in reply to Re: Security in CGI and User Authentication
in thread Security in CGI and User Authentication

Yep, I'm aware of the HTTP password security "problem" .. I'm running the user authentication components of the page using SSL already. Should probably have mentioned that up there somewhere :)

Having said that, though, and just out of interest, would it not be possible to write some Perl script that crypts the password client-side, before it's shipped across to the server? Purely an "on-the-fly" question .. not something I'd even thought about until just now.

-- Foxcub


Re: Re: Re: Security in CGI and User Authentication
by shotgunefx (Parson) on Dec 04, 2002 at 02:51 UTC
    You may find this interesting. The site contains JavaScript (yes, I know JavaScript sucks, people) implementations of MD5 and other hashing functions. Yahoo uses it for non-SSL logins.

    -Lee

    "To be civilized is to deny one's nature."
Re^3: Security in CGI and User Authentication
by Aristotle (Chancellor) on Dec 04, 2002 at 09:17 UTC

    It still won't work because the password hash goes over the network in clear, so all I have to do is sniff the cookie and feed it back to you. I needn't decrypt it - I already know it's a valid password hash as long as the user doesn't change his password.

    If you want the client to actively encrypt the data using some sort of variable token not sent across the network, well, that's exactly what SSL does.

    (Still, it would have been nice if HTTP natively had some sort of secure authentication like APOP's challenge-response mechanism. Alas, it doesn't (and can't - it's a stateless protocol).)

    Makeshifts last the longest.

Re: Re: Re: Security in CGI and User Authentication
by BUU (Prior) on Dec 04, 2002 at 03:21 UTC
    Perl requires a Perl interpreter. Not to mention there's no easy way to hook Perl into IE/MOZ/etc (to my knowledge).