Roland typed the following on 11:06 AM 1/3/2002 -0200
>I'm concerned about encrypting the Browser-->Container path. The problem 
>with my particular approach is that I will send a SHA-1 hash from the 
>browser to the container. 
... 
>That means that the Realm will only 
>receive a hash of the password (and the sessionId). 
...
>But what if SSL is not available? My idea is to provide an 
>encryption that is independent of any underlying technology.
...
>I knew that, but my point is really to encrypt the password at the browser, 
>so that it doesn't get sent over the internet in plain text format.

This seems pointless to me. If the server will authenticate based on receiving 
the hashed password+sessionId, then the black hats don't need the password, 
just the hash. If you're sending the hash in the clear, they can steal it and
hijack the session. There's little gain over sending a plaintext password,
other than limiting the window for exploitation by expiring the validity of the
hash.

Kief
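The point Kief makes, as an added example that is not part of the thread and not code from either poster: a Realm that accepts SHA-1(password + sessionId) will accept that same value again from whoever captured it, so the hash is as good as the password for the life of the session. The second half shows the only real improvement the reply allows for, limiting the validity of the value, done here by binding the hash to a server-issued nonce that is single-use and short-lived. The user table, the session id, the nonce TTL and the `NonceRealm` class are all assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential store (assumption; not from the thread).
# The Realm must hold the clear password to recompute the client's hash.
USERS = {"roland": "correct horse battery"}


def client_token(password: str, session_id: str) -> str:
    """The scheme as described in the thread: the browser sends SHA-1(password + sessionId)."""
    return hashlib.sha1((password + session_id).encode()).hexdigest()


def realm_verify(user: str, session_id: str, token: str) -> bool:
    """Realm recomputes the hash from the stored password and compares in constant time."""
    pw = USERS.get(user)
    if pw is None:
        return False
    return hmac.compare_digest(client_token(pw, session_id), token)


def replay_accepted() -> bool:
    """A token seen once on the wire verifies again unchanged: holding the hash equals
    holding the password for as long as the session id is valid."""
    session_id = "ABC123"  # constructed sample session id
    captured = client_token(USERS["roland"], session_id)
    first = realm_verify("roland", session_id, captured)
    second = realm_verify("roland", session_id, captured)
    return first and second


class NonceRealm:
    """Hardened variant (an assumption, not the poster's design): the server issues a
    random nonce per login attempt, the browser hashes password + nonce, and the Realm
    consumes the nonce on first use and refuses it after `ttl` seconds."""

    def __init__(self, ttl: float = 30.0, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable for testing expiry
        self._nonces = {}           # nonce -> (user, issued_at)

    def challenge(self, user: str) -> str:
        nonce = os.urandom(16).hex()
        self._nonces[nonce] = (user, self.clock())
        return nonce

    @staticmethod
    def token(password: str, nonce: str) -> str:
        return hashlib.sha1((password + nonce).encode()).hexdigest()

    def verify(self, user: str, nonce: str, token: str) -> bool:
        entry = self._nonces.pop(nonce, None)   # single use: gone after this call
        if entry is None:
            return False
        nonce_user, issued_at = entry
        if nonce_user != user or self.clock() - issued_at > self.ttl:
            return False
        pw = USERS.get(user)
        return pw is not None and hmac.compare_digest(self.token(pw, nonce), token)


def nonce_replay_rejected() -> tuple:
    """First presentation succeeds, the identical second presentation fails."""
    realm = NonceRealm()
    nonce = realm.challenge("roland")
    captured = NonceRealm.token(USERS["roland"], nonce)
    return realm.verify("roland", nonce, captured), realm.verify("roland", nonce, captured)


def expired_nonce_rejected() -> bool:
    """A valid token presented after the TTL is refused even on first use."""
    now = [1000.0]
    realm = NonceRealm(ttl=30.0, clock=lambda: now[0])
    nonce = realm.challenge("roland")
    token = NonceRealm.token(USERS["roland"], nonce)
    now[0] += 31.0
    return not realm.verify("roland", nonce, token)


if __name__ == "__main__":
    print("hash replay accepted by plain scheme:", replay_accepted())
    print("nonce scheme (first, replay):", nonce_replay_rejected())
    print("expired nonce refused:", expired_nonce_rejected())
```

The nonce only shrinks the replay window; it does nothing for the other half of the problem, since a captured SHA-1(password + nonce) still lets an eavesdropper guess the password offline, and the Realm must keep passwords recoverable to check it. That is why this remains a weaker fallback rather than a substitute for SSL.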

