I have created a very unique, yet simple method of a form encryption that
provides the same mechanism that the public/private key entails.
Check out my just published release at
http://www.nshb.net/secure-form-post-with-javascript-without-ssl
Look forward to hearing any feedback you guys have :)
Warmest regards,
Nathan.
--------------------------------------------------------------
Nathaniel S. H. Brown Toll Free 1.877.4.INIMIT
Inimit Innovations Phone 604.724.6624
www.inimit.com Fax 604.444.9942
-----Original Message-----
From: Antoine Martin [mailto:antoine@nagafix.co.uk]
Sent: September 29, 2005 1:17 PM
To: info@biledge.com
Cc: webappsec@securityfocus.com
Subject: Re: Must we authenticate login forms (using SSL?)?
On Thu, 2005-09-29 at 11:03 +0300, info@biledge.com wrote:
hi,
we do authenticate login forms with SSL or not, UAE (users are
everywhere) is the valid one, the attack is unavoidable.
kind of hit-and-hide game. then MITM is also = UITM.
I am surprised no-one has mentioned the use of client-side encryption
(ie: checksum the password with a random session seed - which
can be done in Javascript for example) as a way of reducing
the risks of MITM.
The session can still be hijacked but at least the original
password is safer (as stealing it requires more work than
just listening in).
Obviously, this relies on more than just plain html and needs
other safeguards to ensure the MITM can't make the client
default to the non-javascript version (if there is one), etc.
just my 2p
Antoine
if we can create a 'secure system' among all servers in the world,
then we may provide security. but if clauses are jokers
sometimes, i
think it is better to prefer the identity based security
systems. you
can have SSL but user may not use https. if servers can
control the use of https, then i think things would be
different in terms of security (now i feel very insecure !)..
i am just thinking though..
regards,
billur c.
