Meteor uses the Secure Remote Password Protocol (SRP) to authenticate users. The Meteor documentation does not make any further claims regarding the level of security provided, but I was wondering if SRP can provide security without the need for SSL/TLS? The Wikipedia page on SRP states:
... an eavesdropper or man in the middle cannot obtain enough information to be able to brute force guess a password without further interactions with the parties for each guess ...
I admit I know very little about security but I could not find any recommendations regarding its use.
Many thanks
SRP is only for exchanging a password. More accurately, it's purely for giving both ends of communication assurance that they both have possession of the same shared secret, without allowing an eavesdropper or man in the middle a way to guess at the shared secret. That's all it does though: two-way authentication, so if/when (for example) I log into a server, I know the server is really the one I wanted to log into, and it knows that I'm a user with a correct password.
It does not, however, (even attempt to) create an encrypted connection between the parties like SSL/TLS. Although somebody listening in can't gain enough information about the password involved to log in in my place (or imitate a server for others to log into), it does not (by itself) encrypt further communications--unless you do more than just SRP by itself, anybody else will still be able to read all the data passing over the connection.
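An added example (not Meteor's code and not part of the answer above) that walks through one SRP-6a login with both sides' messages. It assumes SHA-256 as the hash, the 1024-bit group from RFC 5054 Appendix A, and its own function names (`register`, `run_login`, `leaks`). It checks the three claims made in the answer: both sides end up with the same session key K only when the client knows the password, the server's M2 proves to the client that it holds the real verifier, and the transcript an eavesdropper records contains neither the password nor the stored verifier. Note that the derived K is never used to encrypt anything here; whatever application data the two sides exchange after M2 still goes over the link in the clear unless the application does that work itself.

```python
"""SRP-6a round trip with SHA-256 and the RFC 5054 1024-bit group.
Example code only: names and hash choice are this example's own, not Meteor's."""
import hashlib
import hmac
import secrets

# RFC 5054 Appendix A 1024-bit group with generator 2 (transcribed here; the
# SRP identities hold for any modulus, only the security margin depends on it).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def pad(x: int) -> bytes:
    """RFC 5054 PAD(): big-endian, left-padded to the byte length of N."""
    return x.to_bytes(NLEN, "big")


k = int.from_bytes(sha(pad(N), pad(g)), "big")  # SRP-6a multiplier


def private_key_x(salt: bytes, identity: bytes, password: bytes) -> int:
    return int.from_bytes(sha(salt, sha(identity, b":", password)), "big")


def register(identity: bytes, password: bytes):
    """Enrolment. The server stores only (identity, salt, verifier v);
    the password itself never leaves the client, at enrolment or at login."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key_x(salt, identity, password), N)


def client_proof(identity: bytes, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    hxor = bytes(x ^ y for x, y in zip(sha(pad(N)), sha(pad(g))))
    return sha(hxor, sha(identity), salt, pad(A), pad(B), K)


def run_login(identity: bytes, password: bytes, salt: bytes, v: int):
    """One SRP-6a login against a server holding (salt, v). Returns
    (server_accepts, client_accepts, wire transcript, K_client, K_server)."""
    wire = []  # everything an eavesdropper on the link gets to see

    # 1. client -> server: I, A = g^a
    a = int.from_bytes(secrets.token_bytes(32), "big")
    A = pow(g, a, N)
    wire += [("client", "I", identity), ("client", "A", pad(A))]

    # 2. server -> client: s, B = k*v + g^b
    if A % N == 0:
        raise ValueError("client sent an illegal ephemeral A")
    b = int.from_bytes(secrets.token_bytes(32), "big")
    B = (k * v + pow(g, b, N)) % N
    wire += [("server", "s", salt), ("server", "B", pad(B))]

    # Both sides: u = H(A | B), then each side's own route to S and K = H(S)
    if B % N == 0:
        raise ValueError("server sent an illegal ephemeral B")
    u = int.from_bytes(sha(pad(A), pad(B)), "big")
    if u == 0:
        raise ValueError("u == 0, abort")
    x = private_key_x(salt, identity, password)                   # client only
    K_client = sha(pad(pow((B - k * pow(g, x, N)) % N, a + u * x, N)))
    K_server = sha(pad(pow((A * pow(v, u, N)) % N, b, N)))         # server only

    # 3. client -> server: M1 proves the client derived K (i.e. knew the password)
    M1 = client_proof(identity, salt, A, B, K_client)
    wire.append(("client", "M1", M1))
    server_accepts = hmac.compare_digest(M1, client_proof(identity, salt, A, B, K_server))
    if not server_accepts:
        return False, False, wire, None, None   # server stops here, sends no M2

    # 4. server -> client: M2 proves the server held v (so it is the real server)
    M2 = sha(pad(A), M1, K_server)
    wire.append(("server", "M2", M2))
    client_accepts = hmac.compare_digest(M2, sha(pad(A), M1, K_client))
    return server_accepts, client_accepts, wire, K_client, K_server


def leaks(wire, secret: bytes) -> bool:
    """Does the captured transcript contain the given secret verbatim?"""
    return any(secret in value for _, _, value in wire)


if __name__ == "__main__":
    I, P = b"alice", b"correct horse battery staple"   # constructed sample user
    s, v = register(I, P)
    ok_s, ok_c, wire, Kc, Ks = run_login(I, P, s, v)
    print("server accepted:", ok_s, "client accepted:", ok_c, "keys equal:", Kc == Ks)
    print("password on the wire:", leaks(wire, P), "verifier on the wire:", leaks(wire, pad(v)))
    print("wrong password accepted:", run_login(I, b"wrong", s, v)[0])
```

The transcript is exactly I, A, s, B, M1, M2; an eavesdropper holding all six still needs either `a` or `b` to compute S, which is why a captured login does not give an offline guessing target. The session key K both sides end up with is what a real deployment would have to feed into an authenticated-encryption layer (or, more simply, run the whole thing over TLS), because nothing in the exchange above protects later traffic.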