Securely send a Plain Text password?

别跟我提以往 2020-12-16 03:38

I'm working on an application for iOS which will have the user fill out their password. The password will then be posted to a PHP page on my site using either POST or GET.

3 answers
  •  别那么骄傲
    2020-12-16 03:42

    You could encrypt at the device and decrypt at the server, but if the data going across the wire is sensitive enough to warrant that much work, then IMHO, I believe you're better off just using https. It's tried, true, and established.

    It's not perfect, mind you, and there have been successful attacks against older versions of it, but it is a heck of a lot better than "rolling your own" method of security.

    Say your key gets compromised, for example: If you're using https with a cert from a trusted authority, then you just buy a new cert. The device, if it trusts the authority, will accept the new certificate. If you go your own route on it, then you have to update the keys not only on your web server, but at the client as well. No way would I want that sort of headache.

    I'm not saying that the challenge is insurmountable. I am saying it may not be worth the effort when tools already exist.
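
As an added example (not code from this thread), here is a PHP endpoint for the server side of the HTTPS advice above: it accepts the password only over TLS and only in a POST body. The field names `username` and `password`, the `fail()` helper and the in-memory account are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the user table (assumption): one account whose
// password hash is generated at start-up so the example is self-contained.
$accounts = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Hypothetical helper: send a status code and stop.
function fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($message);
}

// 1. Accept the request only if it arrived over TLS. Assumption: PHP sees the
//    TLS connection directly; behind a TLS-terminating proxy, enforce this at
//    the proxy instead.
$https = $_SERVER['HTTPS'] ?? '';
if ($https === '' || strtolower($https) === 'off') {
    fail(403, 'HTTPS required');
}

// 2. Accept the password only in a POST body. A GET request carries it in
//    the URL, which web servers and proxies routinely write to access logs.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    header('Allow: POST');
    fail(405, 'POST required');
}

// Reject array-valued fields such as "password[]=x".
$user = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (!is_string($user) || !is_string($password)) {
    fail(400, 'Bad request');
}

// 3. Compare against the stored hash; the plaintext is never stored or logged.
$hash = $accounts[$user] ?? null;
if ($hash === null || !password_verify($password, $hash)) {
    fail(401, 'Invalid credentials');
}

header('Content-Type: text/plain');
echo 'OK';
```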
