Hi

Well the bad news is that they do send it unencrypted. Imagine my surprise when, snooping my own network, I was able to catch my userid and password being posted to my Netscape Mail account!

As we don't have access to HTTPS yet, I am currently working on an encryption class. The idea is that I have a servlet/JSP display a page with a login applet. The applet would encrypt the login info, then base64-encode it, then send it to the login servlet, which would reverse the process and decide whether to log the user in.

The reason that I want to send the password via HTTP rather than through a custom socket is that user and server may be on the other side of a firewall from each other.

The only trouble I'm having at present is how to initialize the applet with its (unique) encryption key in a secure manner. One idea is to use the session id and IP address of the request, which the applet uses to create its own key on the fly. The servlet would know the same information and would be able to generate its decrypt key, also on the fly. Because the encryption key is different every time, a spy can't just grab your encrypted password and resend it to the login server.

The trouble is that once a malicious spy intercepts the applet being sent to the browser, they could conceivably determine the method with which the applet/servlet create their keys, and then, by reading session info and IP spoofing, could decrypt the user id and password.

Any better ideas would be welcome. Another idea I had (although I've not pursued it, as it would be slow) is to have the servlet compile a new applet with a unique key already built in and send this applet to the user.

Karl


"Bragg, Casey" wrote:

> I'm looking for any ideas on how to communicate a password
> (entered into a browser form on a jsp page) to a servlet or bean securely.
>
> As far as I can tell, on a POST my password text is plainly exposed
> (unencrypted) as it traverses HTTP back to the server.  This can't be
> the norm.  How do Yahoo, Excite and others implement this when logging on?
>
> Thanks in advance for any input.
>
> Casey
>

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
FAQs on JSP can be found at:
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
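A constructed model of the key-derivation scheme Karl describes (an added example, not Karl's code; written in Python rather than Java so it runs stand-alone, with a SHA-256 counter keystream standing in for whatever cipher the applet would use). It shows the property Karl wants, that a blob captured in one session is useless in another, and the limitation he identifies, that both derivation inputs are visible on the wire:

```python
import base64
import hashlib
import hmac

# Constructed model of the proposal in the reply above: applet and servlet each
# derive the same per-session key from the HTTP session id and the client IP,
# the applet encrypts and base64-encodes the credentials, and the servlet
# reverses the process. Session ids and IPs below are made-up sample values.

def derive_key(session_id: str, client_ip: str) -> bytes:
    """Key built only from values both sides already know, no extra exchange."""
    return hashlib.sha256(f"{session_id}|{client_ip}".encode()).digest()

def keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256(key || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def applet_encrypt(session_id: str, client_ip: str, user: str, password: str) -> str:
    """Applet side: encrypt 'user:password' and base64-encode it for the POST."""
    key = derive_key(session_id, client_ip)
    return base64.b64encode(xor(f"{user}:{password}".encode(), key)).decode()

def servlet_decrypt(session_id: str, client_ip: str, blob: str) -> tuple:
    """Servlet side: session id comes from the cookie, IP from the request."""
    key = derive_key(session_id, client_ip)
    plain = xor(base64.b64decode(blob), key).decode(errors="replace")
    user, _, password = plain.partition(":")
    return user, password

def login_ok(session_id, client_ip, blob, stored_user, stored_password) -> bool:
    """A blob replayed under a different session decrypts to garbage, so the
    straight replay Karl worries about fails. Constant-time compare on the password."""
    user, password = servlet_decrypt(session_id, client_ip, blob)
    return user == stored_user and hmac.compare_digest(
        password.encode(), stored_password.encode())

def key_inputs_are_wire_visible(cookie_session_id: str, packet_src_ip: str,
                                real_key: bytes) -> bool:
    """The session id rides in the cookie and the IP in the packet header, so
    anyone who also knows the derivation method (readable from the applet, as
    the reply notes) computes the same key: confidentiality rests on the
    method staying secret, not on any secret value."""
    return derive_key(cookie_session_id, packet_src_ip) == real_key
```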
