How to encrypt password forms in my web app? (Can't SSL)

From: Peter Mørch (pvm@capmon.dk)
Date: 11/28/02

Hi there,

We're creating an application where Apache is used for the user
interface. In the beginning of a session, the users log in, giving
their user name and password. I'd like to avoid sending the users'
passwords over the wire in easily-sniffable text. Is this even
possible? How would I go about that?

The thing is that this is not a single server with a well-defined
URL. There are many instances of this application, and the server
name, URL and IP address are different for each. To have an SSL
certificate created for each is impractical, and to have users
disregard the browser's certificate warning at the beginning of every
session is not considered acceptable.

All I'm trying to accomplish is to avoid sending users' passwords over
the wire in clear text, under the assumption that many users might be
using the same username/password for our application as for more
sensitive contexts. It is not important for us that this is HTTPS or
SSL or that there is a "secure icon" in the bottom of the browser.

Is there a theoretical solution to this? A practical one?
Is there something central I've misunderstood?

I'm just using HTML with a little JavaScript on the client side for
now.

Thanks,

Peter