2013-03-26 12:34

The Password Is Password (follow the link to see what I mean)

I think this is a first in the world of static site generators :-)

Now Nikola supports password-protected pages. How does it work?

If you add a password metadata field, then it will "Just Work". Like this:

I think this is a first in the world of static site generators :-) And the result is what you are seeing now.

How is it implemented? Nikola will encrypt the content using RC4, then wrap it in a <div>, and tack a form at the end that triggers JavaScript code to decrypt it and show it.

Is it secure? Well, I am not a cryptographer, so assume no. Specifically, while RC4 is considered secure, I am not discarding the beginning of the keystream, and the implementations I am using are not audited.
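What "discarding the beginning of the keystream" means, as an added example (not Nikola's code and not part of the original post): textbook RC4 in Python with an optional `drop` parameter. The function names, the sample password and page, and the drop count of 768 are assumptions for illustration.

```python
# Added illustration (not Nikola's code): textbook RC4 with an optional
# "drop" of the first keystream bytes, the step the post says it skips.

def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Return `length` keystream bytes, discarding the first `drop` bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm (KSA): permute S under control of the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): one keystream byte per step.
    out = bytearray()
    i = j = 0
    for n in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if n >= drop:  # bytes before `drop` are generated but thrown away
            out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    password = b"password"                  # constructed sample values
    page = b"<p>Hidden part of the page</p>"
    plain_rc4 = rc4_crypt(password, page)          # no bytes discarded
    dropped = rc4_crypt(password, page, drop=768)  # RC4-drop variant
    print("drop=0  :", plain_rc4.hex())
    print("drop=768:", dropped.hex())
    # Both sides must agree on the drop count for decryption to work.
    assert rc4_crypt(password, dropped, drop=768) == page
```

Dropping bytes only changes where in the keystream encryption starts. It does nothing about how quickly a weak password can be guessed.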

So, don't use this for anything that could get you in trouble. Have fun!

UPDATE: Remember when I asked "Is it secure?" Well, really, no, it's not. It's not stupid, in the sense that decoding what's written in the post will require at least a modicum of effort by whoever is so interested in reading what you are posting on your site, but people with crypto chops will crack it like a WEP-secured AP, mmmmkay? It's also stupidly easy to brute-force this, so be smart about passwords.

OTOH, it's more secure than HTTP simple auth, since you can't sniff it (not that simple auth is secure) and it can hide a piece of the page, which server-based auth can't.

I may do a more secure version eventually, but this is not it. Therefore, use for fun stuff, not to hide important/illegal stuff.



Contents © 2000-2019 Roberto Alsina