HTTPS is used on the web to provide encrypted communication between the browser and the web server. Although we cannot match the protection HTTPS gives, we can still offer users some protection on plain HTTP by encrypting the sensitive parts of the data, such as the username and password, with an asymmetric (public-key) encryption scheme.
This can be done with JavaScript (or a Java applet) that encrypts the login data under the server's public key before the form is submitted. This simple encryption ensures that a passive eavesdropper on the network cannot read the credentials. To prevent a replay attack, the server should add some unique, server-generated value (a nonce) to the form, the client includes it in the data before encryption, and the server accepts each nonce only once. Note the limit of this approach: it does not defend against an active attacker who can modify the HTTP page and swap in their own public key or script, since nothing authenticates the page itself; that is what HTTPS provides and this scheme does not.
The simplest setup is to use GnuPG to generate the public/private key pair. On the client side (i.e. in the browser pages) we can use JavaScript to encrypt the data with the embedded public key, and on the server side we can call the gpg utility directly to recover the original message from the encrypted data.