logins with no SSL?

Discussion in 'HTML' started by Doug, Jun 20, 2004.

  1. Doug

    Doug Guest

    I noticed that there are many prominent sites out there that do not use
    SSL for logins. 2 are www.blackplanet.com and www.blackboard.com

    Although blackboard has something like this:

    function validate_form(form) {
        // Hash the typed password, then hash that digest together with the
        // server-issued one-time token; only the result is submitted and the
        // plaintext password field is cleared before the form leaves the browser.
        // calcMD5 is assumed to be an MD5 routine defined elsewhere on the page.
        var passwd_enc = calcMD5(form.password.value);
        var final_to_encode = passwd_enc + form.one_time_token.value;
        form.encoded_pw.value = calcMD5(final_to_encode);
        form.password.value = "";
        return true;
    }

    I'm not really sure what this means... My guess is that the website
    hashes the password on the server and checks to see if it matches the
    one hashed on the client side.

    But my question is, is SSL needed? I am planning to do a site, and now,
    I'm not even sure if I should use SSL because it takes some effort to
    set it up, and some sites don't use it. Also, a related question: will
    implementing logins via SSL slow down the server?

    -d
     
    Doug, Jun 20, 2004
    #1

  2. Doug wrote:

    > I'm not really sure what this means... My guess is that the website
    > hashes the password on the server and checks to see if it matches the
    > one hashed on the client side.


    Yes, but this means that your login requires Javascript so you lose all
    visitors who don't have Javascript available/enabled.

    Imagine powering down your web server as the clock strikes 12 on New
    Year's Eve/Day and then not turning it back on until 11am on the 17th of
    February. According to recent statistics that's how many visitors you'll
    lose by relying on Javascript: 13%.

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me - http://www.goddamn.co.uk/tobyink/?page=132
     
    Toby A Inkster, Jun 20, 2004
    #2

  3. Doug wrote:

    > I noticed that there are many prominent sites out there that do not use
    > SSL for logins.


    > My guess is that the website hashes the password on the server and checks
    > to see if it matches the one hashed on the client side.


    Which is pretty useless. The combination of characters sent to the server
    can still be copied.

    > But my question is, is SSL needed?


    What are the consequences of your security being broken? If they are
    significant then SSL is needed.

    > Also, a related question: will implementing logins via SSL slow down the
    > server?


    Yes... but probably not significantly.


    --
    David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
    Home is where the ~/.bashrc is
     
    David Dorward, Jun 20, 2004
    #3
  4. Doug wrote:

    > I noticed that there are many prominent sites out there that do not use
    > SSL for logins.


    Yep, and just about EVERY site sends you passwords in plain email.

    Spose it depends what you're doing, protecting the crown jewels or running
    a forum?

    I like many don't use SSL for logins, but I'm not looking after the crown
    jewels.

    As ever though, don't put anything precious on the web.

    --
    Charles Sweeney
    http://CharlesSweeney.com
     
    Charles Sweeney, Jun 20, 2004
    #4
  5. Toby A Inkster wrote:

    > Imagine powering down your web server as the clock strikes 12 on New
    > Year's Eve/Day and then not turning it back on until 11am on the 17th of
    > February. According to recent statistics that's how many visitors you'll
    > lose by relying on Javascript: 13%.


    At least you would get peace for a while.

    --
    Charles Sweeney
    http://CharlesSweeney.com
     
    Charles Sweeney, Jun 20, 2004
    #5
  6. Doug

    Wayne Guest

    Toby A Inkster wrote:
    > Doug wrote:
    >
    >
    >>I'm not really sure what this means... My guess is that the website
    >>hashes the password on the server and checks to see if it matches the
    >>one hashed on the client side.

    >
    >
    > Yes, but this means that your login requires Javascript so you lose all
    > visitors who don't have Javascript available/enabled.
    >
    > Imagine powering down your web server as the clock strikes 12 on New
    > Year's Eve/Day and then not turning it back on until 11am on the 17th of
    > February. According to recent statistics that's how many visitors you'll
    > lose by relying on Javascript: 13%.
    >


    How did you arrive at the 13% value? A recent post listed

    http://www.w3schools.com/browsers/browsers_stats.asp

    as a resource for browser statistics and that site lists 92% in January
    2004 as the number of browsers with javascript enabled. According to
    the posted statistics, the number with javascript disabled has been
    dropping steadily from 12% in October 2002 to 8% in January 2004.

    Wayne
     
    Wayne, Jun 20, 2004
    #6
  7. Doug

    Bill Logan Guest

    "Charles Sweeney" <> wrote in message
    news:Xns950E98E97BD8Bmecharlessweeneycom@130.133.1.4...
    > Doug wrote:
    >
    > > I noticed that there are many prominent sites out there that do not use
    > > SSL for logins.

    >
    > Yep, and just about EVERY site sends you passwords in plain email.
    >
    > Spose it depends what you're doing, protecting the crown jewels or running
    > a forum?
    >
    > I like many don't use SSL for logins, but I'm not looking after the crown
    > jewels.
    >

    Heh, I 'always' look after the crown jewels - but then I don't know how to put
    them on the web :)
     
    Bill Logan, Jun 20, 2004
    #7
  8. Wayne wrote:
    > Toby A Inkster wrote:
    >> Imagine powering down your web server as the clock strikes 12 on New
    >> Year's Eve/Day and then not turning it back on until 11am on the 17th of
    >> February. According to recent statistics that's how many visitors you'll
    >> lose by relying on Javascript: 13%.

    >
    > How did you arrive at the 13% value? A recent post listed
    > http://www.w3schools.com/browsers/browsers_stats.asp


    Perhaps my stats are a little out of date then. So congratulations, you
    get to power up your server a couple of weeks early. Still an awful lot of
    visitors to lose.

    --
    Toby A Inkster BSc (Hons) ARCS
    Contact Me - http://www.goddamn.co.uk/tobyink/?page=132
     
    Toby A Inkster, Jun 20, 2004
    #8
  9. Doug

    Guest

    On Sun, 20 Jun 2004 17:07:58 GMT, Wayne <> took a very
    strange rock and inscribed these words:

    >According to
    >the posted statistics, the number with javascript disabled has been
    >dropping steadily from 12% in October 2002 to 8% in January 2004.


    I find javascript unreliable as very often my browser will not accept
    it. It must be some quirk of my security settings as people swear up
    and down that NS7.02 works on their javascripts with no problems.
    JS Submit buttons are particularly a pain, probably because of all the
    checking that is done via JS.

    There are two sites I use that don't work, one is
    "http://www.mysurvey.com/" where everything is fine except at the very
    end when they are updating my stats. Fortunately, I've discovered that
    it doesn't affect my interactions with them so I just blow that part
    off and go merrily on my way. (They give points for answering surveys
    which add up to money or prizes so it's worth the trouble.) The other
    is "http://www.asianfoods.com/" where I have to manually enter
    "https://www.asianfoodgrocer.com/index.asp?PageAction=CARTCHECKOUT" in
    order to complete my order instead of hitting the "checkout" button.
    Very odd, I'd say, but manageable.

    It's the ones that *aren't* manageable that get me pissed off, and
    then I may write insulting (or not) letters to the webmaster or other
    company whipping post.


    --
    Therese Shellabarger / The Roving Reporter - Civis Mundi
    / http://tlshell.cnc.net/
     
    , Jun 20, 2004
    #9
  10. Doug

    TechnoHippie Guest

    TechnoHippie, Jun 20, 2004
    #10
  11. Doug

    Bill Logan Guest

    "TechnoHippie" <> wrote in message
    news:Xns950E7864F4B4753hippietechnohippie@207.69.154.206...
    > "Bill Logan" <> wrote in news:40d5cba4$:
    >
    > > Heh, I 'always' look after the crown jewels - but then I don't know how
    > > to put them on the web :)
    > >

    >
    > Please, please don't tease :)
    >
    > You could always x-face them.
    >

    Always rely on you for a nybble Judy:)
     
    Bill Logan, Jun 20, 2004
    #11
  12. Doug

    TechnoHippie Guest

    TechnoHippie, Jun 20, 2004
    #12
  13. Doug

    Mark Parnell Guest

    On 20 Jun 2004 14:36:48 EDT, <> declared in
    alt.html:

    > then I may write insulting (or not) letters to the webmaster or other
    > company whipping post.


    Whereas most people would just leave and never come back, so the company
    will never even know that they are losing customers.

    --
    Mark Parnell
    http://www.clarkecomputers.com.au
     
    Mark Parnell, Jun 21, 2004
    #13
  14. Doug

    Doug Guest

    David Dorward wrote:

    > Doug wrote:
    >
    >
    >>My guess is that the website hashes the password on the server and checks
    >>to see if it matches the one hashed on the client side.

    >
    >
    > Which is pretty useless. The combination of characters sent to the server
    > can still be copied.


    I thought it was pretty useful. The server sends a random number to the
    client that both the client and server add to end of the password. So,
    it never uses the same hash twice.

    -d
     
    Doug, Jun 23, 2004
    #14
  15. Doug

    Doug Guest

    Toby A Inkster wrote:

    > Imagine powering down your web server as the clock strikes 12 on New
    > Year's Eve/Day and then not turning it back on until 11am on the 17th of
    > February. According to recent statistics that's how many visitors you'll
    > lose by relying on Javascript: 13%.


    Perhaps I could do it two different ways... One for people who do not
    have JavaScript, one for those who do. I'll look into that.

    -d
     
    Doug, Jun 23, 2004
    #15
  16. Doug

    Doug Guest

    Bill Logan wrote:

    > "Charles Sweeney" <> wrote in message
    > news:Xns950E98E97BD8Bmecharlessweeneycom@130.133.1.4...
    >
    > Heh, I 'always' look after the crown jewels - but then I don't know how to put
    > them on the web :)
    >


    Well.... Speaking of that, check out this site: http://www.nameyournads.com

    -d
     
    Doug, Jun 23, 2004
    #16
  17. Doug

    Matt Probert Guest

    On Wed, 23 Jun 2004 12:23:01 GMT Doug <> broke
    off from drinking a cup of tea at EarthLink Inc. --
    http://www.EarthLink.net to write:

    >
    >
    >Bill Logan wrote:
    >
    >> "Charles Sweeney" <> wrote in message
    >> news:Xns950E98E97BD8Bmecharlessweeneycom@130.133.1.4...
    >>
    >> Heh, I 'always' look after the crown jewels - but then I don't know how to put
    >> them on the web :)
    >>

    >
    >Well.... Speaking of that, check out this site: http://www.nameyournads.com
    >


    <g>

    "This site developed and maintained by a guy with WAY too much time on
    his hands"

    He's honest!

    Matt

    --
    Free searchable encyclopaedia content for your web site:
    http://www.probertencyclopaedia.com/xsearch.htm
     
    Matt Probert, Jun 23, 2004
    #17
  18. Doug

    Matt Probert Guest

    On Wed, 23 Jun 2004 12:23:01 GMT Doug <> broke
    off from drinking a cup of tea at EarthLink Inc. --
    http://www.EarthLink.net to write:

    >
    >
    >Bill Logan wrote:
    >
    >> "Charles Sweeney" <> wrote in message
    >> news:Xns950E98E97BD8Bmecharlessweeneycom@130.133.1.4...
    >>
    >> Heh, I 'always' look after the crown jewels - but then I don't know how to put
    >> them on the web :)
    >>

    >
    >Well.... Speaking of that, check out this site: http://www.nameyournads.com
    >


    But he ain't no mug....

    "Basically, you pay a subscription fee of five bucks......You gain
    access to the site for one year."

    I don't think so!

    Matt

    --
    Free searchable encyclopaedia content for your web site:
    http://www.probertencyclopaedia.com/xsearch.htm
     
    Matt Probert, Jun 23, 2004
    #18
  19. Doug

    Neal Guest

    On Wed, 23 Jun 2004 12:18:07 GMT, Doug <> wrote:

    >
    >
    > Toby A Inkster wrote:
    >
    >> Imagine powering down your web server as the clock strikes 12 on New
    >> Year's Eve/Day and then not turning it back on until 11am on the 17th of
    >> February. According to recent statistics that's how many visitors you'll
    >> lose by relying on Javascript: 13%.

    >
    > Perhaps I could do it two different ways... One for people who do not
    > have JavaScript, one for those who do. I'll look into that.
    >
    > -d
    >


    If you have a way that works for non-Js people, why not use just it?
    Instead of twice the code and twice the work?
     
    Neal, Jun 23, 2004
    #19
  20. Doug

    Doug Guest

    Neal wrote:

    > On Wed, 23 Jun 2004 12:18:07 GMT, Doug <> wrote:
    >
    >>
    >>
    >> Toby A Inkster wrote:
    >>
    >>> Imagine powering down your web server as the clock strikes 12 on New
    >>> Year's Eve/Day and then not turning it back on until 11am on the 17th of
    >>> February. According to recent statistics that's how many visitors you'll
    >>> lose by relying on Javascript: 13%.

    >>
    >>
    >> Perhaps I could do it two different ways... One for people who do not
    >> have JavaScript, one for those who do. I'll look into that.
    >>
    >> -d
    >>

    >
    > If you have a way that works for non-Js people, why not use just it?
    > Instead of twice the code and twice the work?


    Well, it wouldn't really be twice the code... May be some extra
    JavaScript code, but basically, the JavaScript would hash the password.
    If JavaScript is not available, it would just do it the regular way.
    I can cut and paste the JavaScript code to hash the password.

    a hidden var in the form could be JavaScriptAvailable=true

    it would be no big deal.

    -d
     
    Doug, Jun 25, 2004
    #20
