How to send password securely over HTTP?

Kornelije Petak picture Kornelije Petak · Oct 17, 2009 · Viewed 132k times · Source

If on a login screen user submits a form with his username and password, the password is sent in plain text (even with POST, correct me if I am wrong).

So the question is what is the right way to protect the user and his password against the third party who might be eavesdropping on the communication data?

I am aware that HTTPS is asolution to the problem, but is there any way to ensure at least some level of security using standard HTTP protocol (POST request)? (perhaps using javascript in some way)

EDIT I may have left out some important things.

What I was about was a page - that is PHP generated login page, which is of course sent to user in HTTP GET request as a HTML file. There is no (@Jeremy Powel) connection established between server and the client so I can't create such handshaking protocol. And I want the complete process to be transparent to the user - he wants to submit a password, not deal with cryptography.

Thanks.

Answer

Jeremy Powell picture Jeremy Powell · Oct 17, 2009

Using HTTP with SSL will make your life much easier and you can rest at ease very smart people (smarter than me at least!) have scrutinized this method of confidential communication for years.