Although the random number generation and word selection are happening only on the client side, you should still be serving all of your content over HTTPS for a security tool like this. This would help ensure that your content is safe from MITM and other attacks. You should redirect all HTTP users to the HTTPS version.
E.g., what if Eve, an attacker, decided to inject different word list contents to certain users by a simple manipulation of the word list JS files? This would allow her to bias, or even choose, which possible passphrases you could generate.
You should look at using:
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://en.wikipedia.org/wiki/Content_Security_Policy
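The front-end behaviour the issue asks for, as an added example that is not code from the project or from the reporter: a Node.js request handler that answers every plain-HTTP request with a 301 to the HTTPS origin, and a wrapper that attaches HSTS and CSP headers to every HTTPS response so a tampered word-list script from another origin is refused by the browser. The host name `passphrase.example`, the CSP value and the `fakeResponse` helper are assumptions chosen for illustration; the handlers take the `req`/`res` shape of Node's `http` module and can be passed straight to `http.createServer`.

```javascript
// Added example, not the project's own code.
// Hypothetical canonical host; the real site name goes here.
const CANONICAL_HOST = "passphrase.example";

// Headers every HTTPS response should carry.
// Strict-Transport-Security: browsers remember to use HTTPS for a year,
// so a later http:// link cannot be downgraded by an on-path attacker.
// Content-Security-Policy: only scripts from this origin may execute, so an
// injected word-list file hosted elsewhere is blocked by the browser.
function securityHeaders() {
  return {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Build the HTTPS URL a plain-HTTP request is sent to. The Host header is
// attacker-controlled, so it is only honoured when it matches the canonical
// host; anything else (including a port suffix) falls back to the canonical
// name, which keeps the redirect from becoming an open redirect.
function httpsRedirectLocation(hostHeader, path) {
  const host = String(hostHeader || "").split(":")[0].toLowerCase();
  const target = host === CANONICAL_HOST ? host : CANONICAL_HOST;
  const safePath = typeof path === "string" && path.startsWith("/") ? path : "/";
  return `https://${target}${safePath}`;
}

// Handler for the plain-HTTP listener: redirect, never serve content.
function redirectHandler(req, res) {
  res.writeHead(301, {
    Location: httpsRedirectLocation(req.headers.host, req.url),
  });
  res.end();
}

// Wrap the real application handler for the HTTPS listener so that the
// security headers are set before the application writes its response.
function withSecurityHeaders(handler) {
  return (req, res) => {
    for (const [name, value] of Object.entries(securityHeaders())) {
      res.setHeader(name, value);
    }
    return handler(req, res);
  };
}

// Minimal stand-in for http.ServerResponse (constructed for offline use),
// recording status and headers so the handlers can be exercised without
// opening a socket.
function fakeResponse() {
  return {
    status: 0,
    headers: {},
    ended: false,
    setHeader(name, value) {
      this.headers[name] = value;
    },
    writeHead(status, headers) {
      this.status = status;
      Object.assign(this.headers, headers || {});
    },
    end() {
      this.ended = true;
    },
  };
}
```

In production the two handlers sit on separate listeners: `http.createServer(redirectHandler)` on port 80 and `https.createServer({ key, cert }, withSecurityHeaders(app))` on port 443. The HSTS header only takes effect once a browser has received it over HTTPS, which is why the redirect and the header together are needed rather than either alone.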