@entp
Created November 4, 2010 02:23
Get around Firesheep issues for non-SSL connections
One of the problems with requiring SSL for every page on a site is that you lose much of the benefit of browser caching. Many sites therefore require SSL only for login, which leaves the session cookie travelling over plain HTTP afterwards, where a passive sniffer such as Firesheep can copy it and reuse it.
During the login process (over SSL), have the page store a per-session secret in localStorage. The secret is never sent over the wire again, so a passive sniffer on the HTTP pages never sees it. Caveat: any script running on the same origin can read localStorage, so this does nothing against XSS or against an active attacker who injects script into one of the HTTP pages; it only raises the bar for passive cookie sniffing.
Periodically (ideally on every request that matters), have the server issue a single-use nonce and have the page answer it by signing or MACing the nonce with the stored secret. Only the result goes over the wire; the secret itself stays in the browser. Since the server issued the secret, a keyed hash (HMAC) is enough; asymmetric signing is not required.
If a session sends the same answer twice, answers a nonce it was never issued, or answers incorrectly, log it out. A repeated answer means someone replayed a sniffed response; a wrong answer means someone has the cookie but not the secret. Note that between challenges the sniffed cookie alone still works, so the check has to cover every request you care about, not just an occasional one.
This may require some way to track individual tabs, since two tabs answering the same challenge would look like a replay. If the server hands out a fresh nonce for each request, no tab tracking is needed: each tab simply answers its own nonce. Alternatively, each tab could sign the last URL it opened and set that as a cookie.