Security on Login page with no SSL

    Hi, I will not be collecting Credit Card details on my site so have no need for SSL but is the Login Page secure in this scenario?

    I quote the following from the security.pdf

    "Logged on Customers
    The account and password details for logged on customers are also protected.
    Passwords aren't stored on the web site, nor are they ever sent across the Internet.
    Actinic derives a signature using an MD5 (signature) of the password, so it is
    designed to be completely secure. Only this signature (from which you cannot
    derive the original password) is stored on the web site and sent from the buyer to the
    web site. The logon process also takes advantage of SSL to provide additional
    protection whenever an SSL certificate is enabled at the web site."

    This leads me to believe it's ok to collect user names and passes without SSL but with SSL is better.

    Thanks
    pnp

    #2
    Yes, the login page is secure enough without SSL; however, SSL adds a bit more security. When the login button is pressed, the JavaScript code generates a hash of the name and password, and this hash will be sent to the scripts. The algorithm used for password encryption makes it impossible to restore the password from its encrypted hash. As the encryption is done in the browser, the password will not be sent over the network (so there is no way to capture and compromise it).
    The only issue with this method is confidence. You know that it is secure but your users probably do not know. Some of the users are only confident in the security of your site when they see the golden padlock at the right left corner of the browser (however, it is less critical for login than credit card capture). E.g. Actinic's credit card capture application is much more secure than SSL but the customers are less confident due to the lack of the golden padlock.

    I hope this helps.

    Regards,
    Zoltan
    Actinic Software
    www.actinic.co.uk
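
A model of the login scheme described in this thread, added here as an example: it is not Actinic's code, and the `user:password` hash input, the sample account and all function names are assumptions. It shows how a signature that is both stored on the site and sent by the browser behaves when it is recorded from an unencrypted request, next to a variant bound to a one-time server challenge.

```python
import hashlib
import hmac
import secrets

def signature(user, password):
    # Browser side. Assumed input layout "user:password"; the thread only says
    # the hash covers the name and password.
    return hashlib.md5(f"{user}:{password}".encode()).hexdigest()

# Server side keeps only the signature. Constructed sample account.
STORED = {"alice": signature("alice", "correct horse")}

def static_login(user, sent_signature):
    # Scheme as described: compare the received signature with the stored one.
    return hmac.compare_digest(STORED.get(user, ""), sent_signature)

class ChallengeLogin:
    # Variant: the browser proves knowledge of the signature for one nonce only.
    def __init__(self):
        self.pending = {}

    def issue(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def verify(self, user, response):
        challenge = self.pending.pop(user, None)  # each challenge is single use
        if challenge is None or user not in STORED:
            return False
        expected = hmac.new(STORED[user].encode(), challenge.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def client_response(user, password, challenge):
    key = signature(user, password).encode()
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()

def demo():
    on_wire = signature("alice", "correct horse")   # body of a plain-HTTP login
    replay_static = static_login("alice", on_wire)  # accepted, password not needed
    server = ChallengeLogin()
    answer = client_response("alice", "correct horse", server.issue("alice"))
    fresh = server.verify("alice", answer)          # accepted once
    server.issue("alice")                           # next login, new nonce
    replay_nonce = server.verify("alice", answer)   # recorded answer rejected
    return replay_static, fresh, replay_nonce

if __name__ == "__main__":
    print(demo())
```

The challenge variant only stops reuse of a recorded login: the stored signature still acts as the secret on the server, and over plain HTTP the login page and its hashing script can be altered in transit, which is what SSL prevents.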



      #3
      Yes that helps... was not aware that Actinic's credit card capture was stronger than SSL.

      Many Thanks
