January 2nd, 2004

Enhanced Security

As we mentioned in yesterday's State of the Goat: 2004 (which you should read, btw! :-)), we now support secure logins and password changes.

This is especially important with everybody increasingly using wireless networks, which are usually unencrypted. You don't want your passwords flying around unprotected over the air!

The two new security available are:

We now use SSL (encryption) not only for payment processing, but also to let you create new accounts and change your password: the two pages that would otherwise send your password across the net in the clear.

If your browser supports JavaScript (almost all do), then the login page won't send your password in the clear either. Instead, the server sends a "challenge" which your browser combines with your password with JavaScript and generates a "response" which can't be reversed. Your browser then sends that (instead of the password) and the server checks to see if the result is what it expects. If your browser can't do JavaScript, you can alternatively log in via SSL instead, and the interface will give you a link to do so.

All of this will happen automatically, so don't worry about doing anything special. If you have questions or find problems, contact support and we'll help you out.


(P.S. We'll be supporting HTTP Digest Auth and challenge/response in the interface handlers soon, too.....)