Web Hosting Forum | Lunarpages


Topic: Securing sign-ons (Read 4092 times)
MrPhil
« on: February 11, 2011, 07:15:10 PM »

A couple of security-related issues have been bugging me of late, and I was wondering if anyone has a good answer...

1. When you access a "password protected" directory via .htaccess, it asks you for your ID and password in a popup. Is this data transmitted in the clear, or is it encrypted in some manner (similar to SSL)? If it's in the clear, it doesn't seem like very useful (or strong) security.

2. Why is it that most forums seem to ask you for your password on an unprotected (non-SSL) page? I would consider an account password to be quite sensitive information, and would prefer to enter or change it on an SSL-protected page, even if that requires an extra step. The same goes for store customer account and similar sign-ons. Whenever I have to use unencrypted WiFi, that's a big concern, since anyone can listen in on the traffic.
  
-= From the ashes shall rise a sooty tern =-
wektech
« Reply #1 on: February 14, 2011, 02:00:00 PM »

I confirmed via a bit of research that passwords for password-protected directories are transmitted in the clear. As such, the security provided is very basic and not suitable for protecting any type of sensitive data. I imagine the reason that most forums do not use SSL is the added cost and difficulty of implementing it. You must purchase a certificate as well as a dedicated IP address to even begin to adequately implement SSL.
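To illustrate the first question in this thread, here is an added example (not written by either poster) of what the .htaccess popup puts on the wire, assuming the directory uses `AuthType Basic`, the usual setup for password-protected directories. The request, host name, user and password are constructed sample values, and `audit_request` is a hypothetical helper name.

```python
import base64
import binascii

# Constructed sample: the request a browser sends after the .htaccess popup,
# as it appears on the wire over plain HTTP. User and password are made up.
SAMPLE_REQUEST = (
    "GET /private/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:s3cret:pw").decode() + "\r\n"
    "\r\n"
)

def audit_request(raw, over_tls=False):
    """Parse one HTTP request and report whether its login is readable in transit."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    auth = headers.get("authorization")
    if auth is None:
        return {"scheme": None, "exposed": False}

    scheme, _, param = auth.partition(" ")
    result = {"scheme": scheme, "exposed": False}
    if scheme.lower() != "basic":
        return result                            # other schemes are not handled here

    try:
        # Basic credentials are base64 *encoding*, not encryption: no key is needed.
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        result["error"] = "malformed credentials"
        return result

    # Split on the first ':' only, because the password may itself contain ':'.
    user, sep, password = decoded.partition(":")
    if not sep:
        result["error"] = "malformed credentials"
        return result

    # The header is readable by anyone on the path unless the connection is TLS.
    result.update(user=user, password=password, exposed=not over_tls)
    return result

if __name__ == "__main__":
    print(audit_request(SAMPLE_REQUEST))
```

The browser resends the same header on every request to the protected directory, so the exposure is not limited to the initial login.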