logins with no SSL?

Doug

I noticed that there are many prominent sites out there that do not use
SSL for logins. 2 are www.blackplanet.com and www.blackboard.com

Although blackboard has something like this:

function validate_form(form) {
    // Hash the typed password, then hash that together with the
    // server-supplied one-time token, so the value submitted differs
    // on every login attempt.
    var passwd_enc = calcMD5(form.password.value);
    var final_to_encode = passwd_enc + form.one_time_token.value;
    form.encoded_pw.value = calcMD5(final_to_encode);
    // Blank the clear-text field so it is never submitted.
    form.password.value = "";
    return true;
}

I'm not really sure what this means... My guess is that the website
hashes the password on the server and checks to see if it matches the
one hashed on the client side.

But my question is, is SSL needed? I am planning to do a site, and now,
I'm not even sure if I should use SSL because it takes some effort to
set it up, and some sites don't use it. Also, a related question: will
implementing logins via SSL slow down the server?

-d

Toby A Inkster

Doug said:
I'm not really sure what this means... My guess is that the website
hashes the password on the server and checks to see if it matches the
one hashed on the client side.

Yes, but this means that your login requires Javascript so you lose all
visitors who don't have Javascript available/enabled.

Imagine powering down your web server as the clock strikes 12 on New
Year's Eve/Day and then not turning it back on until 11am on the 17th of
February. According to recent statistics that's how many visitors you'll
lose by relying on Javascript: 13%.

David Dorward

Doug said:
I noticed that there are many prominent sites out there that do not use
SSL for logins.
My guess is that the website hashes the password on the server and checks
to see if it matches the one hashed on the client side.

Which is pretty useless. The combination of characters sent to the server
can still be copied.
But my question is, is SSL needed?

What are the consequences of your security being broken? If they are
significant then SSL is needed.
Also, a related question: will implementing logins via SSL slow down the
server?

Yes... but probably not significantly.

Charles Sweeney

Doug said:
I noticed that there are many prominent sites out there that do not use
SSL for logins.

Yep, and just about EVERY site sends you passwords in plain email.

Spose it depends what you're doing, protecting the crown jewels or running
a forum?

I like many don't use SSL for logins, but I'm not looking after the crown
jewels.

As ever though, don't put anything precious on the web.

Charles Sweeney

Toby said:
Imagine powering down your web server as the clock strikes 12 on New
Year's Eve/Day and then not turning it back on until 11am on the 17th of
February. According to recent statistics that's how many visitors you'll
lose by relying on Javascript: 13%.

At least you would get peace for a while.

Wayne

Toby said:
Yes, but this means that your login requires Javascript so you lose all
visitors who don't have Javascript available/enabled.

Imagine powering down your web server as the clock strikes 12 on New
Year's Eve/Day and then not turning it back on until 11am on the 17th of
February. According to recent statistics that's how many visitors you'll
lose by relying on Javascript: 13%.

How did you arrive at the 13% value? A recent post listed

http://www.w3schools.com/browsers/browsers_stats.asp

as a resource for browser statistics and that site lists 92% in January
2004 as the number of browsers with javascript enabled. According to
the posted statistics, the number with javascript disabled has been
dropping steadily from 12% in October 2002 to 8% in January 2004.

Wayne

Bill Logan

Charles Sweeney said:
Yep, and just about EVERY site sends you passwords in plain email.

Spose it depends what you're doing, protecting the crown jewels or running
a forum?

I like many don't use SSL for logins, but I'm not looking after the crown
jewels.

Heh, I 'always' look after the crown jewels - but then I don't know how to put
them on the web:)

tlshell

According to
the posted statistics, the number with javascript disabled has been
dropping steadily from 12% in October 2002 to 8% in January 2004.

I find javascript unreliable as very often my browser will not accept
it. It must be some quirk of my security settings as people swear up
and down that NS7.02 works on their javascripts with no problems.
JS Submit buttons are particularly a pain, probably because of all the
checking that is done via JS.

There are two sites I use that don't work, one is
"http://www.mysurvey.com/" where everything is fine except at the very
end when they are updating my stats. Fortunately, I've discovered that
it doesn't affect my interactions with them so I just blow that part
off and go merrily on my way. (They give points for answering surveys
which add up to money or prizes so it's worth the trouble.) The other
is "http://www.asianfoods.com/" where I have to manually enter
"https://www.asianfoodgrocer.com/index.asp?PageAction=CARTCHECKOUT" in
order to complete my order instead of hitting the "checkout" button.
Very odd, I'd say, but manageable.

It's the ones that *aren't* manageable that get me pissed off, and
then I may write insulting (or not) letters to the webmaster or other
company whipping post.

TechnoHippie

Bill Logan said:
Heh, I 'always' look after the crown jewels - but then I dont know how
to put them on the web:)

Please, please don't tease :)

You could always x-face them.

Mark Parnell

then I may write insulting (or not) letters to the webmaster or other
company whipping post.

Whereas most people would just leave and never come back, so the company
will never even know that they are losing customers.

Doug

David said:
Which is pretty useless. The combination of characters sent to the server is
can still be copied.

I thought it was pretty useful. The server sends a random number to the
client that both the client and server add to end of the password. So,
it never uses the same hash twice.

-d

Doug

Toby said:
Imagine powering down your web server as the clock strikes 12 on New
Year's Eve/Day and then not turning it back on until 11am on the 17th of
February. According to recent statistics that's how many visitors you'll
lose by relying on Javascript: 13%.

Perhaps I could do it two different ways... One for people who do not
have JavaScript, one for those who do. I'll look into that.

-d

Neal

Perhaps I could do it two different ways... One for people who do not
have JavaScript, one for those who do. I'll look into that.

-d

If you have a way that works for non-JS people, why not just use it?
Instead of twice the code and twice the work?

Doug

Neal said:
If you have a way that works for non-JS people, why not just use it?
Instead of twice the code and twice the work?

Well, it wouldn't really be twice the code... May be some extra
JavaScript code, but basically, the JavaScript would hash the password.
If JavaScript is not available, it would just do it the regular way.
I can cut and paste the JavaScript code to hash the password.

a hidden var in the form could be JavaScriptAvailable=true

it would be no big deal.

-d