Re: Another form of encryption? "Not SSL"

From: Robert Hurlbut (robert_at_nospam.securedevelop.net)
Date: 10/31/04


Date: Sat, 30 Oct 2004 19:09:24 -0400

Leon,

If there is no SSL being done on the form, then your information is more
than likely sent in clear text. Now, they could be using SSL with a form post,
which would be secure, and you can tell this through "view source" on the
page. Even with SSL, though, just because the lock is there in the corner
doesn't always mean it is valid. You still have to check it.

Also, if you are able to get your password back from any site without them
re-generating a temporary password, then that site is probably storing your
password in clear text, or at best encrypting it with some key they use to
decrypt it. Ideally, you want the site to use a salt and one-way strong hash
to store your password, which means you can't ever retrieve the same
password.

Robert Hurlbut
http://weblogs.asp.net/rhurlbut
http://www.securedevelop.net

"Leon" <vnality@msn.com> wrote in message
news:OJ$al9pvEHA.2568@TK2MSFTNGP11.phx.gbl...
> How can I encrypt data sent across my website from web forms without
> using SSL?
> Such as on Login the user enters "EmailAddress" & "Password" and Simple
> Registration Form
> in which the user creates a Password, FirstName, LastName, etc.
> I see sites like Careerbuilder and Monster allow users to register, login,
> and retrieve a lost password
> without using an SSL connection "I know anytime you deal with credit card
> info you need an SSL".
> Thanks!
>
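
The salted one-way hash storage described in the reply above, as an added example that is not part of the original thread: the site keeps only a salt and a digest, so a lost-password request can only issue a temporary password, never return the old one. The record layout, the function names, and the PBKDF2 work factor are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed parameters for this sketch; tune the work factor for your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def register(email: str, password: str) -> dict:
    """Build the stored user record (hypothetical layout): no password field at all."""
    salt, digest = hash_password(password)
    return {"email": email, "salt": salt, "digest": digest, "must_change": False}


def verify_password(password: str, record: dict) -> bool:
    """Login check: re-hash the attempt with the stored salt, compare in constant time."""
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def reset_password(record: dict) -> str:
    """Lost-password flow: the old password is not recoverable from the record,
    so generate a temporary one, store only its salted hash, and flag a forced change."""
    temporary = secrets.token_urlsafe(12)
    record["salt"], record["digest"] = hash_password(temporary)
    record["must_change"] = True
    return temporary  # delivered to the user out of band, never stored


if __name__ == "__main__":
    # Constructed sample account, not data from the thread.
    user = register("user@example.com", "correct horse battery")
    print("login ok:", verify_password("correct horse battery", user))
    temp = reset_password(user)
    print("old password still valid:", verify_password("correct horse battery", user))
    print("temporary password valid:", verify_password(temp, user))
```
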


