How to send password securely over HTTP?

views:

789

answers:

+3 Q:

How to send password securely over HTTP?

If on a login screen user submits a form with his username and password, the password is sent in plain text (even with POST, correct me if I am wrong).

So the question is what is the right way to protect the user and his password against the third party who might be eavesdropping on the communication data?

I am aware that HTTPS is asolution to the problem, but is there any way to ensure at least some level of security using standard HTTP protocol (POST request)? (perhaps using javascript in some way)

EDIT I may have left out some important things.

What I was about was a page - that is PHP generated login page, which is of course sent to user in HTTP GET request as a HTML file. There is no (@Jeremy Powel) connection established between server and the client so I can't create such handshaking protocol. And I want the complete process to be transparent to the user - he wants to submit a password, not deal with cryptography.

Thanks.

+7 A:

Jeremy Powell 2009-10-17 18:37:24

+1 - you'll need to compute the response on the client side with javascript (or Flash/Silverlight/etc.)

orip 2009-10-17 18:42:53

I was just going to say the same thing. Not sure of any js libraries out there to do this. It will be interesting to follow this post.

J.Hendrix 2009-10-17 18:45:09

The sending of R can be done with a hidden form field (the server needs to then validate that the R it received was fresh and not used before)

Yuliy 2009-10-17 18:47:04

Doesn't stop man in the middle or impersonation attacks. E.g. through wifi. Seems like this will just give a false sense of security, IMO.

Tom Hawtin - tackline 2009-10-17 18:55:10

Added a little freshness. :)

Jeremy Powell 2009-10-17 18:55:12

That protects against passive attacks, but a Man in the Middle can still attack.

Douglas Leeder 2009-10-17 18:56:05

man, it sure isn't my day for typos. The server also sends R in step 1.

Jeremy Powell 2009-10-17 18:56:56

Also it requires the server to know the original password.

Douglas Leeder 2009-10-17 18:57:00

@Douglas: yes. unfortunately. is there a way to do this by saving the hash of the password to the server?

Jeremy Powell 2009-10-17 18:58:11

+10 A:

Using HTTP with SSL will make your life much easier and you can rest at ease very smart people (smarter than me at least!) have scrutinized this method of confidential communication for years.

Jeremy Powell 2009-10-17 19:13:09

...and *"But I have to pay for an SSL certificate!!"* is not a valid complaint, since you can get them for $30 these days. Is your data really not worth 30 bucks to protect?

caf 2009-10-18 02:08:25

HTTPS is so powerful because it uses asymmetric cryptography. This type of cryptography not only allows you to create an encrypted tunnel but you can verify that you are talking to the right person, and not a hacker.

Here is Java source code which uses the asymmetric cipher RSA (used by PGP) to communicate: http://www.hushmail.com/services/downloads/

Rook 2009-10-20 06:03:52

ansaurus

tags:

views:

answers:

How to send password securely over HTTP?

related questions