First of all, this is my first post here, I've been a coder for ages and learnt most of what I know from forums like this one, it's about time I started giving something back and I plan to, but for now, my first post is a question (sorry)...

I've been looking for a way to ensure 100% secure access to an admin area of a website... I've previously used PHP MySQL / cookie based authentication and also htpasswd, each being about as secure as the other (the first being 95% secure but much prettier in that you can use a page with nice CSS, the second being 99% secure but just gives you an ugly authentication box)... neither of these are as secure as using encryption though, and I'd like to implement some kind of encryption for the form data that carries the user's password to the server.

I was glad to find out about OpenSSL and GnuPG on Wikipedia and even more glad that my hosting provider offers GnuPG, but though I can find PHP scripts for encrypting using GnuPG and methods for generating keys on my server, all I really seem to have found is ways of encrypting data. What I still don't know is (the basic definitions!):

1. Can we use it for protecting regular HTML pages where the client is a regular browser (i.e. is it just like SSL, or is it strictly for transactions where the client has GnuPG installed also)?

2. If so, how? Does a script generate the handshake transaction using GnuPG's shell, or does it invoke the server to require a key for certain files?

3. Does the protocol change to https, on port 443?

Thanks to any who can help with this. I was amazed to see there is only one search result in these forums for "gnupg"! Maybe I'm the only one here who doesn't get it :-\

P.S. Someone's bound to post a link with "found the answer in .03 seconds", but I really have been searching and reading all sorts of stuff, I know a lot about the encryption process now, I just haven't fully understood any of the definitions of what GnuPG is and whether I can implement it for users at large

Thanks

GnuPG (an implementation of PGP) is usually used for digitally signing and encrypting emails, and I've never heard of it being used for anything but that - but I can see how it could be useful. If several conditions are met, I think it could be done, but I'm not sure how possible it is to meet these conditions.

Condition 1: You can make your web server send PGP-encrypted data. There are Perl modules that use PGP to encrypt data, and with mod_perl, I think you could find a way to send PGP-encrypted data.

Condition 2: The clients can decrypt PGP-encrypted data. That means that the private key would have to be distributed, which is always a security risk. It also means that you'd have to find a client that supports decrypting PGP-encrypted data. A quick search of the Mozilla extensions library indicates that there's nothing yet created for this.

Thanks, neylitalo. I guess there's no alternative to SSL certificates and handing over money for them, then?

You never have to pay for an SSL certificate. You can always generate your own, but it won't be trusted by browsers. If you visit www.cacert.org, you can get a completely free SSL certificate for your domain that is expected to be trusted by browsers in the near future.
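
The trust gap mentioned in the last reply can be reproduced with the openssl command-line tool. This is an added example, not part of the original thread; the hostname admin.example.test and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate a self-signed certificate and show why a client
# rejects it until it is explicitly installed as a trust anchor.

make_self_signed() {
    # $1 = output directory, $2 = hostname for the certificate subject (CN)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/server.key"   # the private key stays on the server only
}

is_self_signed() {
    # A self-signed certificate names itself as its own issuer.
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ]
}

trusted_by_default() {
    # Validate against the system trust store, the way a browser validates
    # against its built-in list of certificate authorities.
    openssl verify "$1" >/dev/null 2>&1
}

trusted_when_pinned() {
    # Validation succeeds once the client is given this exact certificate
    # as a trust anchor (the manual step a self-signed setup requires).
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir" admin.example.test || return 1
    is_self_signed "$dir/server.crt" && echo "issuer == subject: self-signed"
    trusted_by_default "$dir/server.crt" || echo "default trust store: rejected"
    trusted_when_pinned "$dir/server.crt" && echo "pinned as trust anchor: accepted"
    rm -rf "$dir"
}

demo
```

The encryption is the same either way; what the self-signed certificate lacks is a third party vouching that the key belongs to the site, which is why each client has to install it by hand.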
