Re: for the security minded web developer - secure way to login?

Hi gang,

Was just thinking of a cheap solution for sites that don't require absolute
security. An SSL cert costs about $150 a year. Sites like Facebook could use
this... Of course it's not for banks etc.

You could degrade gracefully when JavaScript is turned off to just sending
the form and checking the password normally if the first test fails, which
would happen anyway, wouldn't it? ...

Mainly this was just meant to be a proof of concept. An alternative to SSL
for those who have more time than $$ and not quite so high a security
requirement.

Of course SSL is better! Duh! Just wanted to give you guys something to
think about. The password would not be given away like this would it? It
just makes it a little more difficult for script kiddies. They would have to
have a keylogger running or steal the session. :P

Regards,
Tim

Tim-Hinnerk Heuer

http://www.ihostnz.com
Mike Ditka  - "If God had wanted man to play soccer, he wouldn't have given
us arms."
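The message above only sketches the scheme (a JavaScript first test, with a plain password check as the fallback when JavaScript is off). The following is an added illustration, not code from the thread or from any poster, of one way such a challenge-response login can be laid out on the server side; the user store, salt, nonce handling and field names are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed user store (assumption): one salted PBKDF2 hash per user, hex encoded.
def derive(password: str, salt_hex: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000).hex()

SALT = "5f9a1c3d"  # constructed per-user salt
USERS = {"tim": {"salt": SALT, "hash": derive("correct horse", SALT)}}
NONCES: set[str] = set()  # outstanding one-time challenges, consumed on first use

def issue_challenge(username: str) -> dict:
    """Server step 1: hand the login form a fresh nonce plus the user's salt.
    The same dummy salt is returned for unknown users so the step does not reveal
    which usernames exist."""
    nonce = secrets.token_hex(16)
    NONCES.add(nonce)
    salt = USERS[username]["salt"] if username in USERS else SALT
    return {"nonce": nonce, "salt": salt}

def client_response(password: str, challenge: dict) -> str:
    """What the browser-side JavaScript would compute before submitting the form:
    the salted hash keyed over the nonce, so the password itself never leaves the page.
    Note the stored hash becomes password-equivalent for this path, so the user
    table needs the same protection the password would."""
    h = derive(password, challenge["salt"])
    return hmac.new(bytes.fromhex(h), challenge["nonce"].encode(), "sha256").hexdigest()

def login(form: dict) -> bool:
    """Server step 2. The form carries 'response' (JavaScript path) or, when
    JavaScript is off, the plain 'password'. Either way the nonce is spent once,
    so a captured form cannot simply be replayed."""
    nonce = form.get("nonce")
    if nonce not in NONCES:
        return False  # unknown, expired or already-used challenge
    NONCES.discard(nonce)
    user = USERS.get(form.get("username"))
    if user is None:
        return False
    if "response" in form:
        expected = hmac.new(bytes.fromhex(user["hash"]), nonce.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, form["response"])
    if "password" in form:  # graceful fallback: verify the password normally
        return hmac.compare_digest(user["hash"], derive(form["password"], user["salt"]))
    return False
```

This only keeps the password out of the cleartext request; the session cookie issued after a successful login still travels in the clear without SSL, which is the session-stealing limitation the message itself points out.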

2009/2/15 Michael A. Peters <mpeters@xxxxxxx>

> Dotan Cohen wrote:
>
>
>> Have you seen the fit Firefox 3 makes for self-signed certs? So far as
>> the end user is concerned, the site is inaccessible.
>>
>>
> Yes I have.
> That's why on my site I have an instruction page - and a demonstration of
> how Opera does it, which is just as secure and less of a PITA, and a
> suggestion that users go ahead and try Opera - something I never did before
> FF messed up the self-signed SSL process.
>
> The FF3 really bugged me -
>
> 1) The purpose of SSL is to provide public/private key encryption.
> 2) The purpose of signing is so that they know you are really you on future
> visits.
> 3) The purpose of certificate authorities is so that they know you are you
> on the first visit.
>
> Many web sites benefit from the first two without needing the complexity of
> the third, a concept Firefox seems to have lost.
>
> I don't need the paperwork hassle etc. for the few sites I run - I just
> need a way for a user to authenticate so I can give 'em a session cookie, no
> sensitive data is ever collected. Ah well.
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
