Secure login credentials without using SSL

I am new to SSL. From what I have read and know, it is a paid digital certificate, and after using SSL on a website (https://) the data transfer is secure at the network layer.

In my application I don't have much of a security concern except the login name and password.

Is there any way to protect the login name and password without using SSL (https://)?

Hemant Kothiyal asked Jul 23 '09 10:07



4 Answers

There are a number of authentication schemes which can work securely over plain HTTP. The most common of these is Digest, which is supported by all major web browsers and virtually every web programming framework.

The downside of using Digest for web sites is that:

  • The authentication is handled by the browser itself rather than a login page on the web site, which doesn't look nearly as nice, and doesn't allow you to have all the surrounding helper functions like "forgot your password?" that we've come to expect nowadays.

  • If you have no SSL connection, savvy users may feel worried that they are sending their password insecurely (even though they aren't) because they've been trained to look for an SSL connection when entering credentials.

There are other schemes such as OAuth which are also safe over plain HTTP, but that is really more for APIs than web sites, so it probably isn't what you want.

Greg Beech answered Oct 12 '22 19:10
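The Digest challenge-response scheme the answer above refers to (RFC 2617, qop=auth), as an added example that is not part of the original answer: the client hashes the password together with a server-issued nonce, so only that hash travels over plain HTTP, and the server stores HA1 rather than the password and consumes each nonce once. The realm, usernames, nonces and passwords used here are constructed sample values.

```python
import hashlib
import secrets


def _md5_hex(*parts: str) -> str:
    """RFC 2617 H() over the colon-joined parts, as a hex string."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1_for(username, realm, password):
    """HA1 = MD5(username:realm:password). The server stores this, not the password."""
    return _md5_hex(username, realm, password)


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """The 'response' field of an Authorization: Digest header (qop=auth):
    HA2 = MD5(method:uri); response = MD5(HA1:nonce:nc:cnonce:qop:HA2).
    Only this hash crosses the wire; the password itself never does."""
    ha2 = _md5_hex(method.upper(), uri)
    return _md5_hex(ha1, nonce, nc, cnonce, qop, ha2)


class DigestVerifier:
    """Minimal server side: issue single-use nonces and check a client's response.
    Credentials passed in are constructed sample data (username -> HA1)."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.ha1_by_user = credentials      # username -> HA1, never plaintext
        self.live_nonces = set()            # nonces issued and not yet consumed

    def challenge(self):
        """Return a fresh nonce for a WWW-Authenticate: Digest challenge."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        """True only if the nonce was issued by us, is still unused, and the hash
        matches. Consuming the nonce defeats straight replay of a sniffed header;
        it does nothing against an active attacker who rewrites the HTTP page."""
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None or nonce not in self.live_nonces:
            return False
        self.live_nonces.discard(nonce)  # single use
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        return secrets.compare_digest(expected, response)
```

Digest only keeps the password off the wire; an attacker who can modify plain-HTTP traffic can still rewrite the page or the response, which is the point the next answer makes.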


There is NO alternative to HTTP security in a browser other than using SSL for every page where the user is logged in. Any other techniques are completely insecure and are nothing but layers of obscurity.

Any homebrew solution over HTTP is always vulnerable to MITM attacks, among other vulnerabilities.

Even with SSL, the login & session mechanism must be secure or it can be cracked using other exploits.

Monstieur answered Oct 12 '22 18:10


The certificate may be a self-signed one. It does not necessarily have to be a paid one :)

Chathuranga Chandrasekara answered Oct 12 '22 18:10


You can also try StartSSL.Org. I am using that currently and it works great, but it is somehow the same as cacert.org: they are not trusted by the browsers by default.

Zulfadly answered Oct 12 '22 17:10