Proof of Concept Login Encryption to prevent login and passwords from being sent plain text over the wire when using non-secure HTTP

kassah/encryptedlogin

This is an attempt at a wire-tap-resistant login flow for regular (non-HTTPS) HTTP logins.

This does not replace HTTPS, which provides third-party verification of the host as well as encryption of the entire message.

The only goal here is to keep the username and password from being revealed to a wire-tap, and to resist replay attacks, for cases where HTTPS is not practical.

This is STILL vulnerable to a man-in-the-middle attack, and to replay attacks made within 5 minutes of the original submission.

You could fully eliminate replay attacks by issuing one-time tokens to the browser and invalidating each token on submission. If you did that, you could skip the IP and time check.
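The difference between the 5-minute time check and the one-time-token idea, as an added example that is not code from this repository: a server-side store that issues a random token to the login form and deletes it on first use, placed next to a check that relies on a timestamp alone. The class names, the fake clock and the capture-and-replay scenario in `demo()` are all constructed for illustration; the 300-second TTL is the README's 5-minute window, and IP binding is left out since the one-time token makes it unnecessary.

```python
"""Single-use login tokens versus a time-window-only replay check.

Constructed example (assumed design, not the repository's own code).
"""
import secrets
import time

TOKEN_TTL_SECONDS = 300  # the 5-minute window the README mentions


class TimeWindowOnly:
    """Replay check based only on a timestamp in the submission.

    A submission is accepted whenever its timestamp lies within TTL of the
    server clock, so anyone who captured it can resend it inside that window.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable so the scenario below is deterministic

    def accept(self, submitted_at):
        return 0 <= self.clock() - submitted_at <= self.ttl


class OneTimeTokenStore:
    """Server-side store of login tokens that are valid exactly once.

    issue() hands a fresh random token to the login form; consume() is called
    on submission and deletes the token, so a captured submission replayed
    later is rejected no matter how quickly it is replayed. The TTL only
    bounds how long an unused token lingers in memory.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._issued = {}  # token -> issue time

    def issue(self):
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self._issued[token] = self.clock()
        return token

    def consume(self, token):
        # pop() looks the token up and invalidates it in one step, so two
        # submissions carrying the same token can never both succeed.
        issued_at = self._issued.pop(token, None)
        if issued_at is None:
            return False
        return self.clock() - issued_at <= self.ttl

    def purge_expired(self):
        """Drop tokens that were issued but never used; returns how many."""
        now = self.clock()
        stale = [t for t, at in self._issued.items() if now - at > self.ttl]
        for t in stale:
            del self._issued[t]
        return len(stale)


def demo():
    """Run both schemes through a capture-and-replay scenario on a fake clock."""
    now = [1_000_000.0]
    clock = lambda: now[0]

    # Time window only: the original submission is accepted ...
    window = TimeWindowOnly(clock=clock)
    time_window_first = window.accept(now[0])
    # ... and so is the identical submission resent one minute later.
    now[0] += 60
    time_window_replay = window.accept(now[0] - 60)

    # One-time token: first use succeeds, the replay a minute later does not.
    now[0] = 1_000_000.0
    store = OneTimeTokenStore(clock=clock)
    token = store.issue()
    one_time_first = store.consume(token)
    now[0] += 60
    one_time_replay = store.consume(token)

    return {
        "time_window_first": time_window_first,
        "time_window_replay": time_window_replay,
        "one_time_first": one_time_first,
        "one_time_replay": one_time_replay,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The token must be generated server-side and stored there; a token the browser makes up itself proves nothing. Because `consume()` removes the entry before the password check even runs, a second submission of the same form fails whether it comes from the legitimate user or from someone who recorded the first one.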

Hope this helps someone.

Thanks, William Lightning
