Brad Fitzpatrick ([info]bradfitz) wrote in [info]news,
@ 2004-01-02 17:34:00
Enhanced Security
As we mentioned in yesterday's State of the Goat: 2004 (which you should read, btw! :-)), we now support secure logins and password changes.

This is especially important with everybody increasingly using wireless networks, which are usually unencrypted. You don't want your passwords flying around unprotected over the air!

The two new security features are:

SSL
We now use SSL (encryption) not only for payment processing, but also to let you create new accounts and change your password: the two pages that would otherwise send your password across the net in the clear.

Challenge/Response
If your browser supports JavaScript (almost all do), then the login page won't send your password in the clear either. Instead, the server sends a "challenge"; your browser's JavaScript combines it with your password and runs the result through a one-way hash, producing a "response" from which the password can't be recovered. Your browser then sends that response instead of the password, and the server computes the same value on its side and checks that the two match. If your browser can't do JavaScript, you can alternatively log in via SSL instead, and the interface will give you a link to do so.

All of this will happen automatically, so don't worry about doing anything special. If you have questions or find problems, contact support and we'll help you out.

Enjoy!

(P.S. We'll be supporting HTTP Digest Auth and challenge/response in the interface handlers soon, too.....)





[info]morallybass
2004-01-02 05:42 pm UTC
Are there analogous updates to the XMLRPC and CGI interfaces the majority of the 3rd party clients use?

Just a note to say
[info]mizcrank
2004-01-02 05:45 pm UTC
You guys rule.

That is all.

[info]squisheroo
2004-01-02 05:45 pm UTC
ooh, goodie. =oD!

voodooboi
2004-01-02 05:46 pm UTC
Awesome changes, SSI is much preferred in some people's opinions...
Bring on the State of The Llama, I say.
:D

[info]mia76
2004-01-02 05:46 pm UTC
oh... so THAT'S why I was logged off a couple of minutes ago when I set account to never log out. And when I logged in again it said I typed in the wrong password twice.

Thanks! ;) LJ rocks! Yay! :P

[info]benigma
2004-01-02 05:48 pm UTC
Sounds cool.
I'd sort of wish that you guys used LJ-CUTs.. :P

[info]spacebird
2004-01-02 05:51 pm UTC
Excellent work, as I've come to expect. The Challenge/Response system was a good idea to add too.

[info]desuete
2004-01-02 05:51 pm UTC
Ahhh, is this why cookies were a little off last night? I had to keep logging in.

[info]venus_orbiting
2004-01-02 05:53 pm UTC
Sounds great! Thanks as always for all the hard work, guys!

[info]jollyraincloud
2004-01-02 05:54 pm UTC
I have commented!

[info]bodosom
2004-01-02 05:54 pm UTC
I use Opera and Linux.

I found my way to the https://.../login.bml page and logged in, but all the references now go to httpS://..... which seems to not be working. Manually moving to the http://... side of things makes it ok.

Already? Wow.
[info]sapphirecat
2004-01-02 05:55 pm UTC
So The Register can no longer complain about LJ. w00t!

[info]supersat
2004-01-02 05:56 pm UTC
Do you have any plans to kill mailing out passwords in the clear and/or hashing passwords in the DB? Intercepting login passwords by sniffing network traffic seems like a pretty hypothetical problem, while I know many, many, many accounts have been compromised due to the password recovery feature.

[info]hellnawitsc
2004-01-02 06:03 pm UTC
I was wondering if you guys will have this thing where you can see which LJ users looked at your journal?

[info]kylecool
2004-01-02 06:15 pm UTC
ooo, that sounds really cool. :) I like that!

[info]hozed
2004-01-02 06:22 pm UTC
I'm a big fan of single-sign-on.. so I read the securityfocus article (http://www.securityfocus.com/news/7739) and immediately wondered how feasible it would be to implement support for either microsoft passport or Sun's Project Liberty "federated identity" stuff. (http://www.projectliberty.org/about/faq.html)

I personally wouldn't ever use passport, but I'd love to be able to run my own 'identity server' on my domain and be able to authenticate to livejournal with it.

So, any thoughts? I'd be very interested in helping test this out.

Frank doesn't thank me for my call anymore
[info]frezzen
2004-01-02 06:24 pm UTC
I posted via phone today and the lady didn't say "Frank the Goat appreciates your call". Did my cell just cut out or did you take that cute little line out?

More data?
[info]medievalist
2004-01-02 06:26 pm UTC
Pardon my technical naivete, but I've been engaged in some somewhat heated discussions with a web developer about a site with many many users who log in with passwords that are sent in the clear. We're moving to a wireless model, so the potential security issues worry me. I've been told that there is no way to combine javascript and SSL. This sounds idiotic to me, but I need to have "proof." Can someone point me to URLs or even the terms I should research to then help the web guy--who probably just doesn't realize this is possible, he's not a bad guy--do what y'all have done?

Thanks--and I know you're way busy, so don't spend a lot of time, and feel free to ignore me.

noxotherxonexx
2004-01-02 06:30 pm UTC
sounds great.

thanks

[info]evilnightngale
2004-01-02 06:43 pm UTC
Awesome. Thank you.

[info]madrigal73
2004-01-02 06:44 pm UTC (