Rene Veerman <rene7...@gmail.com> writes:

> Recently, on both the jQuery(.com) and PHP mailing lists, a question has
> arisen on how to properly secure a login form for a non-SSL web application.
> But the replies have been "get SSL".. :(
>
> I disagree, and think that with a proper layout of authentication
> architecture, one can really secure a login system without having the
> administrative overhead of installing SSL everywhere, and the monetary cost
> of an SSL certificate for each domain.
>
> [...]
>
> I'm halfway (or more?) there, I think. For my own CMS, I have taken the
> following approach, which I'd like to hear your improvements on:
Go out and get a copy of "Network Security" by Kaufman, Perlman and Speciner; this has an entire chapter that discusses this issue, including the pros and cons of different approaches and all the ways you can get it wrong (oh, and it's written for a non-security-geek audience). I think any discussion here will end up being mostly a rehash of bits of the chapter; their version goes into much more detail and has diagrams to boot.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com