hi, I thought that J2EE had HTTPS built-in... is it not the case?

Karl Roberts wrote:

> Hi
>
> Well the bad news is that they do send it unencrypted, imagine my surprise when
> snooping my own network I was able to catch my userid and password being posted to
> my Netscape Mail account!
>
> As we don't have access to HTTPS yet I am currently working on an encryption
> class. The idea is that I have a servlet/JSP display a page with a login applet.
> The applet would encrypt the login info then base 64 encode it then send it to the
> login servlet which would reverse the process and decide whether to log the user
> in.
>
> The reason that I want to send the password via HTTP rather than through a custom
> socket is that user and server may be on the other side of a firewall from each
> other.
>
> The only trouble I'm having at present is how to initialize the applet with its
> (unique) encryption key in a secure manner. One idea is to use the session id and
> IP address of the request which the applet uses to create its own key on the fly.
> The servlet would know the same information and would be able to generate its
> decrypt key also on the fly. Because the encryption key is different every time a
> spy can't just grab your encrypted password and resend it to the login server.
>
> The trouble is that once a malicious spy intercepts the applet being sent to the
> browser, they could conceivably determine the method with which the applet/servlet
> create their keys and then by reading session info and IP spoofing could decrypt
> the user id and password.
>
> Any better ideas would be welcome. Another idea I had (although I've not pursued
> it as it would be slow) is to have the servlet compile a new applet with a unique
> key already in built and send this applet to the user.
>
> Karl
>
> "Bragg, Casey" wrote:
>
> > I'm looking for any ideas on how to communicate a password
> > (entered into a browser form on a jsp page) to a servlet or bean securely.
> >
> > As far as I can tell, on a POST my password text is plainly exposed
> > (unencrypted) as it traverses HTTP back to the server. This can't be
> > the norm. How do Yahoo, Excite and others implement this when logging on?
> >
> > Thanks in advance for any input.
> >
> > Casey
> >
> > ===========================================================================
> > To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> > FAQs on JSP can be found at:
> > http://java.sun.com/products/jsp/faq.html
> > http://www.esperanto.org.nz/jsp/jspfaq.html
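A small model of the scheme Karl describes, added here as an example and not code from anyone in the thread (Python stands in for the applet and servlet). It shows the weakness he already suspects: the key is derived from the session id and client IP, both of which are visible in the same HTTP request, so the servlet's decrypt step uses nothing that a passive observer of that request lacks. The derivation function, the toy cipher and the sample values are all assumptions for illustration.

```python
import base64
import hashlib

# Constructed sample request, as seen by anyone watching the wire:
# the session id (cookie) and the client IP are both sent in the clear.
SESSION_ID = "AB12CD34EF56"   # constructed sample value
CLIENT_IP = "192.0.2.10"      # constructed, documentation address
PASSWORD = "correct horse"    # constructed sample secret


def derive_key(session_id: str, client_ip: str) -> bytes:
    """Key made 'on the fly' from values applet and servlet both know.
    Hypothetical derivation; the post does not specify one."""
    return hashlib.sha256(f"{session_id}|{client_ip}".encode()).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def applet_encrypt(password: str, session_id: str, client_ip: str) -> str:
    """Applet side: encrypt, then base64-encode for the HTTP POST."""
    key = derive_key(session_id, client_ip)
    data = password.encode()
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))
    return base64.b64encode(ct).decode()


def decrypt_field(b64_field: str, session_id: str, client_ip: str) -> str:
    """Reverse of applet_encrypt. The servlet runs this, but its only
    inputs are the POST body, the session id and the client IP."""
    key = derive_key(session_id, client_ip)
    ct = base64.b64decode(b64_field)
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct)))).decode()


def observer_recovers_password() -> bool:
    """An observer of the request holds the same three values the servlet
    holds, so it recomputes the same key: the scheme has no secret."""
    posted = applet_encrypt(PASSWORD, SESSION_ID, CLIENT_IP)
    at_servlet = decrypt_field(posted, SESSION_ID, CLIENT_IP)
    at_observer = decrypt_field(posted, SESSION_ID, CLIENT_IP)
    return at_servlet == at_observer == PASSWORD
```

The missing ingredient is a secret the observer does not have, which is exactly what TLS supplies through the server's private key; that is why HTTPS, rather than a per-session derivation from public request data, is the usual answer to Casey's question.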