I want to secure the login page on my blog when my browser sends my password to the server (http) as I don't want anyone to steal it.
How would you do it?
As far as I am aware the only real way to do it from a production perspective would be to use javascript to encrypt the data sent in the form and then decrypt it at the other end.
There appear to be a couple of JS classes for this purpose, e.g. http://www.jcryption.org/ jCryption uses the public-key algorithm of RSA for the encryption.
Then a third party packet sniffer would have to know the decryption key to be able to do anything with the data.
I would recommend using SSL for all logins though! Personally I tunnel all my traffic over a VPN so I know it is slightly safer when in public places.
You could only allow the use of the login page over an SSH tunnel ;) However I think SSL is then much less burdensome.
I don't know what to think about the JavaScript suggestions. The key must be shared between client and server, so this needs a secure key exchange as well. That's not trivial at all, and I suspect that only very few really good libraries for that are around. The basic suggestion to "encrypt" something with JavaScript will most certainly just fail.
Use JS to perform RSA. Encrypt it before posting it to the server, then decrypt it when it reaches the server.
If you ask me, I won't use non-SSL encrypted logins. As soon as sessions are involved I switch to SSL as session stealing without SSL is just too easy. Also SSL allows me to protect my pages with Basic-Auth, so I do not even need a session.
So perhaps best is to consider switching your blog to SSL entirely. Note that for using SSL on your server you just need an SSL certificate. There is a company out there which offers a free SSL certificate for $0 per year. Also note that Google and all major search engines can handle https pages without trouble.
I skip the 1000-line answer on how to implement your own secure password scheme using JavaScript and AJAX over insecure lines, because this is difficult to implement.
Two options for logging in securely without JavaScript and without SSL come to mind:
There is a cheap one-time password USB device out there. You just plug it into the USB port, press the button, it creates an OTP and here you go. As it is an OTP it is only valid a single time, so no replay and no problem when it is sniffed.
The other thing is OpenID, which is used here on stackoverflow. OpenID does not need SSL between server and client. Note that the USB token above already is OpenID enabled as well.
Both ways offer trainloads of free libraries to implement it using PHP or other languages. It certainly is easier to implement than to create a properly designed and secure password scheme yourself over insecure lines.
One big caveat, however:
If you use sessions over insecure lines, and logins usually use sessions, be sure to protect the session at least by the IP seen. This must be implemented on the server side. This way, if somebody steals the session cookie the session cannot be (ab)used, provided that the thief does not share the same WLAN (or computer) as you.