sharing secret without ssl

Sixtease has asked for the wisdom of the Perl Monks concerning the following question:

this is a general web-programming question

Dear monks,

Assume web application Example.com has no ssl certificate and doesn't want one. But would still like to share a secret with the visitor
(like for generating nonces, so that sniffing session cookie doesn't give an attacker the visitor's rights).

Q1: Do you see a way to exchange such a secret during OpenID login?
Assuming the OpenID provider uses ssl.

Q2: If it is not possible (like I think), what other ways do you see?
My idea is to start a dedicated, open web service, that will have an SSL certificate, and will let the client share a secret with specified service. A Catalyst controller could look like this:

sub index :Private {
  my ($self, $c) = @_;
  my $secret = random_string();
  my $other_side = $c->req->params->{other_side};
  my $res = $lwp_ua->get("$other_side?secret=$secret");
  if ($res->is_success) {
    $c->response->body($secret);
  }
}
[download]

Ideas? Does this already exist? Sorry for posting such a non-Perl-specific question / rambling.

use strict; use warnings; print "Just Another Perl Hacker\n";

Comment on sharing secret without ssl Download Code

Replies are listed 'Best First'.
Re: sharing secret without ssl by moritz (Cardinal) on Feb 11, 2011 at 13:21 UTC
Something like Secret-Key Agreement over Unauthenticated Public Channels is known in the realm of asymmetric cryptography. With a bit of luck, you can even find public implementations of such protocols. Perl 6 - second systems done right	[reply]
Re^2: sharing secret without ssl by Sixtease (Friar) on Feb 11, 2011 at 13:22 UTC
True, I just realized I can simply use Diffie-Hellman or the like. I consider this question solved. use strict; use warnings; print "Just Another Perl Hacker\n";	[reply]