Hi, I am new to SSL. Whatever I have read and know is that it is a paid digital certificate, and that after using SSL on a website (https://) the data transfer is secure at the network layer.

In my application I don't have much of a security concern except the login name and password.

Is there any way to protect the login name and password without using SSL (https://)?

+1  A: 

The certificate may be a self-signed one. It doesn't necessarily have to be a paid one :)

Chathuranga Chandrasekara
Sir, can you give me more details so I can use a free digital certificate on my website? Also, how can I configure it for the website?
Hemant Kothiyal
There is also cacert.org; they issue free certificates. They are not trusted by the browsers by default, but it is better than self-signing.
stribika
+2  A: 

There are a number of authentication schemes which can work securely over plain HTTP. The most common of these is Digest, which is supported by all major web browsers and virtually every web programming framework.

The down-sides of using Digest for web sites are that:

  • The authentication is handled by the browser itself rather than a login page on the web site, which doesn't look nearly as nice, and doesn't allow you to have all the surrounding helper functions like "forgot your password?" that we've come to expect nowadays.

  • If you have no SSL connection, savvy users may feel worried that they are sending their password insecurely (even though they aren't) because they've been trained to look for an SSL connection when entering credentials.

There are other schemes such as OAuth which also are safe over plain HTTP, but that is really more for APIs than web sites, so probably isn't what you want.

Greg Beech
Digest isn't exactly secure. Someone who can see the traffic going between the computers could still intercept the digested password, and mock/modify an HTTP request using the digested password and still gain access to the website.
tschaible
Similar issues arise with most other authentication schemes. Token-based authentication such as issuing authentication cookies can also be intercepted and spoofed; the way both are mitigated is to have an expiring token (Digest does this with the nonce). Nothing's truly secure unless all connections are made over SSL (and even then, it isn't truly secure!).
Greg Beech
Ohh, I got the answer, seems good. We can generate a hash value of the password (encrypted) at the client by using the MD5 algorithm, and for that the server has to pass a random key value to the client when there is a request for the login page; using that key at the client side we can encrypt the password and send it to the server. As the server knows the key, it can therefore decrypt it. I think this solution is good. What is your opinion?
Hemant Kothiyal
@Hemant - You can't decrypt MD5 as it is a one-way hash function (though not a very secure one). Unless you have a very good understanding of web authentication mechanisms and cryptography, I would very strongly suggest that you do not try to create your own authentication scheme, as it's very, very hard to do correctly.
Greg Beech
OK @Greg, so we should always rely on https://, nothing else. So if someone has a website with a few less secure pages (2-3) but many more pages which don't require security, they should also purchase SSL certificates? Doesn't that look like an additional cost?
Hemant Kothiyal
@Hemant - Buying an SSL certificate is what most people end up doing. They're not that expensive really (say US$250/year), which is likely less cash than it would cost in developer time to work out and implement your own mechanism, and probably much less cash than having your users' details exposed when it is cracked. So yeah, I'd probably just send the details in plain text over SSL.
Greg Beech
@Greg, can you help me find a free digital certificate (SSL) for a website (https://) so that I can experiment with it? Also, I am interested if you can guide me to find a paid one.
Hemant Kothiyal
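The Digest exchange discussed in this answer and its comments, written out as an added example (this is not code from the original post or from any of the commenters). It computes the RFC 2617 `response` value exactly as a browser would, so the plaintext password never leaves the client, and the server side keeps the password only as the HA1 hash. The nonce bookkeeping (expiry and a strictly increasing nonce count) is what makes a captured request useless after the window closes, which is the mitigation Greg Beech describes. Realm, user names, passwords, the fixed `cnonce`, and the timestamps are constructed sample values; `DigestServer` and `digest_response` are hypothetical names chosen for this illustration, not a real library API.

```python
import hashlib
import hmac
import secrets


def md5hex(text: str) -> str:
    """MD5 as lowercase hex, the algorithm RFC 2617 Digest is defined with."""
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: the 'response' field a browser sends for qop=auth.
    Only hashes cross the wire; the password itself is never transmitted."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: verifies responses and tracks nonces so a captured
    request stops working once its nonce expires or its count is reused."""

    def __init__(self, realm, users, nonce_ttl=60):
        self.realm = realm
        # Store HA1 only (constructed sample users passed in as plaintext for the demo).
        self.ha1 = {u: md5hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.nonces = {}  # nonce -> [issued_at, highest nonce count accepted]
        self.ttl = nonce_ttl

    def issue_nonce(self, now):
        """Sent in the WWW-Authenticate challenge; 'now' is injected for testability."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [now, 0]
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, now):
        entry = self.nonces.get(nonce)
        if entry is None:
            return False, "unknown nonce"
        issued, last_nc = entry
        if now - issued > self.ttl:
            del self.nonces[nonce]          # expired: client must re-authenticate
            return False, "stale nonce"
        nc_val = int(nc, 16)
        if nc_val <= last_nc:
            return False, "nonce count replayed"
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False, "unknown user"
        ha2 = md5hex(f"{method}:{uri}")
        expected = md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False, "bad response"
        entry[1] = nc_val                   # accept, and remember the count
        return True, "ok"


def demo():
    """Walk through one login plus the failure modes the thread talks about."""
    server = DigestServer("example.com", {"alice": "correct horse"}, nonce_ttl=60)
    t0 = 1_000_000.0                        # constructed clock value
    nonce = server.issue_nonce(now=t0)
    cnonce = "0a4f113b"                     # constructed client nonce
    args = ("alice", "example.com", "correct horse", "GET", "/account", nonce)

    resp1 = digest_response(*args, "00000001", cnonce)
    first = server.verify("alice", "GET", "/account", nonce, "00000001", cnonce, resp1, now=t0 + 1)
    # The very same request seen again: rejected because nc did not advance.
    replay = server.verify("alice", "GET", "/account", nonce, "00000001", cnonce, resp1, now=t0 + 2)
    # The real client keeps counting, so it can reuse the nonce within its lifetime.
    resp2 = digest_response(*args, "00000002", cnonce)
    second = server.verify("alice", "GET", "/account", nonce, "00000002", cnonce, resp2, now=t0 + 3)
    # Wrong password: hashes do not match even though the nonce is fresh.
    bad = digest_response("alice", "example.com", "wrong", "GET", "/account", nonce, "00000003", cnonce)
    wrong = server.verify("alice", "GET", "/account", nonce, "00000003", cnonce, bad, now=t0 + 4)
    # After the TTL even a correctly computed response is refused.
    resp4 = digest_response(*args, "00000004", cnonce)
    stale = server.verify("alice", "GET", "/account", nonce, "00000004", cnonce, resp4, now=t0 + 61)
    return {"first": first, "replay": replay, "second": second, "wrong": wrong, "stale": stale}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:7} -> {result}")
```

Two things worth noticing. First, the server's `verify` never sees the password: it compares the client's hash against one it derives from the stored HA1, which is why Digest survives a passive observer of plain HTTP. Second, the protection is only as good as the nonce window: inside the TTL, a response captured off the wire is indistinguishable from the real client's next one unless the nonce count is enforced strictly, and neither check stops an attacker who can modify traffic in transit, which is the limitation the comments settle on before recommending SSL. MD5 here is what RFC 2617 specifies; RFC 7616 later allowed SHA-256 for the same construction.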
