Re: Must we authenticate login forms (using SSL?)?

[Antoine Martin <antoine () nagafix co uk>]

On Thu, 2005-09-29 at 11:03 +0300, info () biledge com wrote:
> hi,
>
> we do authenticate login forms with SSL or not, UAE (users  are everywhere) is
> the valid one, the attack is unavoidable. kind of hit-and-hide game. then MITM is also = UITM.
I am surprised no-one has mentioned the use of client-side encryption
(ie: checksum the password with a random session seed - which can be
done in Javascript for example) as a way of reducing the risks of MITM.
The session can still be hijacked but at least the original password is
safer (as stealing it requires more work than just listening in).
Obviously, this relies on more than just plain html and needs other
safeguards to ensure the MITM can't make the client default to the
non-javascript version (if there is one), etc.

just my 2p

Antoine

> if we can create a 'secure system' among all servers in the world, then we may provide
> security. but if clauses are jokers sometimes, i think it is better to prefer the identity based 
> security systems. you can have SSL but user may not use https. if servers can control the use 
> of https, then i think things would be different in terms of security (now i feel very insecure !)..
> i am just thinking though..
>
> regards,
>
> billur c.