Alexander Mueller wrote:
> However HTTPS does not prevent that the Administrator of the
> destination server is acquiring the actual plain text data.

So the .value of this input would already be hashed? Otherwise, this argument fails: the page can just grab the value and do whatever it wants with it.

> Additionally it provides a semi-encryption as well
> as replay protection to non-SSL connections.

Weak encryption is almost worse than none: it provides a false sense of safety without an appreciable increase in security...

-Boris
