Geek Answers Handbook

Secure credentials without SSL

I am new to SSL, regardless of what I read and know that it’s a paid digital certificate and after using SSL on the https: // website, data transfer is protected at the network level.

In my application, I have no security issues other than a login and password.

Is there a way to protect username and password without using SSL https: //

+5
source share
6 answers

There are several authentication schemes that can safely work on simple HTTP. The most common of these are Digest , which is supported by all major web browsers and virtually any web programming infrastructure.

The downside of using digest for websites is this:

  • Authentication is handled by the browser itself, rather than the website login page, which doesn’t look so good and doesn’t allow you to have all the surrounding supporting features, such as “forgot your password?” which we are currently expecting.

  • If you do not have an SSL connection, experienced users may worry that they are not securely sending their password (even if it is not), because they have been trained to find an SSL connection when entering credentials.

, OAuth, HTTP, API, -, , , , .

+3

HTTP, SSL , . , .

HTTP MITM, .

SSL .

+2

. :)

+1

StartSSL.Org , , , cacert.org, .

+1

, ( ) openssl.

RSA CSR . Linux- openssl:

openssl genrsa -des3 -out mydomain.key 1024

openssl req -new -key mydomain.key -out mydomain.csr   // fill in the details

mv mydomain.key mydomain.key.org

openssl rsa -in mydomain.key.org -out mydomain.key     // creates passphraseless key

openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt
0

, , .

, , . , , .

Damn, I’ll even say that with a little preliminary keystroke (or something like gpg) it can be every bit as safe.

0
source

More articles:


All Articles