
sharing secret without ssl

by Sixtease (Friar)
on Feb 11, 2011 at 12:54 UTC ( #887611=perlquestion )
Sixtease has asked for the wisdom of the Perl Monks concerning the following question:

This is a general web-programming question.

Dear monks,

Assume a web application has no SSL certificate and doesn't want one. But it would still like to share a secret with the visitor
(like for generating nonces, so that sniffing the session cookie doesn't give an attacker the visitor's rights).

Q1: Do you see a way to exchange such a secret during OpenID login?
Assuming the OpenID provider uses ssl.

Q2: If it is not possible (like I think), what other ways do you see?
My idea is to start a dedicated, open web service that will have an SSL certificate and will let the client share a secret with a specified service. A Catalyst controller could look like this:

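    sub index :Private {
        my ($self, $c) = @_;
        # random_string() and $lwp_ua (an LWP::UserAgent) are assumed to be defined elsewhere
        my $secret     = random_string();
        my $other_side = $c->req->params->{other_side};
        # hand the secret to the other service, then return it to the client
        my $res = $lwp_ua->get("$other_side?secret=$secret");
        if ($res->is_success) {
            $c->response->body($secret);
        }
    }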

Ideas? Does this already exist? Sorry for posting such a non-Perl-specific question / rambling.

use strict; use warnings; print "Just Another Perl Hacker\n";

Re: sharing secret without ssl
by moritz (Cardinal) on Feb 11, 2011 at 13:21 UTC

      True, I just realized I can simply use Diffie-Hellman or the like.

      I consider this question solved.

      use strict; use warnings; print "Just Another Perl Hacker\n";
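
The Diffie-Hellman idea from the thread, as an added example that is not part of the original posts and not code from either poster: both sides agree on a key over the plain connection, then every request carries an HMAC tag and a counter, so a sniffed session cookie alone is not enough. It is written for Node.js; the function names, the label string and the request layout are assumptions made for illustration.

```javascript
// Added example, not from the thread. All names and the request layout are assumptions.
const { getDiffieHellman, createHmac, timingSafeEqual } = require('node:crypto');

// Each side makes a key pair on the RFC 3526 2048-bit MODP group.
function newParty() {
  const dh = getDiffieHellman('modp14');
  dh.generateKeys();
  return dh;
}

// Only public values cross the wire. HMAC-SHA256 with a fixed label turns
// the raw shared secret into a 32-byte MAC key.
function deriveKey(self, peerPublic) {
  const shared = self.computeSecret(peerPublic);
  return createHmac('sha256', 'request-mac-key').update(shared).digest();
}

// Client side: tag a request with a counter that never repeats.
function signRequest(key, counter, method, path) {
  return createHmac('sha256', key).update(`${counter}\n${method}\n${path}`).digest('hex');
}

// Server side: accept only a fresh counter with a matching tag.
function makeVerifier(key) {
  let lastCounter = 0;
  return function verify(counter, method, path, tagHex) {
    if (!Number.isInteger(counter) || counter <= lastCounter) return false; // replay
    const expected = Buffer.from(signRequest(key, counter, method, path), 'hex');
    const given = Buffer.from(String(tagHex), 'hex');
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
    lastCounter = counter;
    return true;
  };
}

// Constructed demo: both parties in one process, sample path is made up.
function demo() {
  const browser = newParty(), server = newParty();
  const kBrowser = deriveKey(browser, server.getPublicKey());
  const verify = makeVerifier(deriveKey(server, browser.getPublicKey()));
  const tag = signRequest(kBrowser, 1, 'POST', '/account/email');
  const wrongKeyTag = signRequest(Buffer.alloc(32), 2, 'POST', '/account/email');
  return {
    accepted: verify(1, 'POST', '/account/email', tag),
    replayed: verify(1, 'POST', '/account/email', tag),
    wrongKey: verify(2, 'POST', '/account/email', wrongKeyTag),
  };
}
console.log(demo());
```

This only resists passive sniffing: the exchange runs over plain HTTP with nothing authenticating the public values, so anyone able to alter traffic can substitute their own, which is the gap a TLS certificate closes.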
