security Q: If i dont have an SSL certificate...

deezzer

If i dont have an SSL certificate:

Does that mean that when my users register or login,

and they type in their passwords,

even though my HTML script says for passwords to be "passwords",

they can still be intercepted while being sent along the network

from the client to the server?

Thanks

dinger

Without an SSL certificate any info sent from client to server via an HTML-based form is sent to the server in plain text. Even info in 'password' text boxes (the ones that replace the text with stars) is sent to the server in plain text. The only advantage password boxes have is that they show stars instead of text so that someone else watching you type cant find out your password.

It is possible that (using a packet sniffer) usernames/passwords/other info can be intercepted.

What SSL does is it encrypts the data so that it's not in plain text and so anyone 'listening in' would only get garbled info NOT the user's username/password/CC#/SS#/etc.

IMHO any site that deals with sensitive info such as Credit card info, social security numbers or the such nees to have an SSL certificate. No one in their right mind would submit that info via a non-encrypted form.

Long story short - if you're planning on handling credit card transactions purchase the SSL certificate.

deezzer

Thank you.

scrupul0us

if ur really concerned... just have javascript MD5 anything b4 sending it to the server (since JS is client side)

http://pajhome.org.uk/crypt/md5/