina / 2013-03-26 16:50:

Yes, the misalignment. I'll try reading the docs (boring! ;-)

It's just a matter of not hiding the form's div, but then it will be visible even if you decrypt successfully.

Chris Warrick / 2013-03-26 16:53:

…or just throw a “Retry” button somewhere. Solution for the alignment problem is here: ← either “Buttons instead of text” or “Inline form”.

Roberto Alsina / 2013-03-26 17:13:

How about now?

Chris Warrick / 2013-03-26 17:24:

pretty. now, if you added a “wrong password” alert, it would be even better.

Roberto Alsina / 2013-03-26 17:29:

Your wish is my command. Done!

Chris Warrick / 2013-03-26 17:30:

Oh. I meant a Bootstrap alert. Doesn’t matter, but I learned that JS alerts are broken in the last of Chrome dev for Windows.

Guest / 2013-03-26 16:45:

1. <input type="password">, please.
2. A button would be nice.
3. Same goes for an ability to retry without refreshing.

Roberto Alsina / 2013-03-26 16:49:

Changed it to type password right now :-)

Yes, a button would be nice, I just suck at HTML and it looked bad.

About that... it's tricky because rc4 decryption always succeeds, so to do that I would have to leave the form visible even if it succeeds, so it's a tradeoff.

Roberto Alsina / 2013-03-26 17:14:

What do you think of how it looks now?