Quote:
Originally Posted by Styx
But if you are protecting sensitive data, then not only would you want to use a good hash function, but you would also use SSL to protect your site from packet sniffing.
Yes, I forgot to mention that. It's silly to encrypt stuff in a database that is (hopefully) more or less secure from prying eyes, while the usernames, passwords, and whatever data they protect are sent in the clear over the internet to be read by anyone along the way. And without SSL, you could just as easily be talking to a bogus server anyway. This is dangerously commonplace, however. For example, this website offers neither SSL for login nor browsing, which could pose a problem on untrusted networks such as a hotel. Sometimes I open up Wireshark just to see what goes by. That's the fun thing about WEP. There's only one key for all clients...
But there's really no excuse. You don't have to spend money to be "certified" by one of the big certificate authorities like Thawte. You can just as easily create a self-signed certificate, which is just as secure but not as user friendly (it will keep popping up a warning until the user chooses to always trust that certificate). There are also free CAs available. One example is StartCom. It is included in Firefox's certificate store by default, and I believe Konqueror and Safari too, meaning that those users will not get a warning message that they'd probably ignore and click through anyway (defeating the purpose). Internet Explorer, however, tends to require hefty...donations to be a "trusted" CA.
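The self-signed certificate described in the reply above, as an added example that is not part of the original thread: it generates a key and certificate with OpenSSL and then shows the two verification outcomes behind the browser warning. Against the default trust store the certificate is rejected (no known CA signed it); once the client pins that same certificate as its own trust anchor (the "always trust" choice), verification succeeds. It assumes `openssl` is installed; the hostname `example.test` is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI is available.
set -eu

# Scratch directory for the constructed key and certificate; removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a 2048-bit RSA key and a self-signed certificate valid for 365 days.
# example.test is a placeholder hostname, not a real site.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -days 365 -subj "/CN=example.test" >/dev/null 2>&1
}

# Verify against the default trust store only: prints "untrusted", because the
# certificate chains to no CA the client already knows. This is the condition
# that makes a browser pop up its warning.
verify_default() {
  if openssl verify "$WORK/server.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Verify after the client has pinned the certificate itself as a trust anchor
# (what "always trust this certificate" does): prints "trusted". The TLS
# encryption is the same in both cases; only the trust decision differs.
verify_pinned() {
  if openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_self_signed
echo "default trust store: $(verify_default)"
echo "pinned certificate:  $(verify_pinned)"
```

The point the two checks make is that a self-signed certificate loses nothing on the wire; what it lacks is a third party vouching for the name, so each client has to make that trust decision itself, and users who habitually click through the warning get no protection against the bogus server the reply mentions.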