Brad Fitzpatrick (bradfitz) wrote in news,

Enhanced Security

As we mentioned in yesterday's State of the Goat: 2004 (which you should read, btw! :-)), we now support secure logins and password changes.

This is especially important with everybody increasingly using wireless networks, which are usually unencrypted. You don't want your passwords flying around unprotected over the air!

The two new security features available are:

We now use SSL (encryption) not only for payment processing, but also to let you create new accounts and change your password: the two pages that would otherwise send your password across the net in the clear.

If your browser supports JavaScript (almost all do), then the login page won't send your password in the clear either. Instead, the server sends a "challenge", which your browser combines with your password using JavaScript to generate a "response" that can't be reversed. Your browser then sends that response (instead of the password) and the server checks whether it matches what it expects. If your browser can't do JavaScript, you can log in via SSL instead, and the interface will give you a link to do so.
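The challenge/response login described above can be sketched as follows. This is an added example, not LiveJournal's code: the post does not name the algorithm, so HMAC-SHA-256, the 60-second challenge lifetime, the single-use nonce set and all function names are assumptions.

```javascript
// Added illustration; algorithm, lifetime and names are assumptions, not the site's code.
const crypto = require('crypto');

const SERVER_SECRET = crypto.randomBytes(32); // signs challenges so clients cannot mint their own
const CHALLENGE_TTL_MS = 60 * 1000;           // assumed challenge lifetime
const usedNonces = new Set();                 // each challenge is accepted at most once

const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest('hex');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Server: value kept per user. It is password-equivalent for this protocol,
// so it needs the same protection at rest as the password itself.
function storedVerifier(password) { return sha256(password); }

// Server: challenge = "nonce.expiry.signature"
function issueChallenge(now = Date.now()) {
  const body = `${crypto.randomBytes(16).toString('hex')}.${now + CHALLENGE_TTL_MS}`;
  return `${body}.${hmac(SERVER_SECRET, body)}`;
}

// Browser: only this response goes over the wire, never the password.
function computeResponse(challenge, password) {
  return hmac(sha256(password), challenge);
}

// Constant-time string comparison (length check first, as timingSafeEqual requires).
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Server: check signature, expiry and reuse before comparing the response.
function verifyLogin(challenge, response, verifier, now = Date.now()) {
  const parts = String(challenge).split('.');
  if (parts.length !== 3) return false;
  const [nonce, expiry, sig] = parts;
  if (!safeEqual(sig, hmac(SERVER_SECRET, `${nonce}.${expiry}`))) return false;
  if (now > Number(expiry) || usedNonces.has(nonce)) return false;
  usedNonces.add(nonce); // burned on any attempt, so a captured pair cannot be replayed
  return safeEqual(response, hmac(verifier, challenge));
}
```

A passive listener who records one challenge and response can still test password guesses offline against that pair, so the scheme only holds up with strong passwords. It also assumes the login page's JavaScript arrives unmodified, which is why SSL remains the stronger option.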

All of this will happen automatically, so don't worry about doing anything special. If you have questions or find problems, contact support and we'll help you out.


(P.S. We'll be supporting HTTP Digest Auth and challenge/response in the interface handlers soon, too.....)
