Meghadri Ghosh wrote:
> SSL would probably be the most practical solution, and would be acceptable
> to the clients of the products. I have not done much work in Java or
> Javascript, but I am not sure how the arithmetic required for the encryption
> code could be managed in Javascript. (Implement it in an applet, instead?).
> I have tinkered around with n-bit arithmetic in C/C++, and felt never too
> sure whether the implementation was correct through the range of numbers
> covered by the bit length :)
>
> Could the Javascript be hidden, at least at a superficial level, by defining
> it in a separate file which is included via the SRC tag, or using
> document.write(...). It has been my observation that viewing the source from
> the browser simply displays these including tags, and not the script code.
>
Let's step back for a moment, and review the goal here. The only reason to
bother encrypting the password at all is if you're concerned about someone
snooping, and then impersonating you.

Anyone who can snoop your password is also not going to have any problem
snooping the downloaded page (with its embedded JavaScript or Java applet --
decompiling byte codes is pretty simple), as well as the encrypted byte stream
you send back to the server, and can therefore crack whatever encryption
algorithm you are using. To say nothing of the fact that just encrypting the
password leaves all of your other precious data going back and forth in
cleartext .....

If this is a serious issue for your application, use SSL. The half measures
towards encryption are not worth the effort, and are also a little dangerous
because they give you a false sense of security.
>
> - meghadri
>
Craig McClanahan
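
Added example, not part of the original message: a model of the exchange discussed above, showing what a passive observer of a cleartext connection holds when the page ships its own password-encoding script. The XOR transform, the key, the password and all function names are constructed for illustration, and the server is assumed to compare against a stored password.

```javascript
// Constructed sample: key, password and every name here are hypothetical.

// What the server sends to every browser. Moving this into a separate
// SRC file changes nothing: that file crosses the same cleartext link.
const pageScript = {
  key: "k3y-in-page-source",
  encode(pw) {
    // XOR each character with the repeating key and emit two hex digits.
    return Array.from(pw, (c, i) =>
      (c.charCodeAt(0) ^ this.key.charCodeAt(i % this.key.length))
        .toString(16).padStart(2, "0")).join("");
  },
};

// Inverse of encode(): the server needs it, and it follows from the script.
function decode(hex, key) {
  const bytes = hex.match(/../g) || [];
  return bytes.map((h, i) =>
    String.fromCharCode(parseInt(h, 16) ^ key.charCodeAt(i % key.length))
  ).join("");
}

// Server-side check: decode the submitted value and compare.
function serverLogin(blob, stored = "correct horse") {
  return decode(blob, pageScript.key) === stored;
}

// One login over plain HTTP, as recorded on the wire: the page and the POST.
function captureExchange(password) {
  return { page: pageScript, postBody: pageScript.encode(password) };
}

// What the recording alone is worth.
function observerView(capture) {
  return {
    // The encoded value is itself the credential: the server accepts it again.
    replayAccepted: serverLogin(capture.postBody),
    // The captured script carries the key, so the encoding is reversible.
    recovered: decode(capture.postBody, capture.page.key),
  };
}
```

The replay result holds for any fixed encoding, however strong the arithmetic; only protecting the whole connection with SSL removes the recording in the first place.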