Secure authentication without SSL

I'm starting to write a small web application and have started thinking about securing login (only used for administration).

If I could, I'd install a CACert or self-signed SSL certificate, since for now I'll be the only one logging in, but my host isn't too accommodating.

Are there any reasonable options for securing the site without SSL? I've been thinking about options for authentication:

  1. Implement a salted hash in JavaScript. When the login page is loaded, generate a salt server-side. Send it to the client in the clear and store it in a session variable.

  2. Digest authentication. I just found this idea browsing SO, and it's probably a lot more reasonable than rolling my own auth.

  3. OpenID. It's an open standard, no passwords are required (and I can "hijack" my OpenID provider's SSL to add security to the login process), but I have no idea how OpenID works or how secure it is. (Needs research. For example, can an OpenID authentication be replayed?)

The problem with all of these is that:

  • Sessions can be hijacked
  • Only login is secure, everything else is in the clear

The only option I can think of for securing the app after login is some disgusting JavaScript and PHP sending encrypted blobs of ASCII back and forth. I don't want to do this.

Is there any encryption (for pageloads and POSTs) that can be implemented in my server-side scripting language of choice without the blessing or involvement of my host, but that would be supported by the browser? Can sessions be secured from hijacking (practically) without SSL?

What would you do in a situation like this?

s4y asked Aug 31 '09 05:08


1 Answer

You can securely authenticate without needing to implement protection against eavesdropping. For example, you can prevent others from sending requests, even though they can read the contents of your requests. If you need to protect against eavesdropping, I'd recommend just going somewhere where you can use SSL.

If you just need simple authentication without real security, your provider will probably support HTTP Basic. This (along with a good design which limits capabilities, and backups ;) is a reasonable interim solution while you worry about other problems.

For authenticating your identity, OpenID can't be replayed. Each authentication sequence is signed. However, OpenID by itself only lets you establish your identity with the server. It won't let you sign or otherwise authenticate a request. OAuth would, but it requires transport encryption for part of the protocol.

You could sign each request with a shared secret. This would prevent an attacker from submitting or replaying a request, but the requests themselves can still be read by an eavesdropper. See the documentation for Amazon AWS authentication (which includes client libraries) or Flickr's authentication. The basic protocol is:

  • require a timestamp (and probably a nonce) as request parameters
  • normalize, sort, concatenate all request parameters
  • concatenate with URI, host, verb, etc.
  • hash with secret key
  • send hash in header with request
  • server does the same and compares signature
Karl Anderson answered Sep 24 '22 05:09
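The six-step request-signing protocol in the answer above, written out as an added example (not code from the question, the answer, AWS or Flickr). Both sides are shown: a client signer that adds a timestamp and nonce and computes an HMAC-SHA256 over the canonical string, and a server verifier that recomputes the signature, enforces a freshness window and rejects reused nonces. The shared secret, host, path, parameter values and the `X-Signature` header name are constructed for the demo and are not taken from any real service; the code runs offline.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed demo secret. In a real deployment it is provisioned out of band
# (e.g. set in a config file on both ends) and never travels over the wire.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
TIMESTAMP_WINDOW_SECONDS = 300  # how far a request timestamp may drift from server time


def canonical_string(method, host, path, params):
    """Steps 2-3: sort and percent-encode the parameters, then join with verb, host and URI.

    Both sides must build exactly this string, byte for byte, or signatures never match.
    """
    sorted_params = sorted((k, str(v)) for k, v in params.items())
    return "\n".join([method.upper(), host.lower(), path, urlencode(sorted_params)])


def sign_request(secret, method, host, path, params, *, now=None, nonce=None):
    """Client side, steps 1, 4 and 5: add timestamp + nonce, HMAC the canonical string,
    and return (parameters to send, headers to send)."""
    signed = dict(params)
    signed["timestamp"] = str(int(now if now is not None else time.time()))
    signed["nonce"] = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, host, path, signed).encode(), hashlib.sha256)
    # The signature travels in a header (assumed name); the parameters travel in the clear,
    # so an eavesdropper can still read them, exactly as the answer warns.
    return signed, {"X-Signature": mac.hexdigest()}


class Verifier:
    """Server side, step 6: rebuild the canonical string, recompute the HMAC and compare.

    Also enforces the timestamp window and remembers nonces inside that window so a
    captured request cannot simply be resent."""

    def __init__(self, secret, window=TIMESTAMP_WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen_nonces = {}  # nonce -> timestamp it was used with

    def verify(self, method, host, path, params, headers, *, now=None):
        now = now if now is not None else time.time()
        try:
            ts = int(params["timestamp"])
            nonce = params["nonce"]
            provided = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing timestamp, nonce or signature"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        # Forget nonces older than the window so the table stays bounded.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= self.window}
        expected = hmac.new(self.secret, canonical_string(method, host, path, params).encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time compare, and check the signature before touching the nonce table
        # so unsigned junk cannot fill it.
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = ts
        return True, "ok"


def demo():
    """Exercise the protocol: a fresh request, a replay, a tampered body and a stale request."""
    now = 1_700_000_000  # fixed clock so the run is deterministic
    host, path = "admin.example.test", "/posts"  # constructed values
    verifier = Verifier(SHARED_SECRET)

    params, headers = sign_request(SHARED_SECRET, "POST", host, path,
                                   {"title": "Hello", "body": "first post"}, now=now, nonce="n1")
    first = verifier.verify("POST", host, path, params, headers, now=now + 1)
    replay = verifier.verify("POST", host, path, params, headers, now=now + 2)

    tampered = dict(params)
    tampered["body"] = "defaced"  # eavesdropper can read it, but cannot re-sign it
    tampered_result = verifier.verify("POST", host, path, tampered, headers, now=now + 3)

    old_params, old_headers = sign_request(SHARED_SECRET, "POST", host, path,
                                           {"title": "Old"}, now=now - 1000, nonce="n2")
    stale = verifier.verify("POST", host, path, old_params, old_headers, now=now)

    return {"first": first[1], "replay": replay[1],
            "tampered": tampered_result[1], "stale": stale[1]}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The nonce table is per process; behind several web workers it would need to live in shared storage (a database table keyed by nonce, expired by timestamp) for the replay check to hold. The timestamp window also means both ends need reasonably synchronised clocks.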