SSL is not security by default because by default most people won't use SSL at their OpenACS site. This web site here at openacs.org doesn't. At least, when I logged on here, a packet sniffer showed the password going by in the clear.
As I mentioned, there are some other problems with SSL that would apply even if SSL were the default.
RFC 2617 talks about a method for doing authentication without sending passwords in the clear. The method there is called "Digest Authentication." It's possible to use the core ideas of Digest Authentication in a relatively simple implementation without using Digest Authentication itself. These ideas should not be very hard to implement and are probably much easier to do than the cookie stuff that OpenACS does now (if OpenACS has the stuff that's described in section 4(?) of the openacs.org kernel manual that talks about security).
The vBulletin forums at vbulletin.com have a thread called "Major Password Security Weakness" that's about this topic. (This almost trivial weakness is unfortunately very common among content management systems and bulletin board software.) The second to last post in the thread at vbulletin.com has a description of how to do this kind of authentication. The current URL is http://www.vbulletin.com/forum/showthread.php?t=85515&page=3&pp=40
I will be glad to clarify parts of the discussion but
I am not gonna get into an argument about whether this should be done in OpenACS -- I just wanted to suggest it and see what the response was. If the developers aren't interested in implementing it, then that is fine and I can move along to the next CMS to look at.
