Brion Vibber wrote:
There was some muttering at the time that just using HTTPS is safer and it's not worth the bother. Agreement? Disagreement?
Probably HTTPS is safer, though JS challenges are easier to implement. Still, the https server needs to send the user back to the 'normal' page with some token, as it can't set the logged cookie. The http protocol was enhanced with some response codes 'changing to secure mode', so it might be feasible to produce the login over https with the same server, but I don't know the state of current implementations (both client and server); could be tricky.
As SUL will change the authentication schemas, close accounts, etc., it IS the appropriate moment to change hashes on the 'joined' accounts, set a login https server, etc.