 

What is the best way to send web form authentication data over HTTP?

A company I know is in discussions to firm up its password security policy across all its web application products.

Right now they are sending username / password authentication in POST forms over HTTP, and thus, they are being sent plaintext.

The simplest solution to the problem is simply to require HTTPS for logon across all our applications, right?

Well, there's some internal discussion about instead doing some kind of roll-our-own client-side encryption of passwords (password + salt, etc.).

Is there an accepted HTTP-only solution?

Opinions are like... well, everyone has an opinion, so I'm looking for credible security literature that can support your recommendation. Don't just google and send me to a blog post... I've already done that and further.

I have found OWASP's recommendations: http://www.owasp.org/index.php/Top_10_2007-A7#Protection

As well as Microsoft's: http://msdn.microsoft.com/en-us/library/aa302420.aspx

EDIT: Giving your recommendation for using SSL isn't enough. I need some kind of supporting documentation. I KNOW that rolling our own client side encryption is bad. I need to be able to credibly sell that to co-workers and management.

Also, HTTP Digest has been mentioned. Seems nice, but Digest is ONLY for HTTP authentication, and not for data sent over POST.

asked Apr 03 '09 19:04 by danieltalsky


1 Answer

I highly recommend against going with your own solution (in security sensitive environments). Go with SSL. It's a proven technology and it's easy to implement.

Rolling your own security solutions can be really dangerous and even if it's implemented properly (0.000001% chance), it will be expensive.

answered Sep 28 '22 11:09 by mmx
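The following is an added example, not code from the question or the answer above. It simulates the "roll-our-own client-side hashing" idea the question mentions so the objection can be shown to colleagues rather than asserted: a passive sniffer on plain HTTP replays the captured hash as-is, a server nonce stops that replay, but the value the server then stores is password-equivalent, so anyone who reads it (a database dump, a backup) logs in without ever learning the password. The salt, user record and password are constructed for this demo; `HashOnlyServer`, `NonceServer` and `sniff` are illustrative names, not anything from the original post.

```python
"""Added example (not from the original Q&A): why client-side hashing over
plain HTTP does not substitute for TLS. Everything here is constructed."""
import hashlib
import hmac
import secrets

SITE_SALT = "constructed-static-salt"        # assumption: one salt baked into the login page
PASSWORD = "correct horse battery staple"    # constructed test credential


def client_side_hash(salt: str, password: str) -> str:
    """What the browser would compute and POST instead of the cleartext password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


class HashOnlyServer:
    """Stores sha256(salt||password) and compares it to the POSTed field."""

    def __init__(self) -> None:
        self.users = {"alice": client_side_hash(SITE_SALT, PASSWORD)}

    def login(self, form: dict) -> bool:
        stored = self.users.get(form.get("username", ""))
        if stored is None:
            return False
        return hmac.compare_digest(stored, form.get("password_hash", ""))


class NonceServer(HashOnlyServer):
    """Challenge-response variant: proof = sha256(nonce || sha256(salt||password))."""

    def __init__(self) -> None:
        super().__init__()
        self.outstanding = set()             # nonces issued but not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, form: dict) -> bool:
        stored = self.users.get(form.get("username", ""))
        nonce = form.get("nonce", "")
        if stored is None or nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)      # single use: replaying the same POST fails
        expected = hashlib.sha256((nonce + stored).encode()).hexdigest()
        return hmac.compare_digest(expected, form.get("proof", ""))


def sniff(form: dict) -> dict:
    """Over plain HTTP the POST body is visible; the attacker keeps a byte-exact copy."""
    return dict(form)


def replay_against_hash_only() -> tuple:
    """Returns (legitimate login ok, replay of the sniffed POST ok)."""
    server = HashOnlyServer()
    form = {"username": "alice", "password_hash": client_side_hash(SITE_SALT, PASSWORD)}
    captured = sniff(form)
    return server.login(form), server.login(captured)


def replay_against_nonce() -> tuple:
    """Returns (legitimate login ok, replay of the sniffed POST ok)."""
    server = NonceServer()
    nonce = server.challenge()
    proof = hashlib.sha256((nonce + client_side_hash(SITE_SALT, PASSWORD)).encode()).hexdigest()
    form = {"username": "alice", "nonce": nonce, "proof": proof}
    captured = sniff(form)
    return server.login(form), server.login(captured)


def pass_the_hash_against_nonce() -> bool:
    """Attacker holds only the stored hash (e.g. from a DB dump), never the password."""
    server = NonceServer()
    stolen = server.users["alice"]
    nonce = server.challenge()
    proof = hashlib.sha256((nonce + stolen).encode()).hexdigest()
    return server.login({"username": "alice", "nonce": nonce, "proof": proof})


if __name__ == "__main__":
    print("hash-only  (legit, replay):", replay_against_hash_only())      # (True, True)
    print("nonce      (legit, replay):", replay_against_nonce())          # (True, False)
    print("nonce, attacker with stolen hash:", pass_the_hash_against_nonce())  # True
```

Two caveats the simulation cannot show but that matter when making the case internally: an active attacker on plain HTTP does not need to break the hashing at all, because the login page and its JavaScript are also delivered unencrypted and can be rewritten to post the cleartext password; and even the nonce variant leaves everything after login (session cookie, form data) exposed. Transport encryption addresses all of these at once, which is why both cited documents recommend it.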