From Wikipedia:
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.
SSL has been around since 1994. 1994 was the year of NAFTA. Lorena Bobbitt. The Nancy Kerrigan verdict. Nirvana's last show. The release of the side-scrolling DOS game Jazz Jackrabbit. The opening of the Chunnel. The premiere of Friends. Netscape Navigator 1.0 (1.0!!!) was released. The Whitewater scandal began.
In short, SSL has been around for a long time.
So why is the login page not protected by SSL? (And for you non-tech-weenies, why does it matter?)
UPDATE 1 (11/24/2007 1:27 PM): Thanks to SeattleLiberal for the info on the tech support address. I sent an email to the tech support folks to see if there's a way to get SSL on the login page. I'm putting my money where my mouth is, and am willing to contribute to make this happen.
Why should we care?
- Unencrypted passwords can be obtained in transit.
Most of us are rather mobile, and will sign in to Daily Kos on public networks such as coffeehouses, libraries, etc. Most of these networks either have no security (no password is required to connect) or they use WEP. WEP stands for Wired Equivalent Privacy, and is not an encryption protocol. Information that is "protected" by WEP can be decrypted in real time by any average laptop computer on the market today. Therefore, relying on the security of the underlying network connection is not acceptable. With relative ease, your userid and password for Daily Kos can be obtained as you enter them, since the connection between your browser and the Daily Kos server is not encrypted via SSL.
- Daily Kos accounts can be hijacked.
With a username and password that were obtained in transit, a malicious user could log in using your Daily Kos account and make false posts, comments, etc., or change your password and email address, or change profile information, or otherwise perform malicious activities in your name.
- Other accounts used by you can be hijacked.
Most users, myself included, use one or two or three passwords for all of their accounts across the Internet. If my Daily Kos userid and password are obtained, there is a good chance that either that userid and password combination, or at least the password, are in use on one or more other sites across the Internet. Therefore, your Instant Messenger, email, and online banking or PayPal accounts might be at risk, which leaves room for identity theft and serious damage to your credit and personal life.
What can be done?
- Kos could purchase an SSL certificate for $250-$500 per year and apply it to http://www.dailykos.com/... (making it https://www.dailykos.com/...), solving the problem.
- Users who are concerned about this could change their Daily Kos password to a password that is not used by any of their other accounts on the Internet. Therefore, if their password is compromised, malicious users couldn't hack into other accounts held by that person elsewhere on the Internet. (This is a good idea anyway.)
Serious security flaw, cheap and easy fix. Make it happen, man!