> I don't find the concept alarming. The concept of AJAX login is
> perfectly fine, when used on a full https site, or a full http site.
>
> It is insecure when used on an http page where the login page is using
> https. If there is a man in the middle, the form can be rewritten to
> send the username/password to the attacker, who then relays the
> information to the wiki. I don't see how digest authentication will
> solve this. Digest authentication protects against replay attacks, but
> I don't believe it can protect against man in the middle attacks.
>

I should follow this up with: as discussed on the channel, I love the
idea of someone working on AJAX login support. It is perfectly usable
by a bunch of third parties, and would be a great addition to the
software.

Respectfully,

Ryan Lane

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
