2

I am working on a website and I am wanting to provide the most secure communication, but I cannot afford to spend much on it.

It is about the following: <input type='password' name='password'>

They will normally be sent as plain text over the transport protocol.
I'm just having some cheap hosting for €1 per month and I cannot really 'afford' (with respect to the websites donations and importance of security) an SSL certificate for all subdomains for 8,50€ per month.

So I am wondering now, what are my options to prevent the password being sent as plain text? Actually it doesn't matter that it is being sent as plain text, it should just not be readable by anyone else than the browser and the server, but I guess that is always possible with plain text.

I'm also doing live server side validation on input fields through AJAX, and there are checks on the password length, etc. for example. So I'd still have access to that data, if it even makes sense.

I have access to for example HTML, JavaScript/JQuery, PHP, AJAX and possibly more languages if needed.

skiwi
  • 66,971
  • 31
  • 131
  • 216
  • 1
    have a look [here](http://stackoverflow.com/questions/4121629/password-encryption-at-client-side) – Jacob A. Dec 04 '13 at 08:05
  • 2
    http://www.jcryption.org/ – Joke_Sense10 Dec 04 '13 at 08:06
  • @Joke_Sense10 Does this only work when I have full access to the server? I see it relies on internal commands and I'm not sure if I can issue those on a basic webhost. Also, would it be advised to use JCryption with SSL together, or can that lead to some clashes? – skiwi Dec 04 '13 at 08:13
  • There are hosting companies which offer to use their own domain with SSL for free. I could for example call my site via `https://..ch` and would not have to buy a certificate then. – martinstoeckli Dec 04 '13 at 10:51
  • @martinstoeckli Unfortunately that's not possible with my host. – skiwi Dec 04 '13 at 11:04

1 Answers1

1

If all you need is encryption to hide your communication from eavesdroppers - you do not need SSL. As I see it, the main feature of SSL and certificates, is the authentication: Your clients know that they are really surfing to your site (and not to some fishing site for example). The authentication also helps against Man In The Middle (MitM) attacker.

If you want to hide the passwords from eavesdroppers, send some public key, and send the passwords encrypted with this public key. As far as you are the only one who knows the private key, and that your client really received your public key - it should be enough.

Notice that the above solution DOES NOT work against MitM: Such an attacker can just change the public key that is sent to the client to its own public key, such that the attacker can decrypt the encrypted password (as he knows the private key of the new public key). If you use SSL, than your client can verify that your public key is really yours (it is signed by the Certificate Authority).

So I recommend you to search how to implement public key operations in JS.

Gari BN
  • 1,635
  • 2
  • 17
  • 31