Hi 
I am studying computer science, and while trying to figure out why osu kept disconnecting from bancho, I stumbled upon this.
Problem Details:
Bancho uses the unsalted md5 sum of passwords over insecure http when connecting to bancho. A middle man can get the salts of osu users and crack them to obtain passords. Unfortunately, the only worse thing possible is to send them in clear text
I think there are two things that can be done to this:
- Migrate osu to https
- Use something better, like sha512-crypt
Here is the URL that the client uses (for the curious):
http://osu.ppy.sh/web/bancho_connect.ph ... 50414.2&u=<user>&h=<md5 of password>&fx=&mx=cbodio
osu! version: 20150414.2 (latest)
(Yay, it's my first post!)
I am studying computer science, and while trying to figure out why osu kept disconnecting from bancho, I stumbled upon this.Problem Details:
Bancho uses the unsalted md5 sum of passwords over insecure http when connecting to bancho. A middle man can get the salts of osu users and crack them to obtain passords. Unfortunately, the only worse thing possible is to send them in clear text
I think there are two things that can be done to this:
- Migrate osu to https
- Use something better, like sha512-crypt
Here is the URL that the client uses (for the curious):
http://osu.ppy.sh/web/bancho_connect.ph ... 50414.2&u=<user>&h=<md5 of password>&fx=&mx=cbodio
osu! version: 20150414.2 (latest)
(Yay, it's my first post!)
