On Tue, Nov 08, 2005 at 12:29:56PM -0500, Pat Collins wrote:
> True, but not everybody can use ssl/tls. What about some kind of authentication checking where the site would keep track of where you have logged in from and upon detection of a change would prompt you with a question that only you would know or send you an email that you would have to respond to before you could gain access?

If a user is really so concerned about security, he/she should just get SSL. Saying "if someone has no access to SSL/TLS, but still wants security" sounds like saying "I want my house burglar-safe, but do not want to pay for good safe locks".
I dislike the idea of using Javascript for hashing. It smells a lot like security through obscurity. And it brings a lot of new problems. I think we should simply re-use the existing tools. SSL and TLS.

Ber