[nycphp-talk] security, sessions, and encryption
David Sklar
sklar at sklar.com
Tue Mar 16 10:28:23 EST 2004

> 1. SSL protects the data from being sniffed out as it goes from the
> form on the client machine to the server. This seems to be the only
> way, or at least the best way to prevent the data from being transmitted
> in the clear?

You're correct about what SSL does. However, another way to prevent the
data from being transmitted in the clear is to encrypt it (with
Javascript) before it is sent to the server.

http://pajhome.org.uk/crypt/md5/ has some links and demos of encryption
with Javascript.

With this method, the data passes in the clear to the server, but a
sniffer sees the encrypted version of the password instead of the real
password.

The downsides of this method:

- the user must have Javascript turned on
- a sniffer could capture the entire session and replay it
  to pretend to be a valid user

To prevent the capture and replay, you'd need to put something *else* in
the form that is unique each time you present the log in form. That way,
if you see a duplicate on the server, you know that it's an invalid form
submission.

If you (or your ISP) can flip a switch and enable SSL on your server,
it's simpler (no changes required in your pages) and more standard. If
for some reason you can't use SSL, all this Javascript whatnot can be
helpful.

> 2. When you crypt their password to compare it to the one stored in the
> database, and it's a one way encryption, that means that the password
> stored in your database has been put in via crypt as well at some point,
> correct?

Yes. The logic in your account signup page might look something like
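
    if (form_is_submitted() && form_data_is_valid()) {
        // One-way hash of the submitted password; only the hash is stored.
        $encrypted_password = crypt($_POST['password']);
        // Interpolating $_POST['username'] is only safe if it has been
        // escaped for the database first.
        db_query("INSERT INTO users (username,password) VALUES
                  ('$_POST[username]','$encrypted_password')");
        print "You're all signed up now.";
    }
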
David
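
The single-use form value described in the reply to question 1, as an added example that is not part of the original post: the server puts a fresh random value in each login form, the client sends a keyed hash over it instead of the password, and the server refuses any value it has already seen. The function names, the in-memory maps and the sample account are hypothetical, and HMAC-SHA-256 from Node's crypto module is used here in place of the JavaScript MD5 the post links to.

```javascript
const crypto = require('crypto');

const NONCE_TTL_MS = 5 * 60 * 1000;  // assumed lifetime of one login form
const issued = new Map();            // nonce -> expiry time, deleted on first use

// Stand-in for the hashed password column (assumption: salted SHA-256,
// with the username as salt, instead of crypt()).
function makeVerifier(username, password) {
  return crypto.createHash('sha256').update(username + ':' + password).digest('hex');
}

// Constructed sample account for the demonstration.
const users = new Map([['alice', makeVerifier('alice', 'correct horse')]]);

// Server: called each time the login form is rendered.
function issueNonce(now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  issued.set(nonce, now + NONCE_TTL_MS);
  return nonce;
}

// Client: the value the form's script submits instead of the password.
function clientResponse(username, password, nonce) {
  const verifier = makeVerifier(username, password);
  return crypto.createHmac('sha256', verifier).update(nonce).digest('hex');
}

// Server: accept a submission only for a nonce it issued and has not seen used.
function verifyLogin(username, nonce, response, now = Date.now()) {
  const expiry = issued.get(nonce);
  issued.delete(nonce);                                    // single use, even on failure
  if (expiry === undefined || now > expiry) return false;  // unknown, replayed or stale
  const verifier = users.get(username);
  if (!verifier) return false;
  const expected = crypto.createHmac('sha256', verifier).update(nonce).digest();
  const got = Buffer.from(String(response), 'hex');
  // Constant-time comparison; the length check avoids a throw on malformed input.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}
```

Under this scheme the stored verifier is password-equivalent: anyone who can read the users table can compute valid responses, which is one more reason to prefer SSL where it is available.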