Forum OpenACS Q&A: Re: Password in ClearText
You can handle SSL roughly three ways with OpenACS:
- No SSL, everything is in the clear including the login page.
- SSL only on the login pages: secure, but with SSL only where you
really need it. All ecommerce sites want this.
- SSL on the whole site (except a few particular URLs (e.g., "/SYSTEM/dbtest.tcl") which you have special reasons for leaving open). If you have secret or proprietary content all over your site (e.g., some company intranets...), this is what you want.
It would be good if the stock OpenACS install defaulted to choice 2, above. I'm not sure whether it does or not.
If you don't want to send passwords across the net in the clear, then using SSL on the login pages fixes that. If there is some other solution which both fixes that and is preferable to SSL for some reason, please let us know. I'm not aware of any.
Or we could use digest authentication as mentioned (and I think we should probably provide that as an option since it has some value -- one particularly useful way to use it is to password protect an entire dev site rather than count on the openacs authentication working in dev), but it does mean that the browser will then be responsible for popping up its standard password window. Digest authentication protects passwords but provides very little in the way of security beyond that (although if we issue more restrictive nonces that is not strictly true). Also, I think there are browser support issues for digest authentication (ns4 doesn't do it iirc)...
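The point made in the post above, that digest authentication keeps the password itself off the wire but that the rest of its security depends on how restrictive the server's nonces are, as an added Python example (this is not code from the forum thread or from OpenACS/AOLserver). It implements the RFC 2617 digest computation without the `qop` extension, stores only the HA1 hash on the server side, and issues time-limited, single-use nonces so a captured response cannot be replayed. The realm, server secret, user name and password are constructed values for the demonstration.

```python
import hashlib
import secrets
import time
from typing import Optional, Set

REALM = "openacs-dev"                          # constructed realm name
NONCE_TTL_SECONDS = 60                         # nonce lifetime (assumption)
NONCE_SECRET = b"constructed-server-secret"    # would be random per server start


def _md5(s: str) -> str:
    # RFC 2617 digest uses MD5 for the response computation.
    return hashlib.md5(s.encode()).hexdigest()


def _nonce_mac(ts: str, rnd: str) -> str:
    # Bind the nonce to a server secret so clients cannot forge "fresh" nonces.
    return hashlib.sha256(NONCE_SECRET + ts.encode() + rnd.encode()).hexdigest()[:16]


def make_nonce(now: Optional[float] = None) -> str:
    # Nonce = issue timestamp : random : MAC over both.
    ts = str(int(now if now is not None else time.time()))
    rnd = secrets.token_hex(8)
    return f"{ts}:{rnd}:{_nonce_mac(ts, rnd)}"


def nonce_is_valid(nonce: str, used_nonces: Set[str], now: Optional[float] = None) -> bool:
    # A "restrictive" nonce: authentic, not expired, and never accepted before.
    now = now if now is not None else time.time()
    parts = nonce.split(":")
    if len(parts) != 3 or not parts[0].isdigit():
        return False
    ts, rnd, mac = parts
    if not secrets.compare_digest(mac, _nonce_mac(ts, rnd)):
        return False
    issued = int(ts)
    if now - issued > NONCE_TTL_SECONDS or issued > now + 5:
        return False
    return nonce not in used_nonces


def compute_ha1(username: str, password: str) -> str:
    # What the server stores instead of the clear-text password.
    return _md5(f"{username}:{REALM}:{password}")


def client_response(username: str, password: str, method: str, uri: str, nonce: str) -> str:
    # What the browser sends: MD5(HA1 : nonce : HA2). The password never leaves the client.
    ha1 = compute_ha1(username, password)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify_request(method: str, uri: str, nonce: str, response: str,
                   stored_ha1: str, used_nonces: Set[str],
                   now: Optional[float] = None) -> bool:
    # Server side: reject stale or reused nonces before doing any hash work,
    # then compare the expected response in constant time.
    if not nonce_is_valid(nonce, used_nonces, now):
        return False
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    if not secrets.compare_digest(expected, response):
        return False
    used_nonces.add(nonce)  # single use: a replayed response fails from now on
    return True


def demo(now: float = 1_700_000_000.0) -> dict:
    # Walk through one login, a replay of the captured response, and an expired nonce.
    used: Set[str] = set()
    stored_ha1 = compute_ha1("alice", "correct horse")      # constructed credentials
    nonce = make_nonce(now)
    resp = client_response("alice", "correct horse", "GET", "/dev/", nonce)
    first = verify_request("GET", "/dev/", nonce, resp, stored_ha1, used, now)
    replay = verify_request("GET", "/dev/", nonce, resp, stored_ha1, used, now + 1)
    other_uri = verify_request("GET", "/admin/", make_nonce(now), resp, stored_ha1, used, now)
    old_nonce = make_nonce(now)
    old_resp = client_response("alice", "correct horse", "GET", "/dev/", old_nonce)
    expired = verify_request("GET", "/dev/", old_nonce, old_resp, stored_ha1, used,
                             now + NONCE_TTL_SECONDS + 1)
    return {"first": first, "replay": replay, "other_uri": other_uri, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

With a static nonce the `replay` case would succeed, which is the weakness the post refers to; the timestamp, MAC and used-nonce set are what make the nonce "restrictive". Note that MD5 here is dictated by the RFC, and the stored HA1 is still an unsalted MD5 of the password, so the user database needs the same protection as any other password hash store.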