Many web sites have a user name and password login system, and do not
use SSL. As a consequence, users' passwords are transmitted over the
internet unencrypted. This puts them at risk, particularly if the user
is on a shared ethernet segment, or open wireless network.
pajhome.org.uk/crypt/md5/), which can be used to perform a challenge-
response login. This avoids passwords being transmitted unencrypted,
although the security is not as strong as SSL. A number of web sites
currently use this technique; for some years Yahoo did, although they
now have SSL login.
because few authentication libraries support it. It is possible for a
the details hidden from the application developer. In fact, it's quite
easy to implement, and there is a lot of guidance on my site.
So, this is a call to the authors of all web authentication libraries.
know, so I can link to you from my site. If you need any help
implementing it, drop me a line, I'll do what I can.
I think supporting this mode would be a big selling point for any
authentication library. And if support becomes widespread, the
internet becomes a little bit safer for everyone.
[This was rejected on the rails-core list, but I believe it is
relevant to the Rails community]