LinuxQuestions.org
Old 05-18-2008, 09:18 AM   #1
rholme
Member
 
Registered: May 2008
Posts: 47

Rep: Reputation: 15
short of HTTPS - any way to have a secure username/password on the web?


I know HTTPS is great but to do it right, you need a certificate ...
If the application data required security, this is THE way to go.

However all I really want to do is make sure that the username and password the client sends is protected. I am using Java and JSP on the linux server and yes I do know how to make Java call C if required, but don't see how that helps.

The goal is minimum footprint on the client. We could download an applet, but even that can cause some security systems to choke. Trying to avoid the web application getting any security software upset.
 
Old 05-18-2008, 12:57 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by rholme
I know HTTPS is great but to do it right, you need a certificate ...
If the application data required security, this is THE way to go.

However all I really want to do is make sure that the username and password the client sends is protected. I am using Java and JSP on the linux server and yes I do know how to make Java call C if required, but don't see how that helps.

The goal is minimum footprint on the client. We could download an applet, but even that can cause some security systems to choke. Trying to avoid the web application getting any security software upset.
Since you know this could be handled perfectly by HTTP over SSL, why is it that you don't want to do it with HTTPS? If you provide the reasons for this it might make it easier for someone to suggest an alternative. That said, any public-key method you choose will require some sort of certification if you want your clients to be confident that they aren't getting bamboozled.

Last edited by win32sux; 05-18-2008 at 12:58 PM.
 
Old 05-18-2008, 01:13 PM   #3
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Rep: Reputation: 66
Yeah I don't see why you have a problem with HTTPS. You can generate your own certificate and use it for free. What you have to pay for is verification against a certificate authority. As long as you trust that the certificate hasn't been tampered with (visually looking at the fingerprint) then you know your communication between the client and server is secure.
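
The self-signed certificate and fingerprint check described in the post above, as an added example that is not part of the original thread. The host name `staging.example.test`, the file names and the function names are assumptions; the expected fingerprint must reach the client over a separate channel, not over the connection being checked.

```sh
#!/bin/sh
# Added example: self-signed certificate for a staging host, then a
# fingerprint comparison. Host name and file names are hypothetical.
set -eu

# Create a private key and a self-signed certificate (no CA involved).
make_self_signed() {  # usage: make_self_signed <dir> <hostname>
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/server.key"   # the key must stay readable by the server only
}

# Print the certificate's SHA-256 fingerprint as bare uppercase hex.
cert_fingerprint() {  # usage: cert_fingerprint <cert.pem>
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if the certificate matches the fingerprint obtained
# out-of-band (accepts "AA:BB:..." or plain hex, any case).
verify_fingerprint() {  # usage: verify_fingerprint <cert.pem> <expected>
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "$(cert_fingerprint "$1")" = "$expected" ]
}

# Demo: the admin publishes the fingerprint; the client compares before trusting.
demo() {
    dir=$(mktemp -d)
    make_self_signed "$dir" staging.example.test
    published=$(openssl x509 -in "$dir/server.crt" -noout -fingerprint -sha256 \
        | sed 's/^.*=//')
    if verify_fingerprint "$dir/server.crt" "$published"; then
        echo "match: $published"
    else
        echo "MISMATCH: do not trust this certificate"
    fi
    rm -rf "$dir"
}
demo
```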
 
Old 05-19-2008, 06:10 AM   #4
rholme
Member
 
Registered: May 2008
Posts: 47

Original Poster
Rep: Reputation: 15
Well yes HTTPS may be what I must use. However as I said before, the only secure thing is the user and password. These need to be secure as internal folks can do more things - like change the site. I wanted to avoid having several certificates to do this (one public, the other two for staging development). Oh well, from your replies, I guess there is only one option.
 
Old 05-19-2008, 07:49 AM   #5
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Rep: Reputation: 66
HTTPS just provides the secure communication line between ALL clients and your server - whether they're supposed to be connecting or not. The username and password are then used by you to authenticate. The TLS/SSL layer ensures that the username/password are transferred securely. It is up to you to grant whichever access you want, depending on the credentials.
 
  

