Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw

Re: cgi and https (mildly off topic)

by IlyaM (Parson)
on Nov 27, 2001 at 08:51 UTC ( #127723=note: print w/replies, xml ) Need Help??

in reply to cgi and https (mildly off topic)

HTTPS and HTTP authorization with .htaccess and .htpasswd are not mutually exclusive thigs.

HTTPS provides SSL layer for data transfers between server and client. SSL itself prevents third party from sniffing this network traffic and can give client guarantee that server haven't been substituted by another by "cracker". However it doesn't provides authorization of client.

HTTP authorization with .htaccess and .htpasswd can be used for authorization of clients. It is based on protocol which passes password and username as clear text (well, not clear text but something which can be easily decoded). So without additional layer of enryption (like SSL) it is easy target for sniffer attacks.

Please note that HTTP authorization is not the only way to do client authorization (but propably simpliest to setup since it doesn't require any coding). It is common to use cookies for this task for example (like Perlmonks website does).

What you need is probably both SSL and some method of client authorization (for example - HTTP authorization).

As for using javascript in the webpages to encrypt the password. Well, since you have not gave any details about it I can't say that it is insecure. But unless you use some kind of asymmetric cryptography it will be always subject of sniffer attacks. Do you?

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://127723]
and the fire pops...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (5)
As of 2018-02-20 20:34 GMT
Find Nodes?
    Voting Booth?
    When it is dark outside I am happiest to see ...

    Results (274 votes). Check out past polls.