how to properly secure non-ssl logins (php + ajax)

Alexander Klimov alserkli at inbox.ru
Tue Feb 17 05:06:49 EST 2009


On Sun, 15 Feb 2009, Rene Veerman wrote:
> Recently, on both the jQuery(.com) and PHP mailinglists, a question has
> arisen on how to properly secure a login form for a non-ssl web-application.
> But the replies have been "get ssl".. :(

Unfortunately, they are right: get SSL.

> If you have a completely alternative way of securing a non-ssl login
> form, I'd like to hear about it too.

I suspect what you have coded is a reinvention of RFC 2617
(implemented, e.g., by mod_auth_digest in Apache).

Depending on your threat model, this can be all you need
(plaintext password is not transmitted, but this does not prevent
local dictionary attacks), but any such scheme fails miserably
against active attacks.

-- 
Regards,
ASK
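The two limits named above (offline dictionary attack by a passive sniffer, and outright failure against an active attacker) are easy to see in code. The following is an added example, not code from the original post or from mod_auth_digest: a simplified RFC 2617 Digest exchange (MD5 with no qop/cnonce), a one-shot-nonce server, a wordlist attack run over one captured exchange, and a relay in which the attacker obtains the server's challenge, has the victim answer it, and forwards the answer. The realm, user, password, wordlist and all function names are constructed for the demonstration.

```python
import hashlib
import secrets

# Constructed example values (not from the original post).
REALM = "example.org"
USERS = {"rene": "hunter2"}
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    # RFC 2617 HA1: what a digest-aware server stores instead of the password.
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, nonce, method, uri) -> str:
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2), where HA2 = MD5(method:uri).
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1(user, realm, password)}:{nonce}:{ha2}")


class DigestServer:
    """Hypothetical server side: issues fresh nonces, checks responses once."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1s = {u: ha1(u, realm, p) for u, p in users.items()}
        self.issued = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user, nonce, method, uri, response) -> bool:
        if nonce not in self.issued:
            return False
        self.issued.discard(nonce)          # one-shot nonce: a plain replay fails
        h1 = self.ha1s.get(user)
        if h1 is None:
            return False
        expected = md5hex(f"{h1}:{nonce}:{md5hex(f'{method}:{uri}')}")
        return secrets.compare_digest(expected, response)


def client_login(server, user, password, method="POST", uri="/login"):
    """Honest client. Returns (accepted, what_a_sniffer_saw)."""
    nonce = server.challenge()
    resp = digest_response(user, REALM, password, nonce, method, uri)
    captured = dict(user=user, nonce=nonce, method=method, uri=uri, response=resp)
    return server.verify(user, nonce, method, uri, resp), captured


def offline_dictionary_attack(captured, wordlist):
    # Passive attacker: every input except the password is on the wire, so each
    # guess costs three MD5s and is checked without talking to the server.
    for guess in wordlist:
        if digest_response(captured["user"], REALM, guess, captured["nonce"],
                           captured["method"], captured["uri"]) == captured["response"]:
            return guess
    return None


def relay_attack(server, user, password, method="POST", uri="/login"):
    # Active attacker (in the path of the non-SSL page): gets a real challenge
    # from the server, presents it to the victim as if it were the server's
    # login form, and forwards the victim's correct answer in its own connection.
    nonce = server.challenge()                                        # attacker <-> server
    victim_resp = digest_response(user, REALM, password, nonce, method, uri)  # victim <-> attacker
    return server.verify(user, nonce, method, uri, victim_resp)       # attacker's session is accepted


if __name__ == "__main__":
    srv = DigestServer(REALM, USERS)
    ok, seen = client_login(srv, "rene", "hunter2")
    print("honest login accepted:", ok)
    print("replay of captured response accepted:",
          srv.verify(seen["user"], seen["nonce"], seen["method"], seen["uri"], seen["response"]))
    print("password recovered offline:", offline_dictionary_attack(seen, WORDLIST))
    print("relay by active attacker accepted:", relay_attack(srv, "rene", "hunter2"))
```

The one-shot nonce correctly rejects a replay, which is the only thing such a scheme buys over sending the password in the clear; the dictionary attack shows why a weak password is still lost to anyone who can sniff, and the relay shows that an attacker who can sit between the browser and the server simply uses the victim as an oracle. Neither a cnonce nor a qop changes either outcome, which is the point of "get SSL".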

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
