http://www.perlmonks.org?node_id=1213490


in reply to Re: Monastery login over http
in thread Monastery login over http

Noted. But I did not encounter the problem in there. Perlmonks https works fine for me just now.

Maybe have the login form sent to client with added hidden field:

perlmonks_public_key.

Login form encrypts password on client-side using said key and all perlmonks' server has to do (wrt computational burden) is decrypt it. I think user passing his encrypted pass (by private key) was mentioned also here: We blame tye.

Please note, I realise that these are no real solutions (e.g. against man-in-the-middle) which cost zero and that I am very far away from being an expert in security. I am just trying to work out a way where passwords are not sent cleartext with minimal cost to perlmonks (wrt effort, cpu, money) and some real effort on the snooper's side to gain the password (which is not that important anyway).

I would hate my pub-lan-provider having a script saying

if( $bytes =~ /username=(.+?)&password=(.+?)/ ){ store_in_db_and_then_ +sell_to_usual_suspects($1,$2) && cash_out_money() && advertise_charit +y_donations() && sponsor_666_politician() && go_to_parliament_for_que +stioning() }

Replies are listed 'Best First'.
Re^3: Monastery login over http
by marto (Archbishop) on Apr 24, 2018 at 20:07 UTC

    When both webservers have the certificates then IIRC the plan is for everything to be over https.

      that's great.