Re: Back to security


On Mar 12, 2007, at 3:32 PM, Richard Lynch wrote:

> On Sat, March 10, 2007 12:41 pm, Alain Roger wrote:
>> I'm continuing to work on securing my administration part of the
>> website. Based on previous posts and reading materials, I was thinking
>> to use the following process:
>
> Think of HTTPS as like a bank vault in the basement of a branch bank.
>
> Anybody can walk in the door, but very very very few people can walk
> into the vault.
>
> Better off to do all of 1, 2, and 3 inside HTTPS.
>
> Plus, the whole point of HTTPS is to stop network sniffers from
> over-hearing passwords and other sensitive data, and if you
> authenticate outside HTTPS, then you are sending the authentication
> credentials over the wire for anybody to hear, so what's the point?

For what it is worth, I am only aware of one drawback to https with
respect to how requests are handled that makes it difficult to use
with virtual hosting. I am a little hazy on how it works, but when
https is used only the IP address of the request is available to the
server before the rest of the request is decrypted. So, in this sense
it could be advantageous to use an http login script and start the https
server once the login was successful. I say this because I have
written a login script that uses an md5 library ported to javascript.
The login and password are hashed in the client, and just so a sniffer
cannot grab the hash and use that, I have a random hash that is hashed
against the login/password hash. The random hash, which I will call a
nonce, is saved on the server, and the server uses it against all the
known login hashes and compares the result to what was sent. That way
what the client sends is always different and cannot be reused.
I cannot guarantee this, but it would be straightforward to guess that
even if the hash was cracked, the cracker would have to guess how the
nonce was generated and find a hash that would work to get the correct
result. The punch line is that he could not reuse it to test it.
Hope this is useful.
Jeff K

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

