Forum OpenACS Q&A: Re: Password in ClearText

29: Re: Password in ClearText (response to 1)
Posted by Andrew S on
Thanks Stan.  I had seen those links.

Some reasons for defaulting to sending passwords not in the clear instead of using SSL are:

- SSL requires an expenditure of time and energy on the part of the person setting up the site,
- it is easy to mess up the installation of SSL,
- many people will simply not install SSL, so if the default is to send passwords in clear text, there will be lots of OpenACS installations sending passwords in clear text (and many site owners will not even know it).

If JavaScript isn't widely implemented in browsers, then it's not a good solution.  I thought though that JavaScript was in fact widely implemented.  For example, vBulletin, a widely used bulletin board package, sends md5 hashes of the password from the client and it appears to me that it must use JavaScript or something like it in order to compute the hash.  (What vBulletin does is very weak and is only a small step up from sending passwords in the clear.)
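To make the point about client-side hashing concrete, here is an added illustration that is not part of this thread and not vBulletin's or OpenACS's code. It contrasts two schemes with a constructed sample credential: a static client-side md5 of the password (the approach the post describes), where the value the browser sends is itself a reusable credential, and a simplified nonce-bound challenge-response in the style of HTTP Digest (RFC 2617), where the value sent is tied to a single server-issued nonce. The class and function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential for the demonstration only (not a real account).
USERNAME = "alice"
PASSWORD = "correct horse"


def md5_hex(text: str) -> str:
    """md5 as a hex string; used here only because the thread discusses md5."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# --- Scheme 1: static client-side hash -------------------------------------
# The browser sends md5(password) instead of the password; the server stores
# the same value and compares. Anyone who sees one login message holds a value
# that verifies exactly as well next time, so it is password-equivalent.
class StaticHashServer:
    def __init__(self, users: dict):
        self.store = {u: md5_hex(p) for u, p in users.items()}

    def verify(self, msg: dict) -> bool:
        stored = self.store.get(msg["user"])
        return stored is not None and hmac.compare_digest(stored, msg["hash"])


def static_client_login(user: str, password: str) -> dict:
    return {"user": user, "hash": md5_hex(password)}


# --- Scheme 2: nonce-bound challenge-response (simplified Digest) ------------
# The server issues a fresh random nonce per login attempt and accepts each
# nonce once. The client proves knowledge of md5(user:password) by hashing it
# together with the nonce, so a captured response is useless against the next
# challenge.
class DigestServer:
    def __init__(self, users: dict):
        self.store = {u: md5_hex(f"{u}:{p}") for u, p in users.items()}
        self.issued = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, msg: dict) -> bool:
        nonce = msg["nonce"]
        if nonce not in self.issued:          # unknown or already used nonce
            return False
        self.issued.discard(nonce)            # single use
        ha1 = self.store.get(msg["user"])
        if ha1 is None:
            return False
        expected = md5_hex(f"{ha1}:{nonce}")
        return hmac.compare_digest(expected, msg["response"])


def digest_client_response(user: str, password: str, nonce: str) -> dict:
    ha1 = md5_hex(f"{user}:{password}")
    return {"user": user, "nonce": nonce, "response": md5_hex(f"{ha1}:{nonce}")}


def compare_schemes() -> dict:
    """Submit one login per scheme, then submit the identical message again.

    Returns whether each first submission and each repeat was accepted.
    """
    static_srv = StaticHashServer({USERNAME: PASSWORD})
    static_msg = static_client_login(USERNAME, PASSWORD)
    static_first = static_srv.verify(static_msg)
    static_repeat = static_srv.verify(dict(static_msg))   # same bytes again

    digest_srv = DigestServer({USERNAME: PASSWORD})
    digest_msg = digest_client_response(USERNAME, PASSWORD, digest_srv.challenge())
    digest_first = digest_srv.verify(digest_msg)
    digest_repeat = digest_srv.verify(dict(digest_msg))   # nonce already spent

    return {
        "static_first": static_first,
        "static_repeat": static_repeat,
        "digest_first": digest_first,
        "digest_repeat": digest_repeat,
    }


if __name__ == "__main__":
    for k, v in compare_schemes().items():
        print(f"{k}: {v}")
```

The result shows the static scheme accepting the same message twice while the digest scheme rejects it once the nonce is spent. Neither scheme does anything for the rest of the session, protects against an attacker who tampers with the page, or makes md5 a suitable password store, which is why the thread's preference for SSL stands; the nonce only removes the "captured value is the credential" property of the static scheme.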

Posted by bill kellerman on
it is the responsibility of the web site owner to understand the level of security in the operating system and applications.  anyone who "will simply not install ssl" is actively taking a risk with the security of their data, and laziness or lack of technical skill is not an excuse.

my issue isn't whether or not digest authentication is a good or useful solution with benefit, my issue is your insinuation that openacs is an inferior product because it doesn't use digest authentication.  this is not true.

as far as javascript, not everyone enables it or uses a modern browser.  i work for a university and we are required to cater to the end user's lowest common denominator so ssl is our best option for secure connections.

besides...  the average user knows to look for the "https" up in the browser url of good web sites when submitting security-sensitive data.

if digest really is a benefit, then to implement in aolserver/oacs while either minimizing client requirements or with the ability to disable it for the option of standard ssl would be fine.