Ask HN: Sites using pop-up login windows without HTTPS? (e.g. Digg)
Am I missing something when I see sites like Digg not using HTTPS for login and passing plain text passwords? I thought you always needed HTTPS for login form submission.
The reason I'm asking is to figure out if we should be doing this for our startup. Any insight would be appreciated.
Here is a picture I took with FireBug showing Digg's login window: http://farm3.static.flickr.com/2488/3674881101_b946ecf39f_o.png
Thanks in advance!
7 comments
[ 3.2 ms ] story [ 27.5 ms ] threadAs has been mentioned, there are all sorts of issues with using https, and for sites where security isn't a huge concern (it's always important, but not as much for a site like HN vs. a bank), hashing client side and sending the data over plain http can be enough.
Even if you can intercept the person's hash and login to that site, you still don't know the user's original plaintext password. A lot of people re-use the same password throughout many (or all) of their online accounts. The attacker may be able to impersonate the user for the current site, but they don't have their actual password to gain access to other sites.
What I was talking about in my original post (but didn't properly explain) was using hashing as part of a larger algorithm for doing a challenge/response login. The idea is explained here: http://pajhome.org.uk/crypt/md5/auth.html
I agree that HTTPS is the way to go if security is a huge concern (like for banks), but for a simpler site you could get away with using CHAP and still provide a reasonable level of security.
We chose "Standard form | Secure form" as the verbiage but I've seen it several ways.