How can I make some calls with SSL



Dumbledore
6 Jan 2010, 10:10 PM
Hi there,

I use Ext 3.1 with the PHP Ext.Direct implementation from Tommy Maintz. Everything runs fine, but I am searching for a way to do some calls with SSL (login, change account data).

Is it possible to do this for some calls? Or must I set up a second remote provider?

Bye, Dumbledore

aconran
5 Feb 2010, 11:11 AM
Dumbledore -

If your site is already over SSL, your Ext.Direct calls will also go over SSL.

Max_nl
9 Feb 2010, 8:48 AM
I use Ext 3.1 with the PHP Ext.Direct implementation from Tommy Maintz. Everything runs fine, but I am searching for a way to do some calls with SSL (login, change account data).


If you only want to protect passwords, consider using HMAC SHA1 challenge/response instead.

http://pajhome.org.uk/crypt/md5/auth.html
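An added example, not part of the original post and not Ext.Direct or pajhome code: a minimal HMAC-SHA1 challenge/response login with a single-use, expiring nonce and constant-time comparison, written for Node.js. The function names, the in-memory stores, the 60-second lifetime and the PBKDF2 key derivation are assumptions made for this sketch.

```javascript
const crypto = require('crypto');

// Hypothetical in-memory stores for this sketch (names are assumptions).
const users = new Map();   // username -> { salt, key }
const pending = new Map(); // username -> { nonce, expires }

// Client and server derive the same HMAC key from password + salt,
// so the password itself never crosses the wire.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');
}

function register(username, password) {
  const salt = crypto.randomBytes(16);
  users.set(username, { salt, key: deriveKey(password, salt) });
}

// Server, step 1: issue a fresh random nonce that expires after 60 seconds.
function issueChallenge(username, now = Date.now()) {
  const user = users.get(username);
  if (!user) return null;
  const nonce = crypto.randomBytes(20).toString('hex');
  pending.set(username, { nonce, expires: now + 60000 });
  return { nonce, salt: user.salt.toString('hex') };
}

// Client: answer the challenge with HMAC-SHA1(key, nonce).
function clientResponse(password, challenge) {
  const key = deriveKey(password, Buffer.from(challenge.salt, 'hex'));
  return crypto.createHmac('sha1', key).update(challenge.nonce).digest('hex');
}

// Server, step 2: consume the nonce first (single use), then compare
// the expected and received MACs in constant time.
function verifyResponse(username, response, now = Date.now()) {
  const user = users.get(username);
  const challenge = pending.get(username);
  pending.delete(username);
  if (!user || !challenge || now > challenge.expires) return false;
  const expected = crypto.createHmac('sha1', user.key)
    .update(challenge.nonce).digest();
  const received = Buffer.from(String(response), 'hex');
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}
```

The stored key is password-equivalent, so it needs the same protection as a password database, and nothing in this exchange authenticates the server to the user.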

stever
18 Feb 2010, 2:57 PM
I switched to using this:

http://server.denksoft.com/wordpress/web-development/secure-ajax-channel-srp-hermetic/

I use the Ext.direct calls for the challenge-response, and I'm currently extending the Ext.Direct on the client and server side to do signing and encryption of Ext.Direct calls, which turns out to be rather interesting and a bit of work...

Dumbledore
28 Feb 2010, 10:19 AM
Thank you very much for your responses...

Currently I have implemented SHA1 challenge/response, but I will have a look at http://server.denksoft.com/wordpress...-srp-hermetic/.

Gunmen
2 Mar 2010, 10:01 AM
And what solution does Aaron prefer? Is SSL not the most safe? But all calls need to go over SSL with Ext... is a separate site solution possible for authentication, or an https parameter? :-?

Stanford's Secure Remote Password protocol is not supported in all browsers:
http://srp.stanford.edu/demo/ :s

Max_nl
2 Mar 2010, 10:21 AM
Is SSL not the most safe?

Yes, SSL is most secure, because it allows the user to verify the authenticity of the website.
The user can verify he's directly connected to the real website, and not to the server of an attacker that sits in the middle.

But challenge/response is better than nothing, and works fine against passive attacks (traffic sniffing).

Gunmen
3 Mar 2010, 12:59 AM
Yes, SSL is most secure, because it allows the user to verify the authenticity of the website.
The user can verify he's directly connected to the real website, and not to the server of an attacker that sits in the middle.

But challenge/response is better than nothing, and works fine against passive attacks (traffic sniffing).

Thanks.

Do you, or someone else, have an example of how to encrypt the username and password before sending them to the server? And decrypt them on the server?

Thanks again!

Dumbledore
3 Mar 2010, 9:11 AM
Gunmen, take a look here:

http://www.extjs.com/forum/showthread.php?p=133516