On Fri, 22 Aug 2003 05:48:14 +0000, Greenhalgh David <[EMAIL PROTECTED]> wrote:

> Hi All,
> 
> I need to implement a form that is submitted securely. My client does 
> not have access to SSL on his host. I was thinking in terms of a 
> session cookie with a client side RC4 encrypt and a decrypt in the Perl 
> script. Do people here consider that to be a secure scenario, or is 
> there another method that you could recommend? The encryption needs to 
> be reversible.
> 

It seems like it should be secure. I am assuming the "session cookie" would store the 
server's public key? or some such?  My question would be how do you implement an RC4 
encryption (or any encryption other than the built-in SSL) on the client side? 
Possibly a Java applet with the encryption built-in? I suppose you could implement an 
encryption algorithm in javascript and then just call that via a form's onSubmit, but 
how would you generate a random number (built into javascript?)... yikes that's a lot 
of javascript :-)... and at that point you would also have to generate a private key 
on the client side, and send the corresponding public key to the server... and this 
would have to be done each time which could get slow...

The problem I see is implementation rather than security, well other than there are 
better encryption methods than RC4, but choosing the cipher is probably secondary, if 
you can get one to work you should be able to get any to.

I saw in your other post about the limited IPs, if this really is a temp solution, the 
implementation difficulty still might suggest springing for extra hosting, or the 
similar until the upgrade is in place...

http://danconia.org
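
For reference, the "encryption algorithm in javascript" that the reply speculates about, as an added example that is not part of the original thread. It is plain RC4 checked against the widely published RC4 test vectors. The helper names `encryptField` and `decryptField` are hypothetical, and the example assumes both ends already hold the same key, which a page served without SSL cannot deliver secretly by itself.

```javascript
// Added example (not from the thread): RC4 in plain JavaScript.
// Assumption: the key is already shared between the page and the server script.

// UTF-8 string -> array of byte values.
function toBytes(str) {
  return Array.from(new TextEncoder().encode(str));
}

// Byte array -> lowercase hex string (safe to place in a form field).
function toHex(bytes) {
  return bytes.map(b => b.toString(16).padStart(2, "0")).join("");
}

// Hex string -> byte array.
function fromHex(hex) {
  const out = [];
  for (let k = 0; k < hex.length; k += 2) out.push(parseInt(hex.slice(k, k + 2), 16));
  return out;
}

// RC4: key scheduling (KSA), then keystream generation (PRGA) XORed onto the data.
// The same call encrypts and decrypts.
function rc4(keyBytes, dataBytes) {
  const S = [];
  for (let i = 0; i < 256; i++) S[i] = i;
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  let x = 0, y = 0;
  return dataBytes.map(byte => {
    x = (x + 1) & 0xff;
    y = (y + S[x]) & 0xff;
    [S[x], S[y]] = [S[y], S[x]];
    return byte ^ S[(S[x] + S[y]) & 0xff];
  });
}

// Hypothetical helper: what an onSubmit handler would put in the field.
function encryptField(key, value) {
  return toHex(rc4(toBytes(key), toBytes(value)));
}

// Hypothetical helper: the inverse, mirroring what the server script would do.
function decryptField(key, hex) {
  return new TextDecoder().decode(Uint8Array.from(rc4(toBytes(key), fromHex(hex))));
}
```

In a browser, an onSubmit handler would replace the field's value with `encryptField(key, value)` before the form is sent, and the Perl script would run the same RC4 over the decoded hex to recover it.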
