user5078091

I need an alternative to WSS which does not require any certificate for signing in

I have ws working for sending user login details through a websocket. However, I know that someone sniffing packets could capture the password, so I wanted to use wss instead. However, I now understand, through playing around with my back end, that firstly a certificate is required for it to connect properly, and secondly, if I cause the self-signed certificate warning to show, afterwards the websockets will work with wss, but that is not good enough for clients. From googling this issue, I have found that a self-signed certificate will probably not be good enough.

And all I want is to provide a user with a safe way to log in... So anyway, I am now thinking it would be better to avoid having to use wss altogether. I could use a conventional servlet for login, but that will probably require a certificate too for https, and I don't want to have to start paying people loads of money for certificates when my business might not even be that successful.

I have been thinking about other ways I could send the user's password securely. One way might be to generate a hash in the browser. I know I could use some kind of challenge along with a salt sent to the browser, but I am not exactly sure how to do this and how safe this would be. I have the conventional login working with a salt, generating a hash with AES. Any suggestions?

I just want the user's login details to be safe, and I don't want to go down the route of certificates; it's annoying and unreliable.

Upvotes: -1

Views: 2247

Answers (1)

vtortola

Reputation: 35885

Login should always happen through HTTPS. Not only the POST sending the user and password, but also the GET getting the login form, so the client can be sure it is getting the right form and that their information will be posted to the right place.

You can send login details either by HTTPS or WSS if you want security. If you use a self-signed certificate you will provide transport security, but as the certificate is not signed by a CA, the client cannot be sure that the server with which it is interacting is the right one, and that is why the browser shows a warning.

So, if you want security for your clients, you should get a signed certificate and use it for HTTPS and WSS (you can get them from 10 bucks per year in some places). Anything that you do in the browser is insecure by default, starting with the user not having certainty of interacting with the right server and not a spoofed one.

Upvotes: 0
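The answer's advice applied to the servlet container the asker mentions, as an added example that is not part of the original answer: one TLS connector serves both the HTTPS login form/servlet and the wss:// endpoint from the same CA-signed certificate, and a security constraint keeps the login path off plain HTTP. It assumes Apache Tomcat 8.5 or later, a JVM that supports TLS 1.3, and a keystore (placeholder path and password) holding the signed certificate and its chain.

```xml
<!-- conf/server.xml (Tomcat 8.5+, assumed): the single TLS connector that
     serves https:// pages and wss:// upgrades with the same certificate.
     Keystore path and password are placeholders, not real values. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150">
  <!-- TLS 1.3 needs a JVM that supports it (assumption); TLS 1.2 is the floor. -->
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateKeystoreFile="conf/REPLACE_WITH_keystore.jks"
                 certificateKeystorePassword="REPLACE_WITH_PASSWORD"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- The plain-HTTP connector only knows where to redirect; it never serves
     the login form itself. -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />

<!-- WEB-INF/web.xml: every request under /login (the GET for the form, the
     POST of the credentials and the WebSocket upgrade, which is also an HTTP
     GET) must arrive over TLS. A plain-HTTP request is answered with a
     redirect to the redirectPort; a browser WebSocket client does not follow
     redirects, so a ws:// handshake to this path simply fails instead of
     carrying the password in clear text. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>login</web-resource-name>
    <url-pattern>/login/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

A JSR-356 endpoint registered under /login is then reached with a wss://host:8443/... URL, and because the certificate chains to a CA the browser trusts, no warning is shown and the client knows which server it is talking to.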
