WebApp Sec mailing list archives
RE: Must we authenticate login forms (using SSL?)?
From: "Nathaniel S. H. Brown" <nshb () inimit com>
Date: Thu, 29 Sep 2005 22:02:00 -0700
I have created a very unique, yet simple method of a form encryption that provides the same mechanism that the public/private key entails. Check out my just published release at http://www.nshb.net/secure-form-post-with-javascript-without-ssl Look forward to hearing any feedback you guys have :) Warmest regards, Nathan. -------------------------------------------------------------- Nathaniel S. H. Brown Toll Free 1.877.4.INIMIT Inimit Innovations Phone 604.724.6624 www.inimit.com Fax 604.444.9942
-----Original Message----- From: Antoine Martin [mailto:antoine () nagafix co uk] Sent: September 29, 2005 1:17 PM To: info () biledge com Cc: webappsec () securityfocus com Subject: Re: Must we authenticate login forms (using SSL?)? On Thu, 2005-09-29 at 11:03 +0300, info () biledge com wrote:hi, we do authenticate login forms with SSL or not, UAE (users are everywhere) is the valid one, the attack is unavoidable.kind of hit-and-hide game. then MITM is also = UITM. I am surprised no-one has mentioned the use of client-side encryption (ie: checksum the password with a random session seed - which can be done in Javascript for example) as a way of reducing the risks of MITM. The session can still be hijacked but at least the original password is safer (as stealing it requires more work than just listening in). Obviously, this relies on more than just plain html and needs other safeguards to ensure the MITM can't make the client default to the non-javascript version (if there is one), etc. just my 2p Antoineif we can create a 'secure system' among all servers in the world, then we may provide security. but if clauses are jokerssometimes, ithink it is better to prefer the identity based securitysystems. youcan have SSL but user may not use https. if servers cancontrol the use of https, then i think things would be different in terms of security (now i feel very insecure !)..i am just thinking though.. regards, billur c.
Current thread:
- Must we authenticate login forms (using SSL?)? Amir Herzberg (Sep 28)
- <Possible follow-ups>
- Re: Must we authenticate login forms (using SSL?)? info (Sep 29)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 29)
- RE: Must we authenticate login forms (using SSL?)? Nathaniel S. H. Brown (Sep 29)
- Re: Must we authenticate login forms (using SSL?)? Peter Conrad (Sep 30)
- RE: Must we authenticate login forms (using SSL?)? Nathaniel S. H. Brown (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Rogan Dawes (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Eoin Keary (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 30)
- Re: Must we authenticate login forms (using SSL?)? Antoine Martin (Sep 29)