Forum OpenACS Q&A: Re: Password in ClearText

Collapse
7: Re: Password in ClearText (response to 1)
Posted by Andrew Piskorski on 10/31/03 07:34 AM
Andrew S., in what was way is "SSL with OpenACS not security by default"? Are you complaining about the install docs, or you just don't like SSL, or what?

You can handle SSL roughly three ways with OpenACS:

  1. No SSL, everything is in the clear including the login page.

  2. SSL only on the login pages, secure, but has SSL only where you really need it. All ecommerce sites want this.

  3. SSL on the whole site (except a few particular URLs (e.g., "/SYSTEM/dbtest.tcl") which you have special reasons for leaving open). If you have secret or proprietary content all over your site (e.g., some company intranets...), this is what you want.

It would be good if the stock OpenACS install defaulted to choice 2, above. I'm not sure whether it does or not.

If you don't want to send password across the net in the clear, then using SSL on the login pages fixes that. If there is some other solution which both fixes that, and is preferable to SSL for some reason, please let us know. I'm not aware of any.

Collapse
10: Re: Password in ClearText (response to 7)
Posted by Lars Pind on 10/31/03 11:41 AM
Yes, we now default to login pages over SSL, when SSL is installed.
Collapse
12: Re: Password in ClearText (response to 10)
Posted by Jeff Davis on 10/31/03 01:05 PM
Keep in mind that if you want to have passwords which are not sent in plaintext and don't want to use ssl you will have to have some javascript to do it, which would mean people with javascript turned off would not be able to log in to your site (well at least as far as I can see).

Or we could use digest authentication as mentioned (and I think we should probably provide that as an option since it has some value -- one particularly useful way to use it is to password protect an entire dev site rather than count on the openacs authentication working in dev) but it does mean that the browser will then be responsible for popping up its standard password window. Digest authentication protects passwords but provides very little in the way of security beyond that (although if we issue more restrictive nonce's that is not strictly true). Also I think there are also browser support issues for digest authentication (ns4 doesn't do it iirc)...

I think the javascript hashing of the password is a waste and digest authentication has some value but it's not without some real drawbacks too.