Re: [PHP] for the security minded web developer - secure way to login?
OK, i hear about this self signed certificate. Whenever i signed anything it just came up with all these warnings in FF which confuses users and i think is not good at all. Can someone paste a link in here to a website with a self signed cert please? Would like to see if there are any warnings etc. Thanks. Tim Tim-Hinnerk Heuer http://www.ihostnz.com Jay London - My father would take me to the playground, and put me on mood swings. 2009/2/15 Michael A. Peters mpet...@mac.com Sudheer wrote: Michael A. Peters wrote: Sites (like mine) that don't want to pay a certificate authority can use a self-signed cert. Even Red Hat does for some of their stuff (IE I believe their bugzilla server) Firefox scares its users when they encounter a website with self signed certificate. If your website users aren't worried about the warning Firefox throws at them, self signed cert works well. Yeah it does, hopefully they fix it. What scares me is allowing sites I have no reason to trust as non malicious and have no reason to trust as properly secured against XSS injection to load scripts that execute on my machine. People who use Firefox may be scared by the absurd warning FireFox 3 uses (something I've complained about to them) - other than informing users of the issue and hoping some read it, not much I can do about that. Hopefully FireFox will fix the issue and do something like what opera does (except the cert for session if you just click OK, accept it permanently if you click the security tab and check a box first). -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] for the security minded web developer - secure way to login?
German Geek wrote: OK, i hear about this self signed certificate. Whenever i signed anything it just came up with all these warnings in FF which confuses users and i think is not good at all. Can someone paste a link in here to a website with a self signed cert please? Would like to see if there are any warnings etc. Thanks. There still are all the warnings. There are some cheap (and free) CA's that FireFox recognizes so it still is possible to use SSL and not have the firefox 3 warning hell, but things like linksys routers are still problematic. https://www.scientificlinux.org/ Demonstrates the problem in FireFox 3. They use a self-signed cert. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] for the security minded web developer - secure way to login?
Hi All again, What makes it so expensive to have a certificate? I mean, wouldn't it be possible to setup a new authority that doesn't charge as much or nothing at all? Wouldn't the major browsers be willing to support an authority that is free or costs next to nothing? I pay about $200 a year for my virtual server, so if i only issue 200 certifcates and charge a dollar each i wouldn't loose money. I have a v-server on the Internet and wouldn't mind setting it up as a free authority or even one based on donations. Or is there going to be so much traffic and processing that it wouldn't be able to handle it? Cannot be that bad because it needs to compute the authentication only periodically (once a year or so for each) and each time a user hits a page it is only checked which would only be a couple of bytes traffic (per domain?). Please enlighten me why it is so expensive? Is it maybe just the hassle of setting it up? Regards, Tim Tim-Hinnerk Heuer http://www.ihostnz.com Fred Allen - California is a fine place to live - if you happen to be an orange. 2009/2/16 Michael A. Peters mpet...@mac.com German Geek wrote: OK, i hear about this self signed certificate. Whenever i signed anything it just came up with all these warnings in FF which confuses users and i think is not good at all. Can someone paste a link in here to a website with a self signed cert please? Would like to see if there are any warnings etc. Thanks. There still are all the warnings. There are some cheap (and free) CA's that FireFox recognizes so it still is possible to use SSL and not have the firefox 3 warning hell, but things like linksys routers are still problematic. https://www.scientificlinux.org/ Demonstrates the problem in FireFox 3. They use a self-signed cert.
[PHP] for the security minded web developer - secure way to login?
Hi All, A few months ago it came to my mind, that it might be possible to make non-https session (reasonably) secure by at least not letting people login that shouldn't because they might have sniffed the password from a user. Please let me know if you can find a loop hole in this process. I think it would be interesting for anybody on this list (or anybody really) who has a bit of knowlege and appreciation about security: Assumptions: The session variables are stored on the web server and not transferred to the client at all. The client has Javascript enabled. We have a secure hash function, say sha1. We can generate truly random numbers/strings with PHP which cannot be guessed call it salt. A session cannot be stolen. ... add more if needed. :-) So, we could on the server generate a random salt value and send that to the client along with the login form. On the client, when the user submits the form, we take the entered password value (with Javascript), hash it with our sha1 function, concatenate it with the salt and compute the hash value of the password together with the salt (again). All this in Javascript or whatever runs on the client. We then send this hash value, call it h(h(p) + s) (hash(hash(password) + salt)), to the server. Its useless for the sniffer, because the same value will never be sent twice, unless of course the user (password) and the salt are the same (or there is a collision, but we assumed its a secure hash function). We could make sure that a user doesn't get sent the same salt twice by storing them in the database when used and checking against them when it is generated. On the server we could do the same process with the stored hash of the password (assuming the hash of the password is stored), otherwise it becomes necessary to also send the actual salt of the password along with the login form and this would become even a little more complex. So, if h(p) is stored, we would simply compute h(h(p) + s) where s is the salt that was sent and stored in a session variable. Assuming we don't use a salt to store the password hash, this seems quite secure to me, don't you think? I mean, of course someone can still steel the session but it becomes a lot harder to figure out the password by sniffing. What do you think? If everybody agrees this is worth implementing, i might give it a go and make a library. Sorry this is not directly PHP related, but since i like this list, i thought i would share it with you. Regards, Tim Tim-Hinnerk Heuer http://www.ihostnz.com Joan Rivers - Never floss with a stranger.
Re: [PHP] for the security minded web developer - secure way to login?
German Geek wrote: What do you think? I think just use a flippin' ssl server and be done with it. When I go to a website that requires me to let them execute JavaScript I rarely go back. You can use SSL for the login and only the login - I know that it means either using a self signed cert or paying big bucks, for anything with e-commerce you want to pay big bucks for a cert, there is no other option. For anything not e-commerce, using a self signed cert seems a lot more secure to me than having the browser grab some salt off your server, use javascript to encrypt the pass, and then sending it back. Public / Private key is the way to go, and self signed cert still gives you that, the only issue is the user get's a warning the first time they connect to the server - and have to manually accept your cert. You may make the password a little more difficult to sniff by sending some salt to the client and using js to make a password hash, but the bottom line is a user has no reason to trust a login is secure if you don't use SSL and every reason not to trust that it is secure, so use SSL if you want to provide secure login and don't cripple your site by having the audacity to require users to allow you to execute code on their machine in order to use your website. It will drive some users away. Not exactly what you asked, but it is my opinion. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] for the security minded web developer - secure way to login?
Michael A. Peters wrote: German Geek wrote: What do you think? I think just use a flippin' ssl server and be done with it. That was my thought too. You can use SSL for the login and only the login - I know that it means either using a self signed cert or paying big bucks, for anything with e-commerce you want to pay big bucks for a cert, there is no other option. http://www.cacert.org/ /Per -- Per Jessen, Zürich (0.2°C) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] for the security minded web developer - secure way to login?
I think just use a flippin' ssl server and be done with it. ++$i When I go to a website that requires me to let them execute JavaScript I rarely go back. Many people do this, I hope that the OP realizes this. You can use SSL for the login and only the login - I know that it means either using a self signed cert or paying big bucks, for anything with e-commerce you want to pay big bucks for a cert, there is no other option. For anything not e-commerce, using a self signed cert seems a lot more secure to me than having the browser grab some salt off your server, use javascript to encrypt the pass, and then sending it back. Have you seen the fit Firefox 3 makes for self-signed certs? So far as the end user is concerned, the site is inaccesible. -- Dotan Cohen http://what-is-what.com http://gibberish.co.il א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه-و-ي А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я ä-ö-ü-ß-Ä-Ö-Ü
Re: [PHP] for the security minded web developer - secure way to login?
Dotan Cohen wrote: Have you seen the fit Firefox 3 makes for self-signed certs? So far as the end user is concerned, the site is inaccesible. Yes I have. That's why on my site I have an instruction page - and a demonstration of how Opera does it, which is just as secure and less of a PITA, and a suggestion that users go ahead and try Opera - something I never did before FF messed up the self signed SSL process. The FF3 really bugged me - 1) The purpose of SSL is to provide public/private key encryption. 2) The purpose of signing is so that they know you are really you on future visits. 3) The purpose of certificate authorities is so that they know you are you on the first visit. Many web sites benefit from the first two without needing the complexity of the third, a concept FireFox seems to have lost. I don't need the paperwork hassle etc. for the few sites I run - I just need a way for a user to authenticate so I can give 'em a session cookie, no sensitive data is ever collected. Ah well. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] for the security minded web developer - secure way to login?
Hi gang, Was just thinking of a cheap solution for sites that don't require absolute security. A SSL cert cost about $150 a year. Sites like facebook could use this... Of course it's not for banks etc. You could degrade gracefully when javascript is turned off to just sending the form and checking the password normally if the first test fails which would happen anyway wouldnt it? ... Mainly this was just ment to be a proof of concept. An alternative to SSL for those who have more time than $$ and not quite so high a security requirement. Of course SSL is better! Duh! Just wanted to give you guys something to think about. The password would not be given away like this would it? It just makes it a little more difficult for script kiddies. They would have to have a keylogger running or steal the session. :P Regards, Tim Tim-Hinnerk Heuer http://www.ihostnz.com Mike Ditka - If God had wanted man to play soccer, he wouldn't have given us arms. 2009/2/15 Michael A. Peters mpet...@mac.com Dotan Cohen wrote: Have you seen the fit Firefox 3 makes for self-signed certs? So far as the end user is concerned, the site is inaccesible. Yes I have. That's why on my site I have an instruction page - and a demonstration of how Opera does it, which is just as secure and less of a PITA, and a suggestion that users go ahead and try Opera - something I never did before FF messed up the self signed SSL process. The FF3 really bugged me - 1) The purpose of SSL is to provide public/private key encryption. 2) The purpose of signing is so that they know you are really you on future visits. 3) The purpose of certificate authorities is so that they know you are you on the first visit. Many web sites benefit from the first two without needing the complexity of the third, a concept FireFox seems to have lost. I don't need the paperwork hassle etc. for the few sites I run - I just need a way for a user to authenticate so I can give 'em a session cookie, no sensitive data is ever collected. Ah well. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] for the security minded web developer - secure way to login?
German Geek wrote: Hi gang, Was just thinking of a cheap solution for sites that don't require absolute security. A SSL cert cost about $150 a year. Sites like facebook could use this... Sites (like mine) that don't want to pay a certificate authority can use a self-signed cert. Even Red Hat does for some of their stuff (IE I believe their bugzilla server) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] for the security minded web developer - secure way to login?
Michael A. Peters wrote: German Geek wrote: Hi gang, Was just thinking of a cheap solution for sites that don't require absolute security. A SSL cert cost about $150 a year. Sites like facebook could use this... Sites (like mine) that don't want to pay a certificate authority can use a self-signed cert. Even Red Hat does for some of their stuff (IE I believe their bugzilla server) Firefox scares its users when they encounter a website with self signed certificate. If your website users aren't worried about the warning Firefox throws at them, self signed cert works well. -- With warm regards, Sudheer. S Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, Personal: http://sudheer.net -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] for the security minded web developer - secure way to login?
Firefox scares its users when they encounter a website with self signed certificate. If your website users aren't worried about the warning Firefox throws at them, self signed cert works well. I just realized Dotan Cohen already mentioned this. -- With warm regards, Sudheer. S Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, Personal: http://sudheer.net -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] for the security minded web developer - secure way to login?
Sudheer wrote: Michael A. Peters wrote: Sites (like mine) that don't want to pay a certificate authority can use a self-signed cert. Even Red Hat does for some of their stuff (IE I believe their bugzilla server) Firefox scares its users when they encounter a website with self signed certificate. If your website users aren't worried about the warning Firefox throws at them, self signed cert works well. Yeah it does, hopefully they fix it. What scares me is allowing sites I have no reason to trust as non malicious and have no reason to trust as properly secured against XSS injection to load scripts that execute on my machine. People who use Firefox may be scared by the absurd warning FireFox 3 uses (something I've complained about to them) - other than informing users of the issue and hoping some read it, not much I can do about that. Hopefully FireFox will fix the issue and do something like what opera does (except the cert for session if you just click OK, accept it permanently if you click the security tab and check a box first). -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php