Jay Blanchard wrote:
[snip]
Just playing devil's advocate here... But I believe that if implemented
properly, encryption/decryption on the client could be secure, for
example a Diffie-Hellman key exchange with AJAX, followed by encryption.
[/snip]
Doesn't matter the key, you must use SSL to encrypt from client to
server.
Why *must* you use SSL? Again, devil's advocate here (SSL is probably
much better) but that doesn't mean that you can't use some crazy JS and
PHP to implement some alternative encryption technique. (Say a symmetric
algorithm that isn't implemented in any standard SSL implementations, or
a proof of concept etc.)
For example:
- Client (javascript) and Server (PHP script) decide on some key via
secure key negotiation.
- One end encrypts message using key and wacky encryption algorithm,
other end decrypts it. Same thing again, client/server reversed.
SSL is obviously the recommended, trusted, proven, and accepted way of
sending secure data, but there could potentially be cases where someone
would want to try something else. It's not that it can't be done, it's
more that there's no reason to do it that way. :-)
jon
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
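
The scheme sketched in this thread (key negotiation, then symmetric encryption in each direction), as an added example that is not code from the thread: Node.js `crypto` stands in for both the browser and PHP ends, and the RFC 3526 `modp14` group, HKDF-SHA256, AES-256-GCM and all function names are assumptions chosen here. The exchange is unauthenticated, so neither side learns whose public key it received, which is the piece SSL certificates supply.

```javascript
// Added example: Diffie-Hellman key agreement followed by authenticated
// symmetric encryption. Both "client" and "server" run in one process here.
const nodeCrypto = require('node:crypto');

// Each party creates a keypair on the same well-known group (assumed: modp14).
function newParty() {
  const dh = nodeCrypto.getDiffieHellman('modp14');
  dh.generateKeys();
  return dh;
}

// Turn the raw DH shared secret into a 32-byte AES key with HKDF-SHA256.
// Note: peerPublic is not signed, so this step cannot tell who sent it.
function deriveKey(dh, peerPublic) {
  const secret = dh.computeSecret(peerPublic);
  const okm = nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'demo-session', 32);
  return Buffer.from(okm);
}

// Encrypt with AES-256-GCM using a fresh random 96-bit nonce per message.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt and verify the GCM tag; final() throws if the message was altered.
function open(key, { iv, ct, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// One round trip each way, as in the two steps described above.
function runExchange() {
  const client = newParty();
  const server = newParty();
  const clientKey = deriveKey(client, server.getPublicKey());
  const serverKey = deriveKey(server, client.getPublicKey());
  const up = open(serverKey, seal(clientKey, 'card=constructed-sample'));
  const down = open(clientKey, seal(serverKey, 'ok'));
  return { keysMatch: clientKey.equals(serverKey), up, down };
}
```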