Computer Science Canada

[Tip] Secure Transmission

Author:  rdrake [ Sun May 28, 2006 11:10 pm ]
Post subject:  [Tip] Secure Transmission

You now (hopefully) have a fully accessible, standards-compliant website with a shiny layout that all can enjoy. Now what? Well, you might just want to add a secured part to your site.

Not quite as easy to secure as you may think. While password forms on sites may seem encrypted and secure, they really aren't. Anybody with a packet sniffer on your network can get your password unless you take action to prevent that.

There are quite a few ways you can keep the password secure during transmission. One simple method, although not foolproof is to hash the password on submission before submitting to the server. You can use something like an md5 hash to accomplish this. Search google for some scripts.

How is that method not 100% foolproof? Well a determined person could modify the page before it is sent to you, stripping out the javascript which performs this. Also, as said in one of my earlier tips, some clients do not have javascript or have it turned off.

Another (although not as simple) method would be to use SSL. This encrypts all traffic going to/from the server and your browser. Although keep in mind some countries do not allow encryption, and therefore using SSL is illegal.

After receiving the password or other secure information, the database or storage medium would need to store this data securely. I would recommend encrypting the data with a 10-14 character salt using your scripting language of choice, then using md5 hashing on the newly minted passsword. This should be more than enough to keep the password secure in the database.

Remember, the best security you can have is deception. Does the average user need to know you have a login page or secure area at all? Not usually, no. People will not try exploiting something unless they know about it. Do your brag about your system being unbreakable and tell the user exactly what versions of what software you're using? No. That's challenging them and making them want to break in all the more.

Just a few tips to hopefully help you along.