Any authentication method can be combined with protecting the system using HTTPS. In most cases, accessing a system using HTTPS can be considered the most secure protection. However, both programmers who implement such a system and users who visit it should be aware of what HTTPS can do, and what it cannot.


The only purpose of HTTPS is to protect against traffic interception.

HTTPS is necessary only when traffic interception is strongly undesirable or likely. The use of this protocol is especially recommended when a user's login and password are sent unencrypted every time the user accesses a document. An example of such a situation is HTTP Basic authentication.

There are a few other cases, in which it is necessary to use authentication through HTTPS with the users' private keys and asymmetric encryption algorithms. This authentication system is the most effective of the systems described earlier. However, it is the most difficult to implement.

As a more advanced variant of authentication system, private keys can be stored on smart cards and other specialized devices designed for this purpose. A correctly implemented authentication system based on public or private keys would provide maximum protection against traffic interception and unauthorized reading of files on the server. In some cases, even unlimited access to the client won't allow an attacker to obtain the information necessary for successful authentication and authorization.

Hacker Web Exploition Uncovered
Hacker Web Exploition Uncovered
ISBN: 1931769494
Year: 2005
Pages: 77 © 2008-2017.
If you may any questions please contact us: