Forum OpenACS Q&A: Re: Password in ClearText

4: Re: Password in ClearText (response to 1)
Posted by Patrick Giagnocavo on
Correct me if I am wrong, but there is some security available without using SSL.

There are cookie generation routines that can function as shared secrets, are there not? The cookies can be "signed" in some fashion.

While they could well be sniffed, their value would be of little use since they are one-way hashes of a set of values including an IP address; if the attacker could not spoof the IP address sending the sniffed info, the information would be useless.

See security-procs.tcl in /packages/acs-tcl/tcl and the other files with security in their names in that package.

Andrew, could you have a look at these procedures and give us your opinion on their usefulness?
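The IP-bound signed-cookie scheme described in the post above, written out as an added example. This is not code from the post or from OpenACS's security-procs.tcl; it is in Python rather than Tcl so the logic is easy to follow, and it assumes a keyed one-way hash (HMAC-SHA256 under a server-side secret) as the "signature", a cookie layout of user_id,ip,issued_at,signature, and a constructed secret and sample values. The verifier checks three things a sniffed cookie would have to get past: the signature, the client IP, and the issue time.

```python
import hashlib
import hmac

# Constructed secret for this example only. A real deployment would generate
# it randomly at install time and keep it out of anything the client can read.
SERVER_SECRET = b"example-secret-not-for-production"

# Hypothetical cookie layout used here: user_id,client_ip,issued_at,signature


def _sign(payload: str, secret: bytes) -> str:
    # Keyed one-way hash: without the secret, an attacker who sniffs a cookie
    # cannot forge a new one with a different IP or user id.
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(user_id: int, client_ip: str, issued_at: int,
                secret: bytes = SERVER_SECRET) -> str:
    """Issue a session cookie bound to user_id, the client's IP, and a timestamp."""
    payload = f"{user_id},{client_ip},{issued_at}"
    return f"{payload},{_sign(payload, secret)}"


def verify_cookie(cookie: str, request_ip: str, now: int, max_age: int = 3600,
                  secret: bytes = SERVER_SECRET):
    """Return the user_id if the cookie is valid for this request, else None."""
    parts = cookie.split(",")
    if len(parts) != 4:
        return None
    user_id, cookie_ip, issued_at, sig = parts
    try:
        issued_at_int = int(issued_at)
        user_id_int = int(user_id)
    except ValueError:
        return None

    # 1. Signature: recompute over the presented fields and compare in
    #    constant time, so a tampered user_id or IP is rejected.
    expected = _sign(f"{user_id},{cookie_ip},{issued_at}", secret)
    if not hmac.compare_digest(expected, sig):
        return None

    # 2. IP binding: a cookie sniffed on the wire is refused from any
    #    address other than the one it was issued to.
    if cookie_ip != request_ip:
        return None

    # 3. Age: a valid cookie is still only replayable within max_age,
    #    and a cookie from the "future" is rejected outright.
    if issued_at_int > now or now - issued_at_int > max_age:
        return None

    return user_id_int


if __name__ == "__main__":
    # Constructed scenario: the cookie is issued to 10.0.0.5 and then
    # replayed by a sniffer at 192.0.2.9.
    cookie = make_cookie(42, "10.0.0.5", issued_at=1000)
    print("owner:   ", verify_cookie(cookie, "10.0.0.5", now=1500))
    print("sniffer: ", verify_cookie(cookie, "192.0.2.9", now=1500))
```

Two caveats for anyone weighing this against SSL: the IP check only defeats a sniffer who cannot send from the victim's address, so an attacker on the same NAT or proxy, or one who can spoof the address, still replays the cookie within its lifetime; and the cookie protects the session, not the login itself, so the password still crosses the wire in the clear if the login form is not served over SSL.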