
Ways to secure a website without https/tls stuff?

Old browsers usually don't support the https protocol, so legacy http is sometimes necessary. However, how can an http application be secured without migrating to https? I think that for a social network or similar, a good idea would be to add 2-factor authentication and use strong passwords.



2 Replies


Reply by Mi cara


So this is a suuuuper old post but I'm new here and I see you're still semi active so I'll respond. If you're using http without https, at the end of the day anyone that catches the traffic WILL be able to see the passwords and such credentials you send over, so strong credentials and 2FA won't help much if an attacker can intercept the data and use it themselves.

What I could think of is this: if the browser you're using isn't that old, you could try an SSH-like encryption, with a client-side public key to encrypt data, and a server-side private key to decrypt it. That way, any sensitive information going into the server won't be usable by anyone other than the server. This could go both ways with a client-side pair of keys to also protect data sent back from the server, but that would increase complexity.



Reply by delicious2003


The idea of encrypting the password with RSA keys is really interesting, but I don't know if it would work for machines with Windows 9x systems. I was also thinking of another possibility: what if I encrypt the data with base64 using js in the client? My idea is to implement ways to protect popular browsers released between 2007 and today. Another thing could be to allow http and https, and not force https if the browser can't understand it. With Apache that should be easy to implement. Then I would need to allow SSL3 and newer versions, and allow some old cipher protocols for these browsers. It surely won't be the best encryption, but it might work for the browsers I want to target.


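The two client-side ideas from the replies, side by side, as an added example that is not part of the thread: base64 reverses without any key, while RSA-OAEP under the server's public key keeps a captured value unreadable. Node's crypto module stands in for both browser and server here; the one-time nonce, the function names and the sample password are assumptions made for the illustration, and the scheme addresses only passive capture, since over plain http the script and public key themselves arrive unauthenticated.

```javascript
const crypto = require('node:crypto');

const PASSWORD = 'correct horse battery staple'; // constructed sample credential
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// base64 idea: an encoding with no key, so a captured value decodes directly.
function base64Encode(text) {
  return Buffer.from(text, 'utf8').toString('base64');
}
function base64Decode(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Public-key idea: the server keeps privateKey, the login page ships publicKey.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Assumption added for this example: a one-time nonce per login form, so a
// captured ciphertext is rejected if it is submitted a second time.
const issuedNonces = new Set();
function issueNonce() {
  const nonce = crypto.randomBytes(16).toString('hex');
  issuedNonces.add(nonce);
  return nonce;
}

// Client side: bind the password to the nonce, encrypt with the public key.
function clientEncrypt(password, nonce) {
  const message = Buffer.from(JSON.stringify({ nonce, password }), 'utf8');
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, message).toString('base64');
}

// Server side: decrypt, then accept only a nonce that was issued and is unused.
function serverDecrypt(b64) {
  const plain = crypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(b64, 'base64'));
  const { nonce, password } = JSON.parse(plain.toString('utf8'));
  if (!issuedNonces.delete(nonce)) return null; // unknown or replayed nonce
  return password;
}
```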