German Geek wrote:

> What do you think?

I think just use a flippin' SSL server and be done with it.

When I go to a website that requires me to let them execute JavaScript I rarely go back.

You can use SSL for the login and only the login. I know that it means either using a self-signed cert or paying big bucks; for anything with e-commerce you want to pay big bucks for a cert, there is no other option. For anything not e-commerce, using a self-signed cert seems a lot more secure to me than having the browser grab some salt off your server, use JavaScript to encrypt the pass, and then send it back.

Public / private key is the way to go, and a self-signed cert still gives you that. The only issue is the user gets a warning the first time they connect to the server and has to manually accept your cert.

You may make the password a little more difficult to sniff by sending some salt to the client and using JS to make a password hash, but the bottom line is a user has no reason to trust a login is secure if you don't use SSL and every reason not to trust that it is secure. So use SSL if you want to provide secure login, and don't cripple your site by having the audacity to require users to allow you to execute code on their machine in order to use your website. It will drive some users away.

Not exactly what you asked, but it is my opinion.

PHP General Mailing List