
HTML protect password fields

I am working on a website and I want to provide the most secure communication, but I cannot afford to spend much on it.

It is about the following: <input type='password' name='password'>

They will normally be sent as plain text over the transport protocol.
I just have some cheap hosting for €1 per month and I cannot really 'afford' (with respect to the website's donations and the importance of security) an SSL certificate for all subdomains for 8,50€ per month.

So I am wondering now, what are my options to prevent the password being sent as plain text? Actually it doesn't matter that it is being sent as plain text, it should just not be readable by anyone else than the browser and the server, but I guess that is always possible with plain text.

I'm also doing live server side validation on input fields through AJAX, and there are checks on the password length, etc. for example. So I'd still have access to that data, if it even makes sense.

I have access to, for example, HTML, JavaScript/jQuery, PHP, AJAX and possibly more languages if needed.

If all you need is encryption to hide your communication from eavesdroppers, you do not need SSL. As I see it, the main feature of SSL and certificates is the authentication: your clients know that they are really surfing to your site (and not to some phishing site, for example). The authentication also helps against a Man In The Middle (MitM) attacker.

If you want to hide the passwords from eavesdroppers, send some public key, and send the passwords encrypted with this public key. As long as you are the only one who knows the private key, and your client really received your public key, it should be enough.

Notice that the above solution DOES NOT work against MitM: such an attacker can just change the public key that is sent to the client to its own public key, so that the attacker can decrypt the encrypted password (as he knows the private key of the new public key). If you use SSL, then your client can verify that your public key is really yours (it is signed by the Certificate Authority).

So I recommend you search for how to implement public key operations in JS.
