Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

I\'ve got a website and I would like the users to be able to login securely but

ID: 657903 • Letter: I

Question

I've got a website and I would like the users to be able to login securely but I don't want to spend any money on SSL / certificates and I would like to stay anonymous i.e. not give the certificates people my personal details.

I've been reading around on some ways to do this, the best solution i've found is using a javascript library called jCryption that encrypts between client and server, but the encryption is in the hands of the users then.

The reason why I'm doing this cheap is because a) to get proper SSL you need the certificate, a static IP and an upgraded server account ... all of which cost money and b) because not many people will be logging in and c) the data isn't really 'top secret' stuff, I just don't want password flying through the internet in plaintext.

Is it feasible to encrypt html login forms between the client and server? If I did do this would the data be reasonably safe or could any script kiddy break it?

Explanation / Answer

What you want is not possible, because there is no established trust relation between client and server and plain HTTP can not provide a secure way to establish this trust. Only HTTPS provides thus trust by checking the servers certificate against local trust anchors at the client, that is it infers the new trust from trust settings already built into the browser.

Without such trust between client and server you are open to man-in-the-middle attacks, where the attacker claims to be the server against the client and claims to be the client against the original server. In this case the encryption will be done between your client and the attacker, which then can decrypt the data, manipulate the data and forward the data encrypted to the real server. Such man-in-the-middle attacks are easily done in lot of networks (like public WLAN and most smaller LANs too).

While you might try to use a pre-shared secret to use instead of certificates it has the same problem: the secret somehow needs transferred between client and server and as long as this connection is open to manipulation (plain HTTP) the attacker can get and manipulate the shared secret. Even anonymous key exchange methods like Diffie-Hellmann can not protect against this.

Related Questions

I\'ve developed some software within my company and we have agreed that the futu
Question #659572
I\'ve developed the standard ELO implementation that can be found here, but the
Question #644361
I\'ve did what I could to work on this website that should focus on appealing to
Question #3835765
I\'ve did what I could to work on this website that should focus on appealing to
Question #3837090
I\'ve done 1-2, and I\'ve tracked the file in 3. I do not understand how to \"re
Question #3743390
I\'ve done a complex number class and have a demo it runs with but I need to cre
Question #3642616
I\'ve done countless hours of research, tried tens of programs, and have yet to
Question #661284
I\'ve done part 1 and 2 and now I\'m stuck on part 3. This pseudo code is going
Question #3527007
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
I\'ve got a web based system where a specific site only shall be available on a
Next
I\'ve got an ASP Classic system that passes around sequential ids corresponding

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.