German Geek wrote:
> What do you think?
I think just use a flippin' ssl server and be done with it.
When I go to a website that requires me to let them execute JavaScript I
rarely go back.
You can use SSL for the login and only the login. I know that it means
either using a self-signed cert or paying big bucks; for anything with
e-commerce you want to pay big bucks for a cert, there is no other
option. For anything not e-commerce, using a self-signed cert seems a
lot more secure to me than having the browser grab some salt off your
server, use JavaScript to encrypt the pass, and then send it back.
Public/private key is the way to go, and a self-signed cert still gives
you that; the only issue is the user gets a warning the first time they
connect to the server and has to manually accept your cert.
You may make the password a little more difficult to sniff by sending
some salt to the client and using JS to make a password hash, but the
bottom line is a user has no reason to trust a login is secure if you
don't use SSL, and every reason not to trust that it is secure. So use
SSL if you want to provide secure login, and don't cripple your site by
having the audacity to require users to allow you to execute code on
their machine in order to use your website. It will drive some users away.
Not exactly what you asked, but it is my opinion.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
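As an added illustration (not code from the thread or the list), the sketch below reduces the two login designs discussed in the reply to what the server stores and what crosses the wire; the salt, password and PBKDF2 iteration count are constructed values.

```python
import hashlib
import hmac
import os

# Constructed fixed per-user salt, as handed to the browser in the
# "fetch salt, hash in JavaScript, send the hash" design from the post.
SALT = b"constructed-fixed-salt"


def js_scheme_client(password: str) -> bytes:
    """What the browser sends after fetching the salt and hashing in JavaScript."""
    return hashlib.sha256(SALT + password.encode()).digest()


def js_scheme_verify(stored: bytes, wire_value: bytes) -> bool:
    """Without TLS the server can only compare the wire value with what it keeps."""
    return hmac.compare_digest(stored, wire_value)


def js_scheme_demo() -> dict:
    stored = js_scheme_client("correct horse")   # registration keeps the same digest
    wire = js_scheme_client("correct horse")     # a login, readable in transit without TLS
    transcript_copy = bytes(wire)                # what a passive observer (or a DB leak) holds
    return {
        "legit_login": js_scheme_verify(stored, wire),
        # The server accepts the copied value as-is: the hash itself is the credential,
        # so the scheme only hides the password text, not the ability to log in.
        "captured_value_accepted": js_scheme_verify(stored, transcript_copy),
    }


def tls_scheme_register(password: str) -> tuple:
    """Plain password arrives inside TLS; the server salts and stretches it itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def tls_scheme_verify(record: tuple, password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(digest, candidate)


def tls_scheme_demo() -> dict:
    record = tls_scheme_register("correct horse")
    return {
        "legit_login": tls_scheme_verify(record, "correct horse"),
        "wrong_password": tls_scheme_verify(record, "wrong"),
        # A leaked stored digest is not accepted in place of the password.
        "stored_digest_as_password": tls_scheme_verify(record, record[1].hex()),
    }
```

The transcript itself is what TLS protects; in the second design nothing an observer or a leaked user table holds doubles as a login credential.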