Kreez Kay wrote:
Still would like to know what protocol details I would need to get from the site administrators. The site is using HTTPS and
the certificate is associated with Verisign.
You need to know how the site expects the user name and password to be presented.
Kreez Kay wrote:
I am using a java program to connect to the site using HttpsSocket connection with the password added as a parameter
in cleartext.
I'm not sure this makes sense. If you mean you are using HttpsURLConnection then it does make sense but only if that is the protocol expected by the site. If not then ask the site administrators. HTTPS does not itself mandate how the password should be presented.
Kreez Kay wrote:
My idea was to add an extra layer of security by encrypting the password with public key and send.
So will the site expect the password to be encrypted with the public key and that the encrypted password has to decrypt it before checking against the password database?
Can you give your ideas on this approach?
I don't see any advantage unless of course the site protocol dictates it. HTTPS is secure (as long as the recently discovered 'renegotiation flaw' fix has been applied) and you are unlikely to make it more secure by adding this extra level of encryption. Any attacker who gets access to the encrypted password can then just submit it directly - he doesn't need to know the actual password.
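To make the last point concrete, here is an added example (not code from the thread) that models the proposed scheme end to end: the client RSA-encrypts the password, the server decrypts and compares against its password database. The site's key pair, the stored hash and the password are all constructed for the demonstration; the point it shows is that the server's check accepts the encrypted blob as-is, so whoever holds the blob holds a password-equivalent credential.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;

public class EncryptedPasswordReplay {
    // Constructed for the example: the site's RSA key pair and its stored password hash.
    static KeyPair siteKeys;
    static byte[] storedHash;

    static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Client side, as proposed in the thread: RSA-encrypt the password before sending it over HTTPS.
    static byte[] clientEncrypt(String password) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, siteKeys.getPublic());
        return c.doFinal(password.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: decrypt the blob, then compare with the password database.
    // Nothing here ties the blob to one request, so any holder of the blob passes this check.
    static boolean serverCheck(byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, siteKeys.getPrivate());
        byte[] pw = c.doFinal(blob);
        return MessageDigest.isEqual(sha256(new String(pw, StandardCharsets.UTF_8)), storedHash);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        siteKeys = kpg.generateKeyPair();
        storedHash = sha256("correct horse battery staple"); // constructed password

        byte[] blob = clientEncrypt("correct horse battery staple");
        System.out.println("legitimate login accepted: " + serverCheck(blob));

        // The same bytes, submitted again by anyone who obtained them, are accepted too:
        // the blob must be protected exactly as carefully as the cleartext password.
        byte[] copied = Arrays.copyOf(blob, blob.length);
        System.out.println("resubmitted blob accepted:  " + serverCheck(copied));
    }
}
```

Both lines print `true`; the extra encryption changes what is stored and transmitted but not who can authenticate with it, which is why the TLS channel the site already provides is the layer doing the real work here.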