On Fri, Mar 25, 2011 at 12:19 PM, Neil Kandalgaonkar
<[email protected]> wrote:
> I added a comment to the talk page.
>
> http://www.mediawiki.org/wiki/User_talk:Akshay.agarwal
>
> Long story short, we had this discussion in IRC... some people find the
> concept of AJAX login really alarming from a security perspective, but I
> think there could (COULD) be some ways to compromise there. There is a
> little-used concept called Digest Authentication that we could implement
> in Javascript.
>

I don't find the concept alarming. The concept of AJAX login is
perfectly fine, when used on a full https site, or a full http site.

It is insecure when used on an http page where the login page is using
https. If there is a man in the middle, the form can be rewritten to
send the username/password to the attacker, who then relays the
information to the wiki. I don't see how digest authentication will
solve this. Digest authentication protects against replay attacks, but
I don't believe it can protect against man in the middle attacks.

Respectfully,

Ryan Lane

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l