Interview question ..

[lampstax]

Hey guys,

 

I had a job interview today and I got asked a question that has been bothering me.  I don't think I am getting the job anyways, but I want to know the answer.

 

We all know user login should be over SSL for security purposes.

 

But what if the host did not have SSL but the client do not want you to transmit the form input via plain text.  How can you do this via PHP ?

 

I was stumped.  I know you can do it via Javascript, but Javascript should never be used for security.  LOLs.

 

I've been Googling and so far I have found stuff like Zend Auth, which ultimately uses Javascript ANYWAYS.

 

Any suggestions ?

[bluejay002]

PHP can't do anything as long as you are still in the client-side, I guess. Well you can do some JS, that is, creating hash (with keys, implied with whatever way you can think of).

 

without SSL. I don't know that much then, unless with some JS and some PHP-side corrections. Aside from that I could use Flex instead (codes are not visible, well, not directly that is). Anyway, you can do it with JS but the data sent should not be final... PHP should do some finishing touches.

 

Somebody can give an input about this, I might be just intersted also.

[shelluk]

Surely you can't. PHP is server side. For the password to be encrypted from the client it needs to be done client side. That's PHP out the window...

 

As you say, use JS, but they've asked how to with PHP!

[bluejay002]

Surely you can't. PHP is server side. For the password to be encrypted from the client it needs to be done client side. That's PHP out the window...

 

As you say, use JS, but they've asked how to with PHP!

 

i was thinkin of the same, eheh. I think I wanna know how it was asked rather than answering the question. I think the interviewer is quite aware of that and maybe trying to get the reaction of the user and how he (if lampstax is a guy that is) would deal with the problem.

[lampstax]

Well, I thought it might be a trick question too.  But I just had to make sure.  I said that the only way I can think of is to have some sort of Javascript to encrypt before sending over, but you never can assume you know every trick in the book. 

 

There just might be some obscure HTTP protocol out there that would do it and some special PHP native function that you would use once in your lifetime to access said protocol.  LOL.

[KevinM1]

Hey guys,

 

I had a job interview today and I got asked a question that has been bothering me.   I don't think I am getting the job anyways, but I want to know the answer.

 

We all know user login should be over SSL for security purposes.

 

But what if the host did not have SSL but the client do not want you to transmit the form input via plain text.   How can you do this via PHP ?

 

I was stumped.   I know you can do it via Javascript, but Javascript should never be used for security.  LOLs.

 

I've been Googling and so far I have found stuff like Zend Auth, which ultimately uses Javascript ANYWAYS.

 

Any suggestions ?

 

Switch hosts?

 

In all seriousness, that is a toughy.  The only thing I've thought of, off the top of my head, is to use JavaScript to hash the inputed values before they're transmitted to the server.  Like you say, that's hardly a safe/secure way of doing things, though.  Does SSH require SSL?