http://www.perlmonks.org?node_id=73606

Mission has asked for the wisdom of the Perl Monks concerning the following question:

I've been reading for the past two days on CGI.pm and more specifically on encryption / security. I'm to the point that I think I've "Got It!", but I'd rather post my thoughts (*after reading a bit*) and see if others can verify what I suspect regarding login encryption.
To the best of my knowledge (*and please educate me if I'm off base*) the problem with encrypting a username / password login is that the login has already been submitted over the 'net' clear text to the server before the

    use CGI;
    my $query = CGI->new;
    if ($query->param('submit')) {
        # encryption
    }

is called. Therefore encrypting using the submit button is too late.
I know that one option is to have a secure server connection (https); however, that isn't an option with my current server situation at work. My end goal is just to avoid sending the login clear text.
So I deduce that the only method then is to encrypt client side with JavaScript before the server gets ahold of it. Of course then the problem is that EVERYONE (and their dog) can just look at the source and figure out your encryption methods (again, not secure.)
That's my understanding so far from reading all kinds of posts on security, cookies, encoding etc. With all of that said I have two questions:
  1. Am I right in my understanding of what is happening?
  2. What are the options for password protection to avoid sending clear text?
BTW: If anyone wants advice on security in general, just type 'security' in the search box and read for a couple of days (that's what I did.) Thanks to all who posted in the past. Your posts saved me tons of time and I appreciate it.

- Mission
"Heck I don't know how to do it either, but do you think that's going to stop me?!!"