ASP.NET 1.1: As of 10/6/2005, this forum is locked as part of the reorganization described here: http://p2p.wrox.com/topic.asp?TOPIC_ID=35394. No posts have been deleted. Open ongoing discussions from the last week have been moved to either ASP.NET 1.0 and 1.1 Beginners (http://p2p.wrox.com/asp-net-1-0-1-1-basics-60/) or ASP.NET 1.0 and 1.1 Professional (http://p2p.wrox.com/forum.asp?FORUM_ID=50). See my sticky post inside for more.
Welcome to the p2p.wrox.com Forums.
You are currently viewing the ASP.NET 1.1 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

April 11th, 2005, 07:28 AM
Authorized User
Join Date: Jun 2004
Posts: 55
Thanks: 0
Thanked 0 Times in 0 Posts
how to encrypt web form results without using SSL?
How can I encrypt data sent across my website from web forms without using SSL? Such as on Login, where the user enters "EmailAddress" & "Password", and a simple Registration Form in which the user creates a Password, FirstName, LastName, etc.
I see some sites allow users to register, log in, and retrieve a lost password without using an SSL connection. (I know anytime you deal with credit card info or very sensitive info you need SSL.)
Thank you in advance.

April 13th, 2005, 08:35 PM
Friend of Wrox
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Unless you wish to re-write/add to the HTTP protocol and get all the browsers to support your addition, SSL is the option you get.
I suppose you could write some kind of encryption algorithm that runs on the client to encrypt the form fields before they are sent, but that wouldn't be all that useful because that code would be public and not too difficult to reverse engineer.
What is your opposition to SSL?
- Peter

April 13th, 2005, 10:56 PM
Friend of Wrox
Join Date: Jun 2003
Posts: 540
Thanks: 0
Thanked 4 Times in 4 Posts
I think I have a question that goes along with this. For example, if you go to hotmail.com the initial page does not appear to use encryption. When I submit my username and password, I see it flash to an https page and then it flashes back to an unencrypted page.
Are my username and password encrypted when they are sent to the https page?

April 14th, 2005, 08:10 AM
Friend of Wrox
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
I don't use hotmail so I'm not familiar with how they do this, but I imagine it's something like this:
You have a form on the page that has an action value starting with "https://". This tells the browser to post the form to a secure URL, and thus encrypt the request. That's really the only critical piece in this case. Everything else in the mail application (even the login form itself) can be un-encrypted because it contains no sensitive data.
- Peter

April 14th, 2005, 08:31 AM
|
Friend of Wrox
Join Date: Jun 2003
Posts: 540
Thanks: 0
Thanked 4 Times in 4 Posts
That is where I have always been fuzzy. I always assumed that until you were actually on a secure URL, the contents weren't encrypted - that is, that the client had no way of encrypting it. I guess that I assumed this because you don't see too many sites that do it this way, even for login information - start off with a normal page and post to a secure page. For example, Yahoo! doesn't seem to do this. They have a secure login page that starts off initially as an "https" page.
So what you're (Peter, or anyone else who wants to chime in) saying is that as long as you post to the secure page, even from an insecure page, the browser will encrypt the contents before they are sent? I have also assumed this because none of the articles that I have read about using SSL utilized the approach of posting from an unencrypted page to an encrypted page.
I haven't had to do any pages using SSL so this is kind of a new topic for me. Most of my pages are utilized internally using Windows authentication.

April 14th, 2005, 08:49 AM
Friend of Wrox
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
I'm pretty sure that this functions as we've described.
Here's the problem with it however: Most internet users aren't programmers and therefore don't know how the HTTP protocol works. When they see a login page that is not hanging off an https URL they get scared and think it's not secure. The login page is indeed not secure because technically it doesn't need to be, but socially it does. Of course, the irony then is that the login FORM could be secure, while the actual POST with your username and password in it could not and the user would never know.
- Peter
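
The three cases discussed in the posts above (an unencrypted page whose form action starts with "https://", a page and POST that are both on https, and a secure-looking page whose POST goes out in the clear), as an added example that is not part of the original thread: a Python check that reports where each form containing a password field will actually be submitted. The hosts, markup and verdict names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormAudit(HTMLParser):
    """Record where each form containing a password field will be submitted."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (resolved action URL, verdict)
        self._action = None         # action of the form currently open, else None
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
            self._has_password = False
        elif tag == "input" and self._action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.findings.append(self._classify(self._action))
            self._action = None

    def _classify(self, action):
        # A relative or empty action inherits the scheme of the page itself.
        target = urljoin(self.page_url, action)
        page_tls = urlsplit(self.page_url).scheme == "https"
        post_tls = urlsplit(target).scheme == "https"
        if not post_tls:
            return target, "CLEARTEXT_POST"   # credentials cross the wire unencrypted
        if not page_tls:
            # The POST is encrypted, but the form arrived over plain HTTP, so
            # nothing authenticated its action attribute before the user typed.
            return target, "ENCRYPTED_POST_FROM_HTTP_PAGE"
        return target, "HTTPS_PAGE_AND_POST"

def audit(page_url, html):
    """Return [(resolved action URL, verdict)] for every login-style form."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; host names and paths are placeholders.
FORM = '<form method="post" action="%s"><input name="EmailAddress"><input type="password" name="Password"></form>'
```

Calling `audit(page_url, html)` on a fetched login page returns one tuple per password form; a `CLEARTEXT_POST` verdict on a page served over https is the case the padlock does not reveal.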

April 14th, 2005, 09:16 AM
Friend of Wrox
Join Date: Jun 2003
Posts: 540
Thanks: 0
Thanked 4 Times in 4 Posts
Thanks! This clears it up better for me. I assumed it was along this line with Hotmail because everyone knows that Microsoft wouldn't do anything to compromise the security of their users ;). You're right about the social aspect. It makes people feel all warm and fuzzy when they see the padlock down at the bottom of Internet Explorer.
As I stated, all of the articles (grand total of 2) that I read always started at an https page so I never really second guessed it. I just assumed this was the methodology to use.
J

April 16th, 2005, 05:24 AM
Authorized User
Join Date: Jun 2004
Posts: 55
Thanks: 0
Thanked 0 Times in 0 Posts
Thank you all. I think SSL is the best option.
belete