Rene Veerman <> writes:

>Recently, on both the jQuery(.com) and PHP mailing lists, a question has
>arisen on how to properly secure a login form for a non-SSL web application.
>But the replies have been "get SSL".. :(
>I disagree, and think that with a proper layout of authentication
>architecture, one can really secure a login system without having the
>administrative overhead of installing SSL everywhere, and the monetary cost
>of an SSL certificate for each domain.
>I'm halfway (or more?) there, I think. For my own CMS, I have taken the
>following approach, which I'd like to hear your improvements on:

Go out and get a copy of "Network Security" by Kaufman, Perlman and Speciner;
it has an entire chapter that discusses this issue, including the pros and
cons of different approaches and all the ways you can get it wrong (oh, and
it's written for a non-security-geek audience). I think any discussion here
will end up being mostly a rehash of bits of that chapter; their version goes
into much more detail and has diagrams to boot.
