[nycphp-talk] security, sessions, and encryption

Aaron Fischer agfische at email.smith.edu
Tue Mar 16 11:06:03 EST 2004


I'm hopeful that my IT dept. will be able to flip the switch on SSL, if 
they haven't already.

I've really moved away from JavaScript for the express reason of the 
unpredictability of the user having it on or off.  That's good info 
though, as a backup to the SSL option.  Thanks!

This sort of begs the question, what IS JavaScript good for, besides 
perhaps image rollovers...  =)

-Aaron

On Mar 16, 2004, at 10:28 AM, David Sklar wrote:

> You're correct about what SSL does. However, another way to prevent 
> the data from being transmitted in the clear is to encrypt it (with 
> Javascript) before it is sent to the server.
>
> http://pajhome.org.uk/crypt/md5/ has some links and demos of 
> encryption with Javascript.
>
> With this method, the data passes in the clear to the server, but a 
> sniffer sees the encrypted version of the password instead of the real 
> password.
>
> The downsides of this method:
>  - the user must have Javascript turned on
>  - a sniffer could capture the entire session and replay it
>    to pretend to be a valid user
>
> To prevent the capture and replay, you'd need to put something *else* 
> in the form that is unique each time you present the log in form. That 
> way, if you see a duplicate on the server, you know that it's an 
> invalid form submission.
>
> If you (or your ISP) can flip a switch and enable SSL on your server, 
> it's simpler (no changes required in your pages) and more standard. If 
> for some reason you can't use SSL, all this Javascript whatnot can be 
> helpful.