Author Topic: SSL Login  (Read 1391 times)
CrYpTiC_MauleR
Site Builder

« on: May 26, 2006, 08:53:26 AM »

I propose that the login form at the bottom of the main forum page be removed and that logging in be allowed only via the login button at the top right of the screen, which defaults to an SSL login. I believe this to be more secure for higher permission accounts and regular users.

1) Yes, change it to more secure method
2) No, keep it as it is

[x] Fight | www.crypticmauler.com
"You must be
rdivilbiss
Governing Council Member
« Reply #1 on: May 26, 2006, 09:14:45 AM »

Quote from: "CrYpTiC_MauleR"
I believe this to be more secure for higher permission accounts


I think the higher permission account holders are probably aware of the preferred method of logging in.

While I would not object to forcing all logins to occur via SSL, for those who wish to cache credentials this may cause a problem.

I do not want to log in every time I visit the forum.

If changing all the login URLs to point to a https page does not break that, then I do not object.

Rod
COBOLdinosaur
ERT.com Admin

« Reply #2 on: May 26, 2006, 04:09:31 PM »

I tend to shy away from sites that do secure logons, because they frequently bring you into a secure area to try and sell you something.  A secure logon might deter some visitors from registering.

I don't see much to be gained from using a secure logon when the back end is PHPBB.  SSL should be used where there is a real need for security.  If you are going to have a secure logon then give the user an option the way Yahoo, Excite and most other portals do.

This is an option that the user should control, not the site.
CrYpTiC_MauleR
Site Builder

« Reply #3 on: May 26, 2006, 04:26:01 PM »

Some good points. I was also thinking about giving the option, like Yahoo does, with a 'Secure' link next to the login form to log in that way.

If having an SSL login page deters visitors, how about what Yahoo uses on the insecure page: they hash the password in JS (if JS is enabled) and send the hash to the server, which then compares it to the hash in the database (season it up first with some salt). It's the same method I use on my site as a fallback for people who don't have SSL or don't want to bother using SSL. That way their password is not sent in plain text and they are not even aware they are being protected through the hashing.

[x] Fight | www.crypticmauler.com
"You must be
COBOLdinosaur
ERT.com Admin

« Reply #4 on: May 26, 2006, 06:59:09 PM »

I have used hash as well.  It is really transparent to the user, and as far as having JS enabled, I don't think that is a problem for ERT.  The stats you see for the web say 9-11% have JS disabled, but the stats for ERT.com (including the forum before the spinoff) have never shown more than 2% disabled.  The two percent are not likely to be members because there are other things on the sites that need to have JS enabled, and there has never been a complaint (AFAIK) from any member that they had a problem because of JS disabled.

So the optional (Yahoo style) login with a hash for non-secure sounds like a winner to me.
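
The hashed fallback login discussed in the replies above, as an added example that is not part of the thread or the forum's own code: when the server issues a one-time nonce and the browser hashes it together with the salted password hash, a response captured on the wire cannot be replayed later. The function names, the choice of SHA-256 and the sample passwords are assumptions, and the code runs under Node.js so that both sides fit in one file.

```javascript
// Added example: nonce-bound password hashing for a login form served
// without SSL. All names and sample values here are constructed.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const sha256 = (...parts) =>
  createHash('sha256').update(parts.join(':')).digest('hex');

// What the server keeps per user: a salt and H(salt:password), never the password.
function makeUserRecord(password) {
  const salt = randomBytes(16).toString('hex');
  return { salt, stored: sha256(salt, password) };
}

const pendingNonces = new Set(); // one-time challenges the server has issued

// Server, step 1: send the user's salt plus a fresh nonce with the login form.
function issueChallenge(user) {
  const nonce = randomBytes(16).toString('hex');
  pendingNonces.add(nonce);
  return { salt: user.salt, nonce };
}

// Browser: the same logic would run in page script; only its result is sent.
function clientResponse(password, { salt, nonce }) {
  return sha256(nonce, sha256(salt, password));
}

// Server, step 2: accept a response once, and only for a nonce it issued.
function verifyLogin(user, nonce, response) {
  if (!pendingNonces.delete(nonce)) return false; // unknown or reused nonce
  const expected = Buffer.from(sha256(nonce, user.stored), 'hex');
  const got = Buffer.from(String(response), 'hex');
  return got.length === expected.length && timingSafeEqual(got, expected);
}

// Constructed walk-through: a normal login, then reuse of the captured response.
function demo() {
  const user = makeUserRecord('correct horse');
  const c1 = issueChallenge(user);
  const captured = clientResponse('correct horse', c1);
  const first = verifyLogin(user, c1.nonce, captured);      // genuine login
  const replaySame = verifyLogin(user, c1.nonce, captured); // nonce already used
  const c2 = issueChallenge(user);
  const replayNew = verifyLogin(user, c2.nonce, captured);  // bound to old nonce
  const c3 = issueChallenge(user);
  const wrongPw = verifyLogin(user, c3.nonce, clientResponse('wrong guess', c3));
  return { first, replaySame, replayNew, wrongPw };
}
```

The stored hash is still a password-equivalent secret on the server side, and on a non-SSL page anyone able to alter traffic can change the script itself, so this scheme only addresses passive sniffing of the login request.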