| Time | S | Nick | Message |
|---|---|---|---|
| 06:41 | | | mr_lou joined ##friendlyjava |
| 06:41 | | | Jantz joined ##friendlyjava |
| 10:35 | | | kirua joined ##friendlyjava |
| 12:13 | | | Jantz joined ##friendlyjava |
| 15:09 | | mr_lou | I've made a small webserver for my BD-J stuff.... any advice on adding SSL to something like that, when traffic will also be via a standard IP address? |
| 15:27 | | aditsu | mr_lou: you mean like https://(ip address)? |
| 15:56 | | mr_lou | Yup |
| 15:57 | | aditsu | https://stackoverflow.com/questions/2043617/is-it-possible-to-have-ssl-certificate-for-ip-address-not-domain-name |
| 16:03 | | mr_lou | Yes I found that too actually. |
| 16:04 | | mr_lou | The next problem is that I don't know beforehand what the IP address will be.... |
| 16:04 | | mr_lou | I can in theory be anything. |
| 16:05 | | mr_lou | *It |
| 16:10 | | aditsu | is it dynamic? |
| 16:17 | | mr_lou | It's an administration interface for a display system. The IP will depend on the network it's installed in. So it'll always be different. |
| 16:18 | | mr_lou | I would still like to offer secure traffic though. |
| 16:18 | | mr_lou | So some sniffer can't just sniff the password. |
| 16:19 | | aditsu | do you have any control over the client side? |
| 16:20 | | mr_lou | What do you mean control? My server sends the HTML. That's about it. |
| 16:20 | | aditsu | that's a no then |
| 16:22 | | aditsu | well, then it's pretty much like a router, basically all the ones I've worked with come with a self-signed certificate that will give a warning when you connect |
| 16:22 | | aditsu | or perhaps with a certificate for a domain name that doesn't match the ip |
| 16:37 | | mr_lou | yea, that's true. It's basically the same as with office hardware too, like printers with a web interface. |
| 16:37 | | aditsu | yeah, same thing |
| 16:38 | | mr_lou | It is silly though, that users are warned about the certificates though. |
| 16:39 | | aditsu | well, the issue is the possibility of a MITM attack |
| 16:40 | | aditsu | https is designed to ensure both encryption and authentication of the server |
| 16:40 | | aditsu | at the same time |
| 16:41 | | aditsu | it would be nice if there was an "encryption-only" option for this kind of case |
| 16:42 | | aditsu | but even without encryption, you can avoid transmitting the plain password |
| 16:43 | | aditsu | do a salted hash on the client side and send that |
| 16:44 | | | Jantz joined ##friendlyjava |
| 17:39 | | mr_lou | aditsu, A salted hash wouldn't prevent someone sniffing the traffic, to simply send the same traffic. |
| 17:40 | | aditsu | a different salt would be sent by the server every time |
| 17:41 | | mr_lou | But can't that be sniffed too? |
| 17:41 | | aditsu | yes, but after the client sends the hash, it's useless |
| 17:42 | | mr_lou | Yes... I see that's how I have to do it. |
| 17:42 | | mr_lou | thanks. |
| 18:58 | | | Jantz_ joined ##friendlyjava |
| 23:12 | | | Jantz joined ##friendlyjava |