Brion Vibber wrote:
There was some muttering at the time that just using HTTPS is safer and it's not worth the bother. Agreement? Disagreement?
Absolutely agreed. Not being able to deal with the computational cost of SSL is the only convincing reason to try and use JavaScript hackery to do a more secure login, and I don't think that's a valid concern at Wikipedia these days. If you find a designated SSL login machine becomes CPU-bound, I can recommend PCI SSL accelerator cards that'll be happy to take over the work.