Does this mean that the security of the login for LJ/DW is dependent upon the user being on a system that can/will run JavaScript?
That might explain why some folks' workplaces have LJ blocked for no discernable reason, if they don't allow the running of sites that use JS.

Thanks,
Alexis Carpenter
principia at Dreamwidth
principia_coh at LiveJournal

----- [email protected] wrote:
|
| > Just FYI, the nav bar thingies and the unencrypted login page still
| > don't transmit your password in plaintext, even if there's no visible
| > encryption going on, unless you don't have Javascript enabled. The
| > login form uses JS to hash your password first, and only transmits
| > the hash, not the password itself. (LJ does this, too.)
| >
| > Not quite what you were asking for, but still!
|
| OooOOooo. Very slick. I didn't know that. Thanks for mentioning it.
|
| Hmm. Does it do anything to protect against man-in-the-middle
| grabbing of the encrypted token? I seem to recall hearing that LJ
| does something elaborate to that end w/ JS (possibly dependent on
| HTTPS).
|
| -- Siderea
| _______________________________________________
| dw-discuss mailing list
| [email protected]
| http://lists.dwscoalition.org/cgi-bin/mailman/listinfo/dw-discuss
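An added illustration of the two ideas raised in the thread, a login form that sends only a hash and a login that answers a per-login server challenge. It is not part of the original messages and is not LiveJournal's or Dreamwidth's code; the function names, the use of SHA-256, and the sample password are all assumptions.

```javascript
// Added example: static client-side hash vs. challenge-response login.
// Names, SHA-256 and the sample password are assumptions, not LJ/DW code.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// What the server stores for the account (constructed sample value).
const storedHash = sha256('correct horse battery staple');

// Scheme A: the form sends H(password). The value never changes, so it is
// password-equivalent: anyone who observes it once can submit it again.
function verifyStatic(submittedHash) {
  return safeEqual(submittedHash, storedHash);
}

// Scheme B: the server issues a random, single-use challenge per login.
const outstanding = new Set();
function issueChallenge() {
  const challenge = crypto.randomBytes(16).toString('hex');
  outstanding.add(challenge);
  return challenge;
}

// Client side (what the login form's script would compute and transmit).
function clientResponse(challenge, password) {
  return sha256(challenge + sha256(password));
}

// Server side: the challenge is consumed on first use, so a captured
// response cannot be replayed and is useless against any other challenge.
function verifyChallenge(challenge, response) {
  if (!outstanding.delete(challenge)) return false; // unknown or already used
  return safeEqual(response, sha256(challenge + storedHash));
}

// Constant-time comparison of two hex strings.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}
```

Neither scheme protects the session cookie issued after login, and neither stops an active man-in-the-middle from altering the script on an unencrypted login page; both of those need HTTPS.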
