Skip to main content

Ralsina.Me — Roberto Alsina's website

The Password Is Password (follow the link to see what I mean)

I think this is a first in the world of stat­ic site gen­er­a­tors :-)

Now Niko­la sup­ports pass­word-pro­tect­ed pages. How does it work?

If you add a pass­word meta­da­ta field, then it will "Just Work". Like this:

I think this is a first in the world of stat­ic site gen­er­a­tors :-) And the re­sult is what you are see­ing now.

How is it im­ple­ment­ed? Niko­la will en­crypt the con­tent us­ing RC4, then wrap it in a <di­v>, and tack a form at the end that trig­gers Javascript code to de­crypt it, and show it.

Is it se­cure? Well, I am not a cryp­tog­ra­pher, so as­sume no. Specif­i­cal­ly, while RC4 is con­sid­ered se­cure, I am not dis­card­ing the be­gin­ning of they keystream, and the im­ple­men­ta­tions I am us­ing are not au­dit­ed.

So, don't use this for any­thing that could get you in trou­ble. Have fun!

UP­DATE Re­mem­ber when I asked "Is it se­cure?" well, re­al­ly, no it's not. It's not stupid in the sense that de­cod­ing what's writ­ten in the post will re­quire at least a mod­icum of ef­fort by who­ev­er is so in­ter­est­ed in read­ing what you are post­ing in your site, but peo­ple with cryp­to chops will crack it like a WEP-se­cured AP, mm­mmkay? It's al­so stupid­ly easy to brute­force this, so be smart about pass­word­s.

OTO­H, it's more se­cure than HTTP sim­ple au­th, since you can't sniff it (not that sim­ple auth is se­cure) and it can hide a piece of the page, which us­ing server-based auth can't.

I may do a more se­cure ver­sion even­tu­al­ly, but this is not it. There­fore, use for fun stuff, not to hide im­por­tan­t/il­le­gal stuff.


Comments powered by Disqus