- english
- deutsch
secure Login without https
- ↓ how
- ↓ secure?
- ↓ why?
- ↓ alternative solutions
- ↓ Links
table of contents
First: The
JS-SHA1-Login is not a simple "send username + SHA(password)"
It is more a Challenge-handshake authentication protocol.
↑ how #
Oversimplify procedure:
- client get a challenge and a salt from the server.
- user enters his name and a password.
- JavaScript generate a SHA1 hash from password + challenge + salt
- client send username + SHA1 hash to the server
The plaintext password would be not leave the client.
The hash that is sent to the server, is not a simple SHA1(password)!
The detailed procedure explaned here: JS-SHA-Login - pseudo code
The procedure works only with Javascript.
For getting challenge and salt we used AJAX (with jQuery).
For building the SHA1, we used the SHA1 JavaScript implementation by Paul Johnston.
↑ secure? #
JS-SHA1 Login is not really secure in comparison to https! e.g. the client can't validate if he really communicate with the server or with a Man-in-the-middle. JS-SHA1-Login does not protect you against an Session Hijacking
However the used procedure is safer than plain-text authentication. In addition, on the server no plain-text passwords are stored. With the data that are stored on the server, can not be used alone.
If you have https, you can combine it with JS-SHA1 login, similar to combine a digest auth with https.
More information: Warum JS-SHA-Login Sinn macht... (german only, sorry)
↑ why? #
Many, if not even all CMS/wiki/forum, used unsecure Login. User name and password send in plaintext over the Internet. A reliable solution offers only https.
The Problem: No Provider offers secured HTTP connection for little money :( We have been thinking, how can we still accomplish a secure authentication.
↑ alternative solutions #
- Digest access authentication (implementation in
django exist: django-digest):
- pro
- Browser implemented it, so no additional JavaScript needed
- cons
- HA1 must be saved on the server. The HA1 can be used for login, because: HA1 = MD5(username:realm:password)
- used old MD5 hash
- pro
↑ Links #
- SHA1 JavaScript implementation by Paul Johnston (BSD License)
- Python-Forum Threads (de):
- Digest auth als Alternative? (03.2010)
- Sinn oder Unsinn des PyLucids JS-SHA1-Login... (12.2006)
- Wie Session-Hijacking verhindern? (12.2006)
- html-LogIn: Passwort mit SHA1 (06.2005)
- Diskussion auf de.comp.lang.python (08.2006)