-
September 10th, 2004, 05:28 PM
#1
secure login
Over in questions about AO I've been talking about how I have a problem with signing into AO from computers I don't trust. MsM recommended that I make a suggestion about it...so here it is. Would it be feasible for us to have an encrypted/secure login similar to the one Hotmail/Yahoo uses for email login?
-
September 11th, 2004, 07:17 PM
#2
Greetings:
Unfortunately, this couldn't be done without a LOT of modification to the site code. Because of cookies, server sessions and the like, you would have to interact with the site entirely in SSL after you've been logged in. The site is just not designed for that...
There are some changes that I had in the works before I sold the site that could be implemented to help make things a bit more secure though. Such as a user security center, that would let them globally log out all cookies no matter what box they're on, limiting logins to certain IPs or subnets, show a list of all IPs that have accessed the site under their account, etc. etc. Features like that would be very easy to integrate, and much of the data necessary to work them is already (or at least was) collected by the site.
-
September 11th, 2004, 07:56 PM
#3
Keezel: Still doesn't stop keyloggers unfortunately..... You have to trust the machine you're on before the SSL makes the network you are on trustable......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
September 12th, 2004, 05:23 PM
#4
I've been using AO for over three years now, I think if someone really wanted to sniff my password they would have done so already.
Seriously though, I don't think SSL support for AO is really worth the hassle - it's not as if you're providing sensitive information such as credit card details. I guess we could have a secure sign in option (so that your username/password wouldn't be transmitted in plaintext - shouldn't be too difficult to implement) but the question you have to ask is whether it provides any benefit and to JM whether it would produce a return on the cost of implementing it.
-
September 12th, 2004, 05:29 PM
#5
I've been using AO for over three years now, I think if someone really wanted to sniff my password they would have done so already.
Not only that, but anyone trying to sniff out anyone's account on AO must really not have a life.
-
September 22nd, 2004, 03:57 PM
#6
I recall another request for a "delete all cookies" option, so that's been added, as an alternate logout option. Note that even for guest users, a cookie is set with a session hash and lastvisit timestamp. This means that immediately after you've removed all cookies, 2 new ones will be set containing that data. They won't be tied in any way to your account info.
So what cookies are removed?
- username
- password (which was encrypted when stored)
- lastvisit
- sessionhash
- threadview list
- h
I'm not mean. You're just a sissy.
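The "delete all cookies" logout described in the post above, as an added example that is not part of the post and not the site's code: it expires the account cookies and issues fresh guest `sessionhash` and `lastvisit` values. The cookie name spellings, the `SESSIONS`-style store passed in as `sessions`, and the server-side invalidation of the old session hash are assumptions that go beyond what the post states.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Assumed spellings of the account-related cookies listed in the post.
ACCOUNT_ONLY = ("username", "password", "threadview")
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def delete_all_cookies(cookie_header, sessions, now=None):
    """Build Set-Cookie values for a 'delete all cookies' logout.

    cookie_header: the raw Cookie request header from the browser.
    sessions: hypothetical server-side store, sessionhash -> username
              (None marks a guest session).
    """
    now = int(time.time() if now is None else now)
    sent = SimpleCookie(cookie_header)

    # Assumption: drop the old session on the server too, so a copy of
    # the hash left behind on an untrusted machine no longer works.
    old = sent.get("sessionhash")
    if old is not None:
        sessions.pop(old.value, None)

    out = SimpleCookie()
    # Expire the cookies that identify the account.
    for name in ACCOUNT_ONLY:
        if name in sent:
            out[name] = ""
            out[name]["max-age"] = 0
            out[name]["expires"] = EPOCH

    # Guests still get a session hash and lastvisit stamp; both are
    # freshly generated and carry no account data.
    guest_hash = secrets.token_hex(16)
    sessions[guest_hash] = None
    out["sessionhash"] = guest_hash
    out["lastvisit"] = str(now)

    # Path must match the path the cookies were set with, or the
    # browser keeps the old ones ("/" is assumed here).
    for morsel in out.values():
        morsel["path"] = "/"
        morsel["httponly"] = True
    return [m.OutputString() for m in out.values()]
```
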
-
September 30th, 2004, 04:18 PM
#7
Resurrecting the dead here, but this came in useful today. The admins in this one computer lab I use finally found their brains and disabled access to internet options in IE (other stuff had been disabled long ago) and I don't know of another way to delete cookies....and I *hate* leaving a trail with my usernames and passwords on computers. So...I just wanted to say: thanks!