How to secure passwords over HTTP
Say my password is abc. I want to send it to the server over HTTP.
I could send it in plaintext and let the server hash it and compare it to the entries in its database, but then anyone that can see traffic over that connection would see the password in plain text.
So then I could hash it client-side and let the server just compare it without hashing since it's already hashed (or the server could even double hash, but no difference in this situation). But then again anyone that can see the traffic would see the password hashed, and then send the hashed password to the server and the server would accept it.
How do I send passwords over HTTP? Do I need to implement some encryption algorithm like RSA public key encryption? Or is this impossible?
Tags: encryption, passwords, hash, http
edited 3 hours ago
asked 3 hours ago
FireCubez
Why can't you just use TLS? There's really no other way to do it securely.
– AndrolGenhald
3 hours ago
@AndrolGenhald I could, this is just a proof of concept. If there's no other way to do it securely then that's the answer I was looking for. You should post it as an answer
– FireCubez
3 hours ago
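Added example (not part of the question or of any answer): a small Python model of the two schemes the question describes. The user database, the stored hash of "abc", the nonce scheme and the wordlist are all constructed for this example. It reproduces the replay the question worries about, then goes one step further than the question does: a server-issued one-time nonce stops that exact replay, yet a passive eavesdropper still holds everything needed to brute-force the password offline, and nothing in either scheme stops an active attacker from rewriting the page. That gap is what the answers below are pointing at when they say TLS is the only standard fix.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Set

# Constructed sample user database for this example. The server stores
# sha256(password) because, in the scheme from the question, that hash is
# what the client sends; "abc" is the password from the question.
USERS: Dict[str, str] = {"alice": hashlib.sha256(b"abc").hexdigest()}


def client_login_message(username: str, password: str) -> Dict[str, str]:
    """The 'hash it client-side' scheme: the browser sends sha256(password)."""
    return {"user": username, "hash": hashlib.sha256(password.encode()).hexdigest()}


def server_accepts(message: Dict[str, str]) -> bool:
    """Server compares the received hash with the stored one."""
    stored = USERS.get(message["user"])
    return stored is not None and hmac.compare_digest(stored, message["hash"])


def replay_attack() -> bool:
    """A passive eavesdropper on plain HTTP copies the login message and
    resends it unchanged. Returns True if the server accepts the replay,
    which it does: the hash has become a password-equivalent."""
    captured = client_login_message("alice", "abc")  # observed on the wire
    return server_accepts(dict(captured))             # resent byte-for-byte


# The usual next idea: the server issues a one-time nonce and the client
# answers with HMAC(sha256(password), nonce), so the wire never carries a
# directly reusable value. (HTTP Digest authentication works on this idea.)
def challenge() -> str:
    return secrets.token_hex(16)


def client_response(username: str, password: str, nonce: str) -> Dict[str, str]:
    key = hashlib.sha256(password.encode()).hexdigest().encode()
    mac = hmac.new(key, nonce.encode(), "sha256").hexdigest()
    return {"user": username, "nonce": nonce, "mac": mac}


def server_verifies(message: Dict[str, str], issued: Set[str]) -> bool:
    """Accept only a MAC over a nonce this server issued and has not yet consumed."""
    if message["nonce"] not in issued:
        return False
    issued.discard(message["nonce"])          # single use: a replay finds it gone
    stored = USERS.get(message["user"])
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), message["nonce"].encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, message["mac"])


def replay_against_challenge() -> bool:
    """Same eavesdropper, same trick, against the nonce scheme. Returns the
    server's verdict on the replayed copy (False: the nonce was consumed)."""
    issued = {challenge()}
    nonce = next(iter(issued))
    captured = client_response("alice", "abc", nonce)
    assert server_verifies(captured, issued)        # the genuine login succeeds
    return server_verifies(dict(captured), issued)  # the replayed copy does not


def offline_guess(captured: Dict[str, str], wordlist: Iterable[str]) -> Optional[str]:
    """What the nonce scheme does NOT prevent: the eavesdropper holds
    (nonce, mac) and can test password guesses offline at full speed,
    with no server round trip and no rate limit in the way."""
    for guess in wordlist:
        key = hashlib.sha256(guess.encode()).hexdigest().encode()
        mac = hmac.new(key, captured["nonce"].encode(), "sha256").hexdigest()
        if hmac.compare_digest(mac, captured["mac"]):
            return guess
    return None


if __name__ == "__main__":
    print("replay of client-side hash accepted:", replay_attack())
    print("replay against nonce scheme accepted:", replay_against_challenge())
    msg = client_response("alice", "abc", challenge())
    # constructed wordlist; "abc" is the password from the question
    print("password recovered offline from one transcript:",
          offline_guess(msg, ["password", "123456", "abc"]))
```

Neither scheme authenticates the server, so a man-in-the-middle can also just serve a page that asks for the password in the clear; the nonce only raises the cost for a purely passive observer, and for a short password like abc that cost is negligible.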
4 Answers
Accepted answer
You can't.
To securely send information over an insecure channel, you need encryption.
Symmetric encryption is out, because you would first need to transport the key, which you can't do securely over an insecure channel[*].
That leaves you with public key cryptography. You could of course roll your own, but you don't want to be a Dave, so that's out. Which leaves you with HTTPS.
[*] You can of course try to use a secure channel to exchange the key, for example physical exchange of a key. Then you can use secret key crypto, e.g. Kerberos.
answered 3 hours ago
tim
TLS is really the only way to do it.
But what if I encrypt it with JavaScript?
The attacker can change the JavaScript you send to the client, or simply inject their own JavaScript that logs all information entered.
Then I'll use CSP and SRI to prevent the addition of scripts and the modification of my own scripts.
Glad you're using modern tools to help protect your site, but SRI in a non-secure context really only protects against the compromise of an external resource. An attacker can simply modify the CSP headers and SRI tags.
There's really no way to do this without using encryption from the beginning, and the only standard way to do that is to use TLS.
answered 3 hours ago
AndrolGenhald
Do I need to implement some encryption algorithm like RSA public key encryption?
If you're considering trying that, you may as well just go the full mile and use HTTPS. Since you don't seem to be an expert, "rolling your own" encryption will undoubtedly have misimplementations that render it insecure.
answered 1 hour ago
Brian Williams
You can also get cheap SSL certs from various different providers, if your concern is price. Price, however, is linked to trustworthiness and the "security" of your keys. https://www.reddit.com/r/web_design/comments/4vjiec/bestcheapest_place_for_ssl_cert/
The only absolute way I can think of that would keep http traffic unencrypted is to VPN or tunnel to the server...
answered 46 secs ago
Nielsvh