Basic concepts in digital identity are message integrity, non-repudiation, and confidentiality.

The point of using SSH/HTTPS is that it performs a key exchange using public key encryption, and that is critical to confidentiality (the password and information cannot be stolen in transit). Public key cryptography allows the two parties to agree on one encryption key without ever transferring that key. After this initial exchange all communications are encrypted, including the transmission of the password.

Hashing (MD5, SHA, HMAC, etc.) is a critical ingredient of integrity (together with encryption, it allows you to detect if data has been tampered with). Hashing does nothing to protect your password in transit. You may as well send it in the clear. That jQuery plugin does not help at all with the problem of transmitting the password.

There are places where you get a free SSL certificate.

Massimo

> I'm going to try this: http://plugins.jquery.com/project/sha256
>
> On Sep 29, 6:18 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > If not running over http session.secure() will prevent sessions from
> > working and login will not work.
> >
> > hashing with a salt can easily be attacked.
> >
> > Massimo
> >
> > On Sep 29, 6:11 pm, "mr.freeze" <nat...@freezable.com> wrote:
> >
> > > Reddit seems to send a clear text password but Digg and a few others
> > > seem to be hashing on the client using a token salt before sending.
> > > I'm too cheap to pay for a unique IP and SSL so I will try that
> > > first.
> > >
> > > Question: Does session.secure do anything useful when *not* running
> > > over https?
> > >
> > > On Sep 29, 4:50 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
> > >
> > > > I did not notice and that is bad.
> > > >
> > > > If your app uses authentication you should have
> > > >
> > > > session.secure()
> > > >
> > > > and use HTTPS. The latter line will not accept session cookies
> > > > without HTTPS.
> > > >
> > > > Massimo
> > > >
> > > > On Sep 29, 4:28 pm, "mr.freeze" <nat...@freezable.com> wrote:
> > > >
> > > > > What are sites like reddit.com doing to secure their logins?
> > > > > Anything? The login request goes over http according to firebug. I'm
> > > > > just wondering if my wiki site needs https for login or http is
> > > > > acceptable or if there is another trick I can use.
> > > > >
> > > > > Thanks!
> > > > > Nathan

You received this message because you are subscribed to the Google Groups "web2py-users" group. For more options, visit this group at http://groups.google.com/group/web2py?hl=en
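The two approaches the thread contrasts, as an added Python example that is not part of the original thread or of web2py: hashing the password in the browser and sending the hash over plain HTTP, versus agreeing on a key that is never transmitted (a toy Diffie-Hellman standing in for the SSH/TLS key exchange) and using an HMAC under that key for integrity. The salt token, group parameters, and sample login request are constructed values.

```python
import hashlib
import hmac
import secrets
# Scheme discussed by mr.freeze: hash the password in the browser, send over HTTP.
SALT_TOKEN = "server-issued-token"  # constructed sample value

def client_side_hash(password: str, salt: str = SALT_TOKEN) -> str:
    """The value a client-side sha256 plugin would put on the wire."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def server_accepts(received: str, stored_password: str, salt: str = SALT_TOKEN) -> bool:
    """The server can only recompute the same hash and compare."""
    expected = hashlib.sha256((salt + stored_password).encode()).hexdigest()
    return hmac.compare_digest(received, expected)

# Scheme Massimo describes: agree on a key that never crosses the wire.
# Toy Diffie-Hellman parameters (31-bit prime) for illustration only; real
# SSH/TLS groups are thousands of bits long or use elliptic curves.
P = 2**31 - 1
G = 7

def dh_keypair() -> tuple[int, int]:
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)

def dh_shared_key(own_private: int, peer_public: int) -> bytes:
    """Each side derives the same key from the other side's public value."""
    return hashlib.sha256(pow(peer_public, own_private, P).to_bytes(4, "big")).digest()

def tag(key: bytes, message: bytes) -> bytes:
    """Integrity: a keyed hash (HMAC) lets the receiver detect tampering."""
    return hmac.new(key, message, hashlib.sha256).digest()

def demo() -> dict:
    # 1. Over plain HTTP an observer sees exactly the value the server
    #    accepts, so the hash is a password equivalent: nothing is hidden.
    on_the_wire = client_side_hash("correct horse")
    # 2. Only the public values are transmitted, yet both sides hold one key,
    #    and an HMAC under it exposes any change to the login request.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a, key_b = dh_shared_key(a_priv, b_pub), dh_shared_key(b_priv, a_pub)
    login = b"user=alice&password=correct horse"  # constructed sample request
    mac = tag(key_a, login)
    return {
        "hash_is_password_equivalent": server_accepts(on_the_wire, "correct horse"),
        "keys_match": key_a == key_b,
        "tamper_detected": not hmac.compare_digest(tag(key_b, login.replace(b"alice", b"bob")), mac),
    }
```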