Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Ivan Krstić
On Feb 15, 2009, at 7:30 AM, Rene Veerman wrote: Recently, on both the jQuery(.com) and PHP mailinglists, a question has arisen on how to properly secure a login form for a non-ssl web-application. What's the threat model? users[user_id].user_login_hash = onewayHash(user_login_name + pref

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Erwan Legrand
Hi, > Recently, on both the jQuery(.com) and PHP mailinglists, a question has > arisen on how to properly secure a login form for a non-ssl web-application. > But the replies have been "get ssl".. :( What makes you think these are ill-advised? > I disagree, and think that with a proper layout of

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Lea Kissner
[Moderator's note: top posting is not considered good form. --Perry] Hi Rene, I suspect from reading this quickly that you may not be a cryptographer. I'd highly suggest that you borrow one for a bit before you go ahead with this. I'm having a bit of trouble reading exactly what you want to do, b

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Alexander Klimov
On Sun, 15 Feb 2009, Rene Veerman wrote: > Recently, on both the jQuery(.com) and PHP mailinglists, a question has > arisen on how to properly secure a login form for a non-ssl web-application. > But the replies have been "get ssl".. :( Unfortunately, they are right: get SSL. > If you have a comp

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Joseph Ashwood
- Original Message - From: "Rene Veerman" Sent: Sunday, February 15, 2009 4:30 AM Subject: how to properly secure non-ssl logins (php + ajax) I'm going to edit this, since I assume most of the code is completely irrelevant proposal: database stores Hash(password |

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Peter Gutmann
Rene Veerman writes: >Recently, on both the jQuery(.com) and PHP mailinglists, a question has >arisen on how to properly secure a login form for a non-ssl web-application. >But the replies have been "get ssl".. :( > >I disagree, and think that with a proper layout of authentication >architecture,

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Jeffrey I. Schiller
I think you are close, but are probably doing way too much work. First let's define a function HMAC_MD. HMAC is defined in RFC2104 and represents the current best current practice for using a hash to "sign" a data value. It takes: result = hmac_md(key, value) You can use hmac with MD5, SHA1, S

how to properly secure non-ssl logins (php + ajax)

2009-02-16 Thread Rene Veerman
Hi. Recently, on both the jQuery(.com) and PHP mailinglists, a question has arisen on how to properly secure a login form for a non-ssl web-application. But the replies have been "get ssl".. :( I disagree, and think that with a proper layout of authentication architecture, one can really secu