Poor man's SSL
Posted: Thu Jun 21, 2007 1:18 pm
by alex.barylski
Has anyone ever successfully used a public key encryption library in JavaScript/PHP and used it to implement a poor man's SSL?
I want users to login but the login.php script is in the same directory as the root of the site. Obviously I don't want SSL protection on page request but strictly for that single file.
Can SSL be used on a single file despite residing in a directory which houses other (non-SSL required) pages?
Edit: If you have used a JavaScript/PHP combo library please also indicate the URL so I can quickly and easily download it and begin using it, thanks

Posted: Thu Jun 21, 2007 1:26 pm
by Chris Corbyn
Look at Challenge-Response authentication. I believe there was once a thread created here about it. You can easily do challenge-response with JS/PHP. Essentially:
1. Server produces a unique string (based on time and hostname maybe?) then adds it to a session var
2. Unique string sent to client as a challenge (hidden text field should suffice, it doesn't have to be secret)
3. Client reads user's password then combines it with the challenge, before finally hashing it, MD5 and sending only the hash back to the server (response)
4. Server performs the equivalent hashing algorithm using the challenge it stored in the session and sees if it matches the response. If so, success.
It's just a basic way to eliminate plain-text passwords being sent. Easy to implement too.
Posted: Thu Jun 21, 2007 1:33 pm
by Oren
With one big minus: requires JavaScript
P.S. Yes, there is a thread created by
Maugrim here on PHPDN.
Posted: Thu Jun 21, 2007 1:34 pm
by Chris Corbyn
Oren wrote:With one big minus: requires JavaScript
P.S. Yes, there is a thread created by
Maugrim here on PHPDN.
I've implemented it with graceful fallback to plain-text before. It just means users running JS get better security.

Posted: Thu Jun 21, 2007 1:39 pm
by Oren
d11wtq wrote:It just means users running JS get better security

Yeah... I know. I just thought I'd mention that.
Edit: You can find his tutorial here:
viewtopic.php?t=38810
Posted: Thu Jun 21, 2007 1:53 pm
by alex.barylski
d11wtq wrote:Look at Challenge-Response authentication. I believe there was once a thread created here about it. You can easily do challenge-response with JS/PHP. Essentially:
1. Server produces a unique string (based on time and hostname maybe?) then adds it to a session var
2. Unique string sent to client as a challenge (hidden text field should suffice, it doesn't have to be secret)
3. Client reads user's password then combines it with the challenge, before finally hashing it, MD5 and sending only the hash back to the server (response)
4. Server performs the equivalent hashing algorithm using the challenge it stored in the session and sees if it matches the response. If so, success.
It's just a basic way to eliminate plain-text passwords being sent. Easy to implement too.
Yeah, I remember that article by Maugrim... only glanced over it though... didn't really get the point, but you cleared that up nicely.
Thanks, I'll look into it.
Edit: After some more research it sounds like SSL is the way to go. I really hate those dialog confirmation boxes, but it sounds like you can generate your own self-signed certificate, in which case that dialog wouldn't pop up.
I can move the script to a sub domain like:
https://login.domain.com and that should work nicely.
Now I just have to learn how to set up SSL.

Posted: Thu Jun 21, 2007 2:30 pm
by RobertGonzalez
Why wouldn't you just go to GoDaddy and get a real SSL cert for like $17 and put that up? If you are really not concerned about security to the point that you are willing to roll your own cert...
And SSL typically runs out of port 443, not port 80, so there is usually a virtual server set up for *:443 that houses the secure files, so I don't think technically secure and insecure documents would live in the same directory tree unless you point *:80 and *:443 to the same directory, which in my opinion you should not do.
Posted: Thu Jun 21, 2007 5:13 pm
by John Cartwright
You can generate your own self-signed certs using cPanel.
Posted: Thu Jun 21, 2007 5:39 pm
by RobertGonzalez
You can do it at the CLI in Linux too if you have the right tools (which most distros come with out of the box).
Posted: Thu Jun 21, 2007 7:25 pm
by alex.barylski
Hmmmm... makes sense. About the ports and all.
I thought a signed cert was simply to avoid that dialog popup, and if someone checked, it would be from a recognized "provider"?
In this case, it's simply to log in users to an admin panel for their web sites. No need for validity in cert names; I just want to secure the connection for my server's own well-being...
Re: Poor man's SSL
Posted: Thu Jun 21, 2007 7:45 pm
by Christopher
Hockey wrote:I want users to login but the login.php script is in the same directory as the root of the site. Obviously I don't want SSL protection on page request but strictly for that single file.
Can SSL be used on a single file despite residing in a directory which houses other (non-SSL required) pages?
Huh?!? No "protection" on the request, but "protection" on a file?!? What the heck are you talking about?!? And what does "protection" mean?
HTTPS is a scheme to transport HTTP over SSL. Because it is a scheme, you specify in the URI which transport you want. That means one file/page or any mix. Stop trying to implement your own Protect-O-nator and configure your web server for HTTPS -- it is really easy to do and can be done for free. Good grief!