CGI question: safe passwords possible?

Gerhard Häring gh at ghaering.de
Sat May 31 15:23:10 EDT 2003


Will Stuyvesant wrote:
>> > [Gerhard Häring]
>> > That's why I recommended to use digest authentication.
> 
>> [Paul Rubin] 
>> Javascript has better browser coverage than digest auth, ...
>> 
>> I really think the OP should say more about what he's doing.  If his
>> security requirements are bad enough that he needs to worry about
>> passwords being captured, he may have much worse problems that he
>> doesn't know about yet.
> 
> [...] I am building a prototype for an application.  For this
> I would very much like to do CGI programming with
> Python.  I already have most of it figured out, with
> Python and CGI, in a nice way, independent of host or
> operating system etc.  But the customer insists on
> "security". [...]

Ok. It's probably best to use secured HTTP (HTTPS), then. Getting a
site hosted via HTTPS *is* more expensive than plain HTTP, but if you
need it, you really need it :-)

If you're concerned about performance, you could only publish some
"pages" of your site via HTTPS, the rest via HTTP.

The main advantage that you could also explain to your customer is
that HTTPS is proven technology. If my bank uses it for online
banking, it should be good enough for you ;-)

Especially in the security field, I prefer to use proven technologies
instead of inventing my own schemes that I think *should be* secure.

> [...] Of course I would prefer Python to javascript, but I
> have to deal with a hosted environment, and later on
> even unknown hosts,

Any hoster should offer HTTPS.

> This all seems to lead to the conclusion that Python is
> useless for secure CGI programming, at least for the
> difficult first "authenticate and login" step, unless
> you are a service provider yourself.  

Python is no different than any other language here.

Gerhard
-- 
http://ghaering.de/
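
The advice above, serving only the login step over HTTPS from a Python CGI script, can be sketched as follows. This is an added example, not code from the original post; the host name, the sample account, the form field names and the `HTTPS=on` environment variable (set by Apache and most CGI hosts, but not part of the CGI specification) are assumptions.

```python
import hashlib, hmac, os, secrets, sys
from urllib.parse import parse_qs

CANONICAL_HOST = "www.example.org"   # assumption: the site's HTTPS host name
# Constructed sample account; a real application stores a random salt per user.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 200_000
USERS = {"will": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS)}

def is_https(environ):
    # Assumption: the web server exports HTTPS=on for TLS requests.
    # Check what your hoster actually sets before relying on it.
    return environ.get("HTTPS", "").lower() == "on"

def handle_login(environ, body):
    """Return (status, headers, text) for one CGI request to the login script."""
    method = environ.get("REQUEST_METHOD", "GET")
    if not is_https(environ):
        if method == "POST":
            # The password has already crossed the wire in clear text:
            # do not authenticate with it and do not redirect the POST.
            return "403 Forbidden", [], "Login is only accepted over HTTPS.\n"
        target = "https://%s%s" % (CANONICAL_HOST, environ.get("SCRIPT_NAME", "/"))
        return "301 Moved Permanently", [("Location", target)], ""
    if method != "POST":
        return "200 OK", [], "(login form goes here)\n"
    form = parse_qs(body)
    user = form.get("user", [""])[0]
    password = form.get("password", [""])[0].encode()
    candidate = hashlib.pbkdf2_hmac("sha256", password, SALT, ITERATIONS)
    expected = USERS.get(user, b"\0" * 32)   # unknown user: compare against dummy
    if not hmac.compare_digest(candidate, expected):
        return "403 Forbidden", [], "Bad user name or password.\n"
    # Secure keeps the browser from sending the session cookie to the
    # plain-HTTP pages of the site. (Server-side session storage omitted.)
    cookie = "session=%s; Secure; HttpOnly; Path=/" % secrets.token_urlsafe(32)
    return "200 OK", [("Set-Cookie", cookie)], "Welcome, %s\n" % user

if __name__ == "__main__":
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    status, headers, text = handle_login(os.environ, sys.stdin.read(length))
    print("Status: %s" % status)
    for name, value in headers:
        print("%s: %s" % (name, value))
    print("Content-Type: text/plain\n")
    print(text, end="")
```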



