Baruch Even <[EMAIL PROTECTED]> wrote:
>
>* Ian Bicking <[EMAIL PROTECTED]> [011012 00:06]:
>> After reading your article, a non-SSL solution occurred to me. You
>> can implement MD5 on the client through Javascript (see
>> http://pajhome.org.uk/crypt/md5/md5src.html), and it's not even a very
>> long bit of code. It should be easy to send the salt as a hidden
>> field in the form, then onSubmit do a bit of code to hash the password
>> with the salt and delete the plaintext password.
>
>It is a possibility, and I've used it on a site I built, but it depends
>on Javascript, which might not be enabled by default (I disable it
>when I browse, unless I have to). And MD5 in Javascript can be slow,
>at least it was slow on the computers I needed it to run.

I once worked on an application where a secure login solution without SSL was required. It was decided that a Java applet should be employed to do the appropriate password encryption/hashing (I can't remember the details now), although this obviously meant that users needed to have Java enabled; this was something that we could do, however, since the user community was a captive audience.

The whole non-SSL requirement originated from French government restrictions on encryption which were subsequently removed, although given the cross-border nature of the organisation in question and the need for encryption principally existing only amongst Internet-based users (as opposed to intranet-based users), I'm sure some more inventive methods could have been used to employ any encryption services in Switzerland...

Paul
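
The salted-hash login described in the quoted text above, sketched as an added example; it is not code from anyone in this thread. It uses Node's built-in MD5 in place of the linked JavaScript MD5 script, and it assumes the server issues a fresh single-use salt per login form and holds the password (or an equivalent secret) so it can recompute the hash. The function names and the sample account are hypothetical.

```javascript
// Added example: salted-hash login without SSL, as described in the quoted text.
// issueSalt, clientResponse and verifyLogin are hypothetical names.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const md5hex = (s) => createHash('md5').update(s, 'utf8').digest('hex');

// Constructed sample account store. Assumption: the server can recompute
// the hash, so it holds the password (or an equivalent secret) itself.
const accounts = new Map([['alice', 'correct horse']]);

// Salts handed out in login forms and not yet used.
const pendingSalts = new Set();

// Server: value for the hidden form field. Random and single-use.
function issueSalt() {
  const salt = randomBytes(16).toString('hex');
  pendingSalts.add(salt);
  return salt;
}

// Client (onSubmit): hash salt + password. Only this hash is submitted;
// the plaintext password field is cleared before the form is sent.
function clientResponse(salt, password) {
  return md5hex(salt + password);
}

// Server: compare the submitted hash with its own computation.
function verifyLogin(user, salt, response) {
  // A salt is accepted once, so a hash captured on the wire cannot be resubmitted.
  if (!pendingSalts.delete(salt)) return false;
  const password = accounts.get(user);
  if (password === undefined) return false;
  const expected = Buffer.from(md5hex(salt + password), 'hex');
  const got = Buffer.from(String(response), 'hex');
  // timingSafeEqual throws on a length mismatch, so check the length first.
  return got.length === expected.length && timingSafeEqual(got, expected);
}

function demo() {
  const salt = issueSalt();
  const sent = clientResponse(salt, 'correct horse');
  const first = verifyLogin('alice', salt, sent);   // fresh salt, right password
  const replay = verifyLogin('alice', salt, sent);  // same submission again
  const salt2 = issueSalt();
  const wrong = verifyLogin('alice', salt2, clientResponse(salt2, 'guess'));
  return { first, replay, wrong };
}
```

Because the server recomputes the hash from the stored secret, that stored value is as sensitive as the password itself.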
