I didn't try this, but here's the approach I would follow.

The servlet can create a public/private key pair and send the public key to
the applet.
The applet uses this key to encrypt the userid-password and sends this to
the servlet.

I guess this is already pretty secure. No one will be able to snoop or
change the password.

BTW, does anybody know if it's secure to use the HTTP login (the popup
window) with HTTPS, or is the password still only BASE64 encoded?


Geert 'Darling' Van Damme


> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]] On Behalf Of Karl Roberts
> Sent: Friday 22 October 1999 11:42
> To: [EMAIL PROTECTED]
> Subject: Re: Secure passwords
>
>
> Hi
>
> Well, the bad news is that they do send it unencrypted. Imagine my
> surprise when, snooping my own network, I was able to catch my userid
> and password being posted to my Netscape Mail account!
>
> As we don't have access to HTTPS yet I am currently working on an
> encryption class. The idea is that I have a servlet/JSP display a page
> with a login applet. The applet would encrypt the login info, then
> base64 encode it, then send it to the login servlet, which would reverse
> the process and decide whether to log the user in.
>
> The reason that I want to send the password via HTTP rather than through
> a custom socket is that user and server may be on the other side of a
> firewall from each other.
>
> The only trouble I'm having at present is how to initialize the applet
> with its (unique) encryption key in a secure manner. One idea is to use
> the session id and IP address of the request, which the applet uses to
> create its own key on the fly. The servlet would know the same
> information and would be able to generate its decrypt key also on the
> fly. Because the encryption key is different every time, a spy can't
> just grab your encrypted password and resend it to the login server.
>
> The trouble is that once a malicious spy intercepts the applet being
> sent to the browser, they could conceivably determine the method with
> which the applet/servlet create their keys and then, by reading session
> info and IP spoofing, could decrypt the user id and password.
>
> Any better ideas would be welcome. Another idea I had (although I've not
> pursued it as it would be slow) is to have the servlet compile a new
> applet with a unique key already built in and send this applet to the
> user.
>
> Karl
>
>
> "Bragg, Casey" wrote:
>
> > I'm looking for any ideas on how to communicate a password
> > (entered into a browser form on a JSP page) to a servlet or
> > bean securely.
> >
> > As far as I can tell, on a POST my password text is plainly exposed
> > (unencrypted) as it traverses HTTP back to the server. This can't be
> > the norm. How do Yahoo, Excite and others implement this when
> > logging on?
> >
> > Thanks in advance for any input.
> >
> > Casey
> >
> >
> ==================================================================
> =========
> > To unsubscribe: mailto [EMAIL PROTECTED] with body:
> "signoff JSP-INTEREST".
> > FAQs on JSP can be found at:
> >  http://java.sun.com/products/jsp/faq.html
> >  http://www.esperanto.org.nz/jsp/jspfaq.html
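The public-key exchange Geert sketches above and the replay concern in Karl's message, worked through as an added example; this is not code from the thread or from any JSP project. Go is used because its standard library ships RSA, PEM and base64 out of the box, and the hypothetical Server type with EncryptLogin/DecryptLogin stands in for the servlet and applet. The servlet generates the key pair once, hands the applet only the public key plus a fresh random nonce, and the applet seals nonce, userid and password under RSA-OAEP and base64-encodes the blob for the POST, as Karl describes. The servlet decrypts and consumes the nonce, so a captured blob resubmitted later is rejected. One caveat the scheme does not solve on its own: the public key must reach the applet unmodified, which is exactly what a server certificate gives you under HTTPS; over plain HTTP a party in the middle can substitute its own key and the password is exposed again.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Server plays the servlet: it owns the private key and remembers which
// login challenges (nonces) it has issued but not yet consumed.
type Server struct {
	priv   *rsa.PrivateKey
	nonces map[string]bool
}

// NewServer generates the key pair once, when the servlet starts.
func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv, nonces: make(map[string]bool)}, nil
}

// PublicKeyPEM is the only key material the servlet ever sends to the applet.
func (s *Server) PublicKeyPEM() ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&s.priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// IssueNonce creates a fresh random challenge for one login attempt. It is
// consumed on first use, so a captured ciphertext cannot be resent later.
func (s *Server) IssueNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := base64.StdEncoding.EncodeToString(b)
	s.nonces[n] = true
	return n, nil
}

// EncryptLogin plays the applet: it seals nonce, userid and password under the
// servlet's public key (RSA-OAEP) and base64-encodes the result for the POST.
func EncryptLogin(pubPEM []byte, nonce, user, password string) (string, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return "", errors.New("applet: public key is not valid PEM")
	}
	k, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return "", err
	}
	pub, ok := k.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("applet: not an RSA public key")
	}
	// NUL-separated fields: a form-entered userid or password cannot contain NUL.
	msg := strings.Join([]string{nonce, user, password}, "\x00")
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(msg), nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptLogin reverses the process on the servlet and rejects unknown or
// already-used nonces, which is the replay defence Karl was after.
func (s *Server) DecryptLogin(b64 string) (user, password string, err error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, ct, nil)
	if err != nil {
		return "", "", errors.New("servlet: ciphertext rejected")
	}
	parts := strings.SplitN(string(pt), "\x00", 3)
	if len(parts) != 3 {
		return "", "", errors.New("servlet: malformed login message")
	}
	if !s.nonces[parts[0]] {
		return "", "", errors.New("servlet: unknown or replayed nonce")
	}
	delete(s.nonces, parts[0]) // one-shot challenge
	return parts[1], parts[2], nil
}

func main() {
	srv, err := NewServer()
	if err != nil {
		panic(err)
	}
	pub, _ := srv.PublicKeyPEM()
	nonce, _ := srv.IssueNonce()
	blob, _ := EncryptLogin(pub, nonce, "casey", "hunter2") // constructed sample credentials
	user, pass, err := srv.DecryptLogin(blob)
	fmt.Println("first submit:", user, pass, err)
	_, _, err = srv.DecryptLogin(blob)
	fmt.Println("replayed submit:", err)
}
```

The sample credentials in main are constructed for the demonstration. Note that the nonce does double duty: it makes every ciphertext different even for the same password (OAEP already randomises, but the server-side check is what actually blocks a resend), and it removes the need for the applet to derive any secret from session id or IP address, which an observer of the applet could reproduce.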