WesleyA

SSL or encryption or both?

9 posts in this topic

I'm trying to create a secure login script in PHP/MySQL.

I'm faced with many subjects I absolutely know nothing about, so I was looking for some help.

I want to understand the route of a password from the browser to the database.

One thing that is very hazy to me is the difference between SSL and encryption.

My idea is that I could use JavaScript SHA 256 encryption at the client side.

But other sources online recommend SSL.

I was thinking, would it be possible to use both SSL as well as SHA encryption?

Now, I asked questions here before, mostly about solving script issues, but now I'm looking for advice about what the possibilities are.

I have no script yet, because first I want to determine in which way the chances of security leaks are minimized.

Is there anyone who can give more clarity about it?

SSL is client side encryption, except that you're letting the browser handle it which leaves no room for error. You should have an SSL certificate if you're sending sensitive data. Javascript is not always available and there's a lot of room for error if you attempted to do encryption with it.

 

SHA 256 is not encryption, it's a hashing algorithm, which means the original data is lost. You should be doing that on the server-side right before saving the password to the database.


The use of a certificate and forced SSL is the current "gold standard" for protecting net traffic. There are also other guidelines that you should follow. See...

http://php.net/manual/en/security.php

http://dev.mysql.com/doc/mysql-security-excerpt/5.1/en/

https://www.owasp.org/index.php/Cheat_Sheets#tab=Master_Cheat_Sheet

http://stackoverflow.com/questions/85816/how-can-i-force-users-to-access-my-page-over-https-instead-of-http

--edit--

The problem with the idea of another "layer" of encryption is that you would not want to give this job to Javascript or any other code that might potentially be modified by an attacker.

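"Forced SSL" in the reply above means every plain-HTTP request is redirected to HTTPS before anything sensitive is handled. The following is an added example (not from the thread or from the linked Stack Overflow answer) of that decision for a Node HTTP server, including two points a practitioner wants: the X-Forwarded-Proto header is only believed when you say a TLS-terminating proxy is in front of the app (otherwise any client can forge it), and the Host header is validated before being copied into the redirect so the server never bounces users to an attacker-chosen host. The request objects, function names and the HSTS max-age are assumptions; the request shapes in the test are constructed stand-ins for `http.IncomingMessage`.

```javascript
// Added example, not from the thread: redirect plain HTTP to HTTPS.

// Is this request already on TLS? A direct TLS connection shows up as
// req.socket.encrypted. Behind a TLS-terminating proxy the app sees plain HTTP
// and must rely on the proxy's X-Forwarded-Proto header, so that header is only
// consulted when trustProxy is set (assumption: you control that proxy and it
// overwrites the header on every request).
function isHttps(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
  return proto === 'https';
}

// Only plain DNS hostnames are accepted in the redirect target.
const HOSTNAME = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/i;

// Decide what to do with a request. Returns one of:
//   { action: 'serve' }                       already HTTPS
//   { action: 'redirect', location: url }     send a 301 to the HTTPS URL
//   { action: 'reject' }                      Host header missing or not a plain hostname
function decide(req, trustProxy = false) {
  if (isHttps(req, trustProxy)) return { action: 'serve' };
  // Drop any :port; the HTTPS listener is on the default port 443 (assumption).
  const host = String(req.headers.host || '').replace(/:\d+$/, '');
  if (!HOSTNAME.test(host)) return { action: 'reject' }; // never redirect to an attacker-chosen host
  const path = String(req.url || '/');
  if (!path.startsWith('/')) return { action: 'reject' };
  return { action: 'redirect', location: 'https://' + host + path };
}

// Wrap an application handler so the policy runs first. The HSTS header is set
// only on the HTTPS path, since browsers ignore it over plain HTTP anyway.
function enforceHttps(handler, trustProxy = false) {
  return (req, res) => {
    const d = decide(req, trustProxy);
    if (d.action === 'redirect') {
      res.writeHead(301, { Location: d.location });
      res.end();
      return;
    }
    if (d.action === 'reject') {
      res.writeHead(400, { 'Content-Type': 'text/plain' });
      res.end('Bad Host header');
      return;
    }
    res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
    handler(req, res);
  };
}

// Usage (assumption): http.createServer(enforceHttps(app)).listen(80) on the plain
// port alongside https.createServer(tlsOptions, enforceHttps(app)).listen(443).
module.exports = { isHttps, decide, enforceHttps };
```

Note that a 301 only helps the first visit; the Strict-Transport-Security header is what makes the browser go straight to HTTPS afterwards, which also closes the window in which a plain-HTTP request could be intercepted.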

SSL is client side encryption, except that you're letting the browser handle it which leaves no room for error. You should have an SSL certificate if you're sending sensitive data. Javascript is not always available and there's a lot of room for error if you attempted to do encryption with it.

 

SHA 256 is not encryption, it's a hashing algorithm, which means the original data is lost. You should be doing that on the server-side right before saving the password to the database.

 

So when using SSL; other encryption or hashing methods are not necessary?


Sorry, it's an old question. I had put the topic aside for a while, but I want to go on with it.

I found this script online; it recommends using SSL, but the whole setup is done with JavaScript encryption.

http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

My issue is that I don't know if I can trust a script developed by a third party. I can understand a part of the script, but encryption is really complicated. (Though I have not tested or practiced any JavaScript encryption yet.)

What does this encryption do in the example used in the link above, and what does the author know about how it is done? How safe is JavaScript encryption from a third party anyway?

I hope people here can help me and explain these things to me in a clearer way.


The only thing that hashing a password in JavaScript accomplishes is that you will avoid a man-in-the-middle attack where the attacker would find out the original password and could then try the same password on other sites. Using JavaScript to hash the password does not protect your site at all, it only changes the password that an attacker needs to send to your site from a plain-text password to a hashed password. It only protects other sites if someone is conducting a man-in-the-middle attack by spoofing the SSL information between the browser and the server. Otherwise, it doesn't really do anything. It's certainly not a replacement for SSL.

 

That article also seems to mix the terms "encryption" and "hashing", which are not the same thing. That password is hashed, not encrypted. This note, for example, uses the two terms as synonyms:

 

Note: even though we have encrypted the password so it is not sent in plain text, it is essential that you use the HTTPS protocol (TLS/SSL) when sending passwords in a production system. It cannot be stressed enough that simply hashing the password is not enough.

They are not the same thing, which kind of calls into question whether the person who wrote that knows the difference. The major difference is that something that is encrypted can be decrypted, but hashing is only 1-way. Hashing algorithms are specifically designed so that you cannot reliably retrieve the original data from the hash. If you could then it wouldn't be a hashing algorithm, it would be a broken encryption algorithm. All hashing algorithms produce output of a certain size, for example SHA-512 produces a 512-bit hash (represented as 128 hex characters). It is always 512 bits regardless of the size of the input text, which is one of the reasons why it is a 1-way hash. The output of an encryption function is based on the input, since it can be decrypted, so if you encrypt an entire book the encrypted data is going to be a lot longer than encrypting a single word, because the encrypted data needs to contain all of the information to reconstruct the original data. But the hashes would be the same length, because the original data is not included in the hash.

 

So, if you want to use that guide as a base to build your site then that's fine, because they also cover things like brute force protection and session hijacking, but don't assume that you can just skip SSL and not have any problems. Their note points out that it is still essential, it just doesn't explicitly state that their client-side password hashing is not a replacement for SSL.

