2

Possible Duplicate:
Can you secure a web app from FireSheep without using SSL?

Think of a typical web application where the users log in, and then the session is kept with a session key. Is it possible to protect it from all kinds of sniffing-based attacks without HTTPS or its equivalent?

Let's say I'm not worried about data transfer, only password or session theft.

Konrad Garus
  • 765
  • 1
  • 7
  • 8
  • Oops, I thought this seemed familiar, but I didnt have time to search before answering... Anyway, @Konrad, welcome to the site - these are healthy questions to ask (even if trivially wrong :) ), search around the site a bit and I'm sure you'll find more interesting questions! – AviD Jun 30 '11 at 18:01

1 Answers1

9

No.

Even assuming you're only referring to leakage of user passwords and/or session ids (btw "secure" includes a lot more than that)...

There is simply no secure way to send a user password over the Internet in the clear, without benefit of a proper encryption protocol. Without using TLS/SSL, you'd be forced to implement this yourself - which, at best, would be insecure.

Likewise, the user's session identifier would be equally exposed, if not restricted to HTTPS only.

That said, the above all assumes a website on the public internet.
There are certain other situations which can be secured without TLS/SSL:

  • Internal (e.g. corporate) website, that is protected using IPsec.
  • A local website, on the same machine that the user is browsing from, accessible over the loopback interface only (and dependant on the machine being in use by a single user, not e.g. a shared terminal server).
AviD
  • 72,708
  • 22
  • 137
  • 218
  • 2
    @konrad-garus I think the bigger question is also why would you not have TLS? Performance issues can be handled e.g. by putting in a hardware SSL accelerator. Certs are cheap. Even content delivery can be over HTTPS. Why would you not implement one of the simplest and cheapest security measures to protect data in transit? – Rakkhi Jun 30 '11 at 14:30
  • Why couldn't you use https for username and passwords and use an encrypted cookie or some sort of oauth to remember the user? Wouldn't that be secure? – j will Sep 09 '15 at 22:20
  • @jwill th OP specifically said no HTTPS... – AviD Sep 10 '15 at 06:51
  • @Rakkhi one use-case is that your server runs in an internal network, that does not have Internet access. Yet many users can connect to this server, so you want to use encryption to keep each users data private. IN this case there are no good options for TLS: https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network – TmTron May 11 '21 at 07:28