7

I'm developing a website where users submit credentials using AJAX and PHP with the POST method, and I want to protect the login credentials so they are not sent in plain text, but I don't want to use SSL. Can I secure the password credentials without using an SSL certificate?

Can anyone give me a working example of any method?

Vishwanath Dalvi

5 Answers

7

You cannot completely secure the credentials without some out-of-channel verification (which SSL provides); a man-in-the-middle attack will always be possible.

Put simply, there is no way for the client to be completely sure that they are talking to the server instead of a fake server inserted somewhere in between.

cobbal
2

You can use a provider like OpenID that will handle the authentication for you. The provider uses SSL to verify the credentials, and then you can validate it by using their API, so the user never actually sends credentials to your page.

Getting started with OpenID

Can Gencer
  • Unless you're using HTTPS only, you just trade password sniffing for session hijacking; you gain nothing in terms of security. – Zed Feb 23 '11 at 14:39
  • That is not completely true. Session IDs can be mapped to IP addresses, which will make it a lot more difficult to hijack. It also makes the attacks non-repeatable (unless the attacker is willing to keep the session open forever). – Can Gencer Feb 23 '11 at 16:02
  • Very often the hijacker is on the same network (same school, same hotel, same cafe), because sniffing local traffic is easiest. And when you are on the same network, it is also trivial to use the victim's IP. Also, when the network happens to be behind a NAT and you all share one IP (very common these days thanks to the shortage of IPv4 addresses), then you don't even have to change your IP at all. Don't assume that changing the IP address is hard, because usually it isn't, especially if your desired address is in the same subnet. – Zed Feb 23 '11 at 23:40
  • Yes, valid points, but there's only so much you can do without a secure transport channel. I would say it's still more secure than a vanilla login/password, as the attacker won't be able to discover the user's password and the attack will be limited to the site in question. I don't know what kind of site this one is intended to be, but a lot of mail accounts are hacked through vulnerabilities in other sites and users who use the same password. – Can Gencer Feb 24 '11 at 09:39
1

Maybe this helps you: Two-way password encryption without ssl

felixsigl
1

In short... no.

You can try, but I don't think there is a method I can imagine in JavaScript or any other in-browser way to secure your posted data.

The problem is on the encryption side; doing good, strong public-private crypto in JavaScript doesn't sound feasible to me.

I'm also kind of curious about the "why" part...

...still pondering some possible method; will update the post if something pops up.

the JinX
  • Even the best possible JavaScript implementation is vulnerable: the script doing the encryption could be tampered with, as it is sent over a non-secure line. This is the reason that the SRP protocol, for example, cannot be made secure when implemented in JavaScript. – Jacco Feb 23 '11 at 10:10
0

Using SSL without a certificate should be possible. It makes you vulnerable to a man-in-the-middle attack, but it encrypts the transferred data.

Raffael
  • It would drive traffic away, because the browser will always show a certificate warning and most likely will ask the user to confirm that he really wants to continue to the site. – Maiku Mori Feb 23 '11 at 09:42
  • True, true... but the question is, what's the point of somewhat secure encryption? :-/ ... how about str_rot13? – Raffael Feb 23 '11 at 09:52
  • There are 2 kinds of security: the kind that keeps your little sister from learning your secret and the one that keeps major governments out. In other words: either you have a strong and secure system, or an exposure waiting to happen. In other words: there is no such thing as 'somewhat secure encryption'. rot13? That's not even trying to be secure; it's a handy obfuscation routine. – Jacco Feb 23 '11 at 10:46