On Oct 11, 2011, at 3:54 PM, Conan Kudo (ニール・ゴンパ) wrote:

> 2011/10/11 Josh Juran <j...@iswifter.net>
> 
>> To clarify, your browser sends your password to bugzilla in cleartext, since 
>> HTTPS isn't an option.
> 
> Shouldn't it be possible to modify the login environment so that a salted 
> hash of the password is produced before sending it to the server, to 
> strengthen the security a little bit?

That protects the password itself, but not the privilege it guards.

It also essentially makes JavaScript a requirement, which currently it isn't.

Josh
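
The point made in the reply above, as an added example that is not part of the original thread: when the login page sends a salted hash over plain HTTP, the hash itself becomes the credential, and the session cookie issued afterwards travels in cleartext too. The server class, salt, password and the choice of SHA-256 are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"          # constructed sample value
PASSWORD = "correct horse battery"  # constructed sample value


def client_side_hash(password: str, salt: bytes = SALT) -> str:
    """Value a login-page script would submit in place of the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


class LoginServer:
    """Hypothetical server that accepts the client-computed hash over plain HTTP."""

    def __init__(self, password: str):
        self.expected = client_side_hash(password)
        self.sessions = set()

    def login(self, submitted_hash: str):
        """Return a session cookie on success, None on failure."""
        if not hmac.compare_digest(submitted_hash, self.expected):
            return None
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def is_authorized(self, cookie) -> bool:
        """Any request carrying a known cookie gets the account's privilege."""
        return cookie in self.sessions


def demo() -> dict:
    server = LoginServer(PASSWORD)
    on_the_wire = client_side_hash(PASSWORD)  # the bytes visible in transit
    cookie = server.login(on_the_wire)        # the legitimate login
    replayed = server.login(on_the_wire)      # same bytes, no password known
    return {
        "password_on_wire": PASSWORD in on_the_wire,
        "replay_accepted": replayed is not None,
        "cookie_alone_authorizes": server.is_authorized(cookie),
        "wrong_hash_rejected": server.login(client_side_hash("guess")) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The password never appears in transit, yet the server cannot tell a resubmitted hash from a fresh login, which is why the transport itself has to be protected.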



