Poor man's SSL

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Poor man's SSL

Post by alex.barylski »

Has anyone ever successfully used a public key encryption library in JavaScript/PHP and used it to implement a poor man's SSL?

I want users to login but the login.php script is in the same directory as the root of the site. Obviously I don't want SSL protection on page request but strictly for that single file.

Can SSL be used on a single file despite residing in a directory which houses other (non-SSL required) pages?

Edit: If you have used a JavaScript/PHP combo library please also indicate the URL so I can quickly and easily download it and begin using it, thanks :)
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Look at Challenge-Response authentication. I believe there was once a thread created here about it. You can easily do challenge-response with JS/PHP. Essentially:

1. Server produces a unique string (based on time and hostname maybe?) then adds it to a session var
2. Unique string sent to client as a challenge (hidden text field should suffice, it doesn't have to be secret)
3. Client reads user's password then combines it with the challenge, before finally hashing it, MD5 and sending only the hash back to the server (response)
4. Server performs the equivalent hashing algorithm using the challenge it stored in the session and sees if it matches the response. If so, success.

It's just a basic way to eliminate plain-text passwords being sent. Easy to implement too.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

With one big minus: requires JavaScript :(

P.S Yes, there is a thread created by Maugrim here on PHPDN.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Oren wrote:With one big minus: requires JavaScript :(

P.S Yes, there is a thread created by Maugrim here on PHPDN.
I've implemented it with graceful fallback to plain-text before. It just means users running JS get better security :)
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

d11wtq wrote:It just means users running JS get better security :)
Yeah... I know. I just thought I'd mention that.

Edit: You can find his tutorial here: viewtopic.php?t=38810
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

d11wtq wrote:Look at Challenge-Response authentication. I believe there was once a thread created here about it. You can easily do challenge-response with JS/PHP. Essentially:

1. Server produces a unique string (based on time and hostname maybe?) then adds it to a session var
2. Unique string sent to client as a challenge (hidden text field should suffice, it doesn't have to be secret)
3. Client reads user's password then combines it with the challenge, before finally hashing it, MD5 and sending only the hash back to the server (response)
4. Server performs the equivalent hashing algorithm using the challenge it stored in the session and sees if it matches the response. If so, success.

It's just a basic way to eliminate plain-text passwords being sent. Easy to implement too.
Yeah, I remember that article by Maugrim... only glanced over it though... didn't really get the point, but you cleared that up nicely. :)

Thanks, I'll look into it.

Edit: After some more research sounds like SSL is the way to go. I really hate those dialog confirmation boxes but it sounds like you can generate your own self-signed certificate, in which case that dialog wouldn't popup. :)

I can move the script to a sub domain like: https://login.domain.com and that should work nicely. :)

Now I just have to learn how to setup SSL :P
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Why wouldn't you just go to GoDaddy and get a real SSL cert for like $17 and put that up. If you are really not concerned about security to the point that you are willing to roll your own cert.

And SSL typically runs out of port 443, not port 80, so there is usually a virtual server setup for *:443 that houses the secure files, so I don't think technically secure and insecure documents would live in the same directory tree unless you point *:80 and *:443 to the same directory, which in my opinion you should not do.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

You can generate your own self-signed certs using cPanel.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

You can do it at the CLI in Linux too if you have the right tools (which most distros come with out of the box).
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Hmmmm... makes sense. About the ports and all :)

I thought a signed cert. was simply to avoid that dialog popup and if someone checked it would be from a recognized "provider"?

In this case, it's simply to login users to an admin panel for their web sites. No need for validity in cert. names I just want to secure the connection for my servers own well being...
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Poor man's SSL

Post by Christopher »

Hockey wrote:I want users to login but the login.php script is in the same directory as the root of the site. Obviously I don't want SSL protection on page request but strictly for that single file.

Can SSL be used on a single file despite residing in a directory which houses other (non-SSL required) pages?
Huh?!? No "protection" on the request, but "protection" on a file?!? What the heck are you talking about?!? And what does "protection" mean?

HTTPS is a scheme to transport HTTP over SSL. Because it is a scheme, you specify in the URI which transport you want. That means one file/page or any mix. Stop trying to implement your own Protect-O-nator and configure your web server for HTTPS -- it is really easy to do and can be done for free. Good grief!