SSL Alternatives

I'd like to set up some kind of secure communication link between this server (or one like it) and my browser. For various (good, interesting) reasons, my hosting provider doesn't provide SSL for member sites, so SSL isn't an option. Does anyone else have this problem? I imagine there must be others who can't or won't use SSL, but still want secure communication. I've already started working on a JavaScript & Haskell solution in my head, but I wanted to see if anyone else has already solved the problem before I go too much farther. Anyone?

Comments

RFC 2817

I should think that HTTP/1.1 UPGRADE ought to work. Of course, it's not well supported by either browsers or HTTP servers.

Avoid rolling your own if it's important

I'd avoid rolling your own security if you're actually worried about the data. If the data is not that important it would be an interesting exercise. Dojo has a decent JavaScript crypto library; combined with some kind of Ajax calls, you could pass the data back and forth. Coming up with some kind of defense against a man-in-the-middle attack would be harder.

What I'd suggest, and what I do frequently, is to use ssh to tunnel your traffic (it's possible your hosting provider doesn't provide ssh... but that would be pretty ridiculous). Just connect to your hosting server with ssh and tunnel port 80 and then browse to localhost with your browser.

PuTTY provides a single Windows executable (no install) that fits on the smallest USB thumb drive you can find, and any *nix or Mac box will already have the ssh client installed. I use this to securely connect to my machines from anywhere in the world.
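The tunnel described in the comment above, sketched as an added example that is not part of the original thread. The destination `user@host.example`, the local port 8080 and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: SSH local port forward for browsing a remote web server.
# user@host.example and port 8080 are placeholders, not values from the thread.

# Print the ssh command line that forwards a local port to port 80 on the server.
# $1 = ssh destination (user@host), $2 = local port (default 8080)
tunnel_cmd() {
    dest=${1:-}
    lport=${2:-8080}
    # Reject empty values, anything ssh would parse as an option, and spaces.
    case $dest in
        ''|-*|*' '*) echo "refusing destination '$dest'" >&2; return 1 ;;
    esac
    case $lport in
        ''|*[!0-9]*|??????*) echo "local port must be 1-5 digits" >&2; return 1 ;;
    esac
    if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "use an unprivileged local port (1024-65535)" >&2
        return 1
    fi
    # -N                    forwarding only, no remote shell
    # 127.0.0.1 bind        other hosts on the local network cannot use the tunnel
    # ExitOnForwardFailure  ssh exits instead of running without the forward
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:80 %s\n' \
        "$lport" "$dest"
}

# URL to open in the browser once the tunnel is up.
tunnel_url() {
    printf 'http://127.0.0.1:%s/\n' "${1:-8080}"
}

# Usage: sh tunnel.sh --connect user@host.example [local_port]
if [ "${1:-}" = "--connect" ]; then
    cmd=$(tunnel_cmd "${2:-}" "${3:-8080}") || exit 1
    echo "Browse to $(tunnel_url "${3:-8080}") while this is running" >&2
    # Word splitting is intended here; tunnel_cmd has rejected spaces in $dest.
    exec $cmd
fi
```

On shared hosting that uses name-based virtual hosts, the server selects the site from the Host header, so a request addressed to 127.0.0.1 may return the server's default site rather than yours.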

Great idea

It is a great idea for me too. PuTTY is the best Win32-enabled SSH client outside of OpenSSH itself. Even though OpenSSH is dramatically faster (especially vs. pscp), PuTTY has a MUCH better key maintenance system.


Good idea

I'm still interested in it as an exercise, but that's a good suggestion - certainly it would let me move on to other parts of the application I want to work on, without having to implement this secure communications layer first. Someday I might want to have anonymous access, so an ssh login wouldn't work. But for right now, where I'm the only user, ssh tunnels would be a great solution. Thanks!

First off, how much

First off, how much information do you need to purvey? Are we talking about hashing a password in JavaScript before sending it to the server-side verification mechanism? Are we talking about fully bloomed encrypted almost everything? Reasonable answers will depend a lot on your use case.

Moreover, this blog is REALLY not well designed, with such a high hurdle for commenting. If you're worried about spam, look at things like Akismet, or find a good CAPTCHA.

Fully bloomed encrypted almost everything

I'm looking to be able to work with sensitive information that I don't want other people to be able to snoop. Not just a password, but basically an SSL session without the SSL.

Sorry about the hurdles; I just picked an off-the-shelf blogging/CMS tool, and it doesn't seem to have a lot of options for that kind of thing pre-installed. I've enabled anonymous comments now, with an approval process. Logged-in users can post without an approval.