Brion Vibber wrote:
There was some muttering at the time that just using HTTPS is safer and
it's not worth the bother. Agreement? Disagreement?
Probably HTTPS is safer, though JS challenges are easier to implement.
Still, the https server needs to send the user back to the 'normal' page
with some token, as it can't set the logged cookie.
The http protocol was enhanced with some response codes 'changing to
secure mode', so it might be feasible to produce the login over https with
the same server, but I don't know the state of current implementations
(both client and server), could be tricky.
As SUL will change the authentication schemas, close accounts, etc., it
IS the appropriate moment to change hashes on the 'joined' accounts, set
a login https server, etc.