Today I'm thinking about websites that use the plain HTTP protocol: when a user logs in to such a site, how can the password be protected?
My conclusion is that this is not easy, because I haven't found a method that rules out a man-in-the-middle attack without a PKI infrastructure.
Maybe in the future, with quantum cryptography, this will become easy, but for now it is hard.
Nevertheless, we can still make the login process more secure.
One approach is to hash the password on the client and transmit only the digest instead of the plain password.
If you use this method, don't forget to change the salt frequently enough; otherwise a digest captured on the wire can simply be replayed.
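As an added illustration of this first approach (example code written for this post, not part of the original), the following Python sketch implements the "send a digest, not the password" idea as a challenge-response login. The server stores a salted, slowly hashed verifier; on each login it issues a fresh single-use nonce, and the client sends only an HMAC of its verifier over that nonce. The user name, password and in-memory "database" are constructed sample data, and the function names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory server state: one record per user (a real site
# would keep this in a database) and one outstanding challenge per user.
USER_DB = {}
PENDING = {}

PBKDF2_ITERATIONS = 200_000


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash. Both sides can compute it from the
    password; the server stores it once and never sees the password again."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Registration: store a per-user salt and the derived verifier."""
    salt = secrets.token_bytes(16)
    USER_DB[username] = {"salt": salt, "verifier": derive_verifier(password, salt)}


def start_login(username: str) -> dict:
    """Server step 1: hand the client its salt plus a fresh single-use nonce.
    The nonce is the 'salt that changes on every login' from the post."""
    record = USER_DB[username]
    nonce = secrets.token_bytes(16)
    PENDING[username] = nonce
    return {"salt": record["salt"], "nonce": nonce}


def client_response(password: str, challenge: dict) -> bytes:
    """Client step: bind the password-derived verifier to this login's nonce.
    Only the HMAC crosses the wire, never the password or the verifier."""
    verifier = derive_verifier(password, challenge["salt"])
    return hmac.new(verifier, challenge["nonce"], hashlib.sha256).digest()


def verify_login(username: str, response: bytes) -> bool:
    """Server step 2: recompute the expected HMAC and compare in constant time.
    The nonce is consumed here, so a captured response is useless later."""
    nonce = PENDING.pop(username, None)
    if nonce is None or username not in USER_DB:
        return False
    expected = hmac.new(USER_DB[username]["verifier"], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run a good login, a wrong password, and a replay of a sniffed response."""
    register("alice", "correct horse battery staple")

    # Legitimate login.
    ch1 = start_login("alice")
    resp1 = client_response("correct horse battery staple", ch1)
    ok = verify_login("alice", resp1)

    # Wrong password against a fresh challenge.
    ch2 = start_login("alice")
    wrong = verify_login("alice", client_response("wrong password", ch2))

    # Replay: resp1 was captured on the wire and resubmitted for a new challenge.
    start_login("alice")
    replayed = verify_login("alice", resp1)

    return {"ok": ok, "wrong_password": wrong, "replay": replayed}


if __name__ == "__main__":
    print(demo())
```

This protects the password against a passive eavesdropper and blocks replay of a captured digest, which is all the first approach claims. It does not address the point made above about PKI: an active man-in-the-middle can still relay the challenge and response in real time, or serve a modified login page that asks the browser for the raw password, and the stored verifier is password-equivalent for this protocol, so the server's database still needs the same protection as a password hash store.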
But now I want to use another approach, just for fun.