Validity of SHA1 summing passwords with Javascript in forms - acli/ATutor GitHub Wiki

Although the official documentation claims that ATutor will “function effectively in older, or text only browsers”, this is in fact untrue. The current version of ATutor does not function at all in text-only browsers.

The cause of this breakage is its dependence on sha-1factory.js in its login screens, in an attempt to add a level of security to unencrypted logins. Because of the way the Javascript is written, text browsers such as Akinori Ito’s excellent browser w3m cannot access the hashed password fields in the HTML form. The result is that text-browser users are shut out of ATutor even though there is no technical reason why they should be. (Real attackers, of course, use scripts and therefore have access to the hashed fields, which means this so-called security measure only inconveniences legitimate users and is not really capable of preventing attacks.)

In addition, step 3 of the installation process also uses this Javascript hackery, which is entirely unjustified: the mysql password in step 2 is arguably even more sensitive, and no Javascript hackery was used there. At the installation stage the system is also assumed to be physically secure, so there is no reason at all to depend on Javascript for the installation process.

The underlying assumption behind the use of Javascript is that HTTP is insecure, but this ignores the existence of encrypted ssh logins, encrypted VPN networks, and the use of unencrypted HTTP over the local loopback interface. The result is a design that does not prevent real attacks but does prevent the user (very likely a knowledgeable system administrator) from using ATutor in a way that suits their requirements. To put it bluntly, this “feature” is not inclusively designed.
