Name: Anonymous 2018-05-31 18:51
ITT we discuss web security.
> but that has some usability-related caveats too.
The only caveat is that some sites do not let the Firefox password manager work correctly because they think that they are smart or some shit.
> most places on the internet and even on the corporate intranets don't use pubkey though
They should then. We should make password authentication as insecure and painful as possible so they end up forced to use pk authentication.
> how many things accessible through a browser have that option?
Until very recently client-side certificates in TLS leaked shit like username and other stuff. I suggest we purge TLS once we make the move to client side public keys.
> scrypt, bcrypt, argon2
All except scrypt and pbkdf2 are cancerous shitware, the mainstream argon2 implementation does not even follow their own standard and ends up with a different result. Not to mention that there are outstanding security issues with it for years that were ignored by its creators. Not to also mention that it uses BLAKE2 which is yet another Zooko scamware and downgrade from BLAKE or SHA-3 and other Keccak/sponge based constructions.