- 05-30-2012 #1
OpenSSL and CGI-C
Hi, I have the following situation.
I have created a login webpage (login.html) which is hosted on Apache 2 on my Red Hat machine (RHEL 5.6).
The login username and password are validated using CGI-C, which is the server-side scripting in this case. As soon as the user enters his username and password, they are sent to the CGI script; after verification of the details, the user is directed to index.html.
The thing is that it is not safe. Any hacker sitting in the middle of the network can crack the password. So I would like to know how I can secure the username and password.
Another option could be OpenSSL. Is it the correct way of securing the username and password, provided that I am using CGI-C for server-side validation and my username and password are stored in a text file on the server?
Any help would be greatly appreciated!
- 06-06-2012 #2
SSL would be a reasonable option. After the browser and your server exchange credentials using public key encryption, the server sends an encrypted symmetric key that the server and browser subsequently use to encrypt the data stream during the life of the connection. The next time they connect, a new symmetric key (usually a 256-bit AES key) is generated. The possibility of breaking this is very small (life-of-the-universe time to break it). In any case, your concern is valid. It is a very bad idea to send user ID and password credentials unencrypted over the internet, or even over a local network if it isn't otherwise secured.
FWIW, the public/private keys used to exchange credentials and encrypt the symmetric session key are VERY secure - usually 1024-2048 bits long. However, public key encryption is very inefficient, so it is only used to exchange the session key. The symmetric session key (as mentioned, usually a 256-bit AES key) is still very strong, much more efficient in the encryption/decryption process (easy to do in software), and since it is changed frequently, is not an important vulnerability.

Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
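As an added illustration that is not from either poster: once Apache's mod_ssl is in place, the CGI-C program itself can check the environment mod_ssl sets (`HTTPS=on`, an assumption about the Apache/mod_ssl setup) and refuse to read credentials from a plain-HTTP or GET request, so a misconfigured virtual host does not silently fall back to the unencrypted path the question describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decide whether a request may carry login credentials at all.
 * Assumption: Apache with mod_ssl exports HTTPS=on on TLS connections.
 * The form must also be POSTed: with GET the password would sit in the
 * query string and end up in access logs, proxies and browser history. */
int credentials_allowed(const char *https, const char *method)
{
    if (https == NULL || strcmp(https, "on") != 0)
        return 0;                       /* not a TLS connection */
    if (method == NULL || strcmp(method, "POST") != 0)
        return 0;                       /* credentials must be in the body */
    return 1;
}

/* Read the standard CGI environment and apply the check above. */
int request_is_acceptable(void)
{
    return credentials_allowed(getenv("HTTPS"), getenv("REQUEST_METHOD"));
}

int main(void)
{
    if (!request_is_acceptable()) {
        /* Refuse outright: do not validate, and do not redirect, since a
         * redirect would not fix credentials already sent in the clear. */
        printf("Status: 403 Forbidden\r\n");
        printf("Content-Type: text/plain\r\n\r\n");
        printf("Login is only accepted over HTTPS via POST.\n");
        return 0;
    }
    /* The existing CGI-C username/password validation would run here. */
    printf("Content-Type: text/plain\r\n\r\n");
    printf("Credentials received over TLS; proceeding to validation.\n");
    return 0;
}
```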