
sharing secret without ssl

by Sixtease (Friar)
on Feb 11, 2011 at 12:54 UTC (#887611=perlquestion)
Sixtease has asked for the wisdom of the Perl Monks concerning the following question:

this is a general web-programming question

Dear monks,

Assume a web application has no SSL certificate and doesn't want one, but would still like to share a secret with the visitor
(like for generating nonces, so that sniffing the session cookie doesn't give an attacker the visitor's rights).

Q1: Do you see a way to exchange such a secret during OpenID login?
Assuming the OpenID provider uses ssl.

Q2: If it is not possible (like I think), what other ways do you see?
My idea is to start a dedicated, open web service that will have an SSL certificate and will let the client share a secret with a specified service. A Catalyst controller could look like this:

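    sub index :Private {
        my ($self, $c) = @_;
        # random_string() and $lwp_ua are assumed to be defined elsewhere
        my $secret = random_string();
        my $other_side = $c->req->params->{other_side};
        # hand the secret to the other service, then return it to the client
        my $res = $lwp_ua->get("$other_side?secret=$secret");
        if ($res->is_success) {
            $c->response->body($secret);
        }
    }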

Ideas? Does this already exist? Sorry for posting such a non-Perl-specific question / rambling.

use strict; use warnings; print "Just Another Perl Hacker\n";

Replies are listed 'Best First'.
Re: sharing secret without ssl
by moritz (Cardinal) on Feb 11, 2011 at 13:21 UTC

      True, I just realized I can simply use Diffie-Hellman or the like.

      I consider this question solved.

      use strict; use warnings; print "Just Another Perl Hacker\n";
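
The Diffie-Hellman approach mentioned in the reply, as an added example that is not code from this thread (written in Python, since the question is not Perl-specific): both sides derive a per-session key from public values only, and the client uses it to MAC each request together with a single-use server nonce, so a sniffed session cookie alone is not enough. The function and class names are hypothetical, and unauthenticated Diffie-Hellman over plain HTTP only protects against passive sniffing, not against someone who can modify the traffic.

```python
import hashlib, hmac, secrets

# RFC 3526 group 14: public 2048-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    """One side's (private exponent, public value); only the public value is sent."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_shared_key(priv, peer_pub):
    """Derive a 32-byte MAC key from the peer's public value."""
    if not 1 < peer_pub < P - 1:  # reject degenerate values 0, 1, P-1
        raise ValueError("bad DH public value")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(256, "big")).digest()

def sign_request(key, nonce, method, path, body=b""):
    """HMAC over nonce, method, path and body (body last, so the separator is unambiguous)."""
    msg = b"\n".join([nonce, method.encode(), path.encode(), body])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Server:
    """Per-session key plus the set of nonces issued but not yet used."""
    def __init__(self, key):
        self.key, self.pending = key, set()

    def issue_nonce(self):
        nonce = secrets.token_hex(16).encode()
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, method, path, body, tag):
        if nonce not in self.pending:
            return False              # unknown or already used: replay
        self.pending.discard(nonce)   # each nonce is single use
        return hmac.compare_digest(sign_request(self.key, nonce, method, path, body), tag)
```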
