On Oct 11, 2011, at 3:54 PM, Conan Kudo (ニール・ゴンパ) wrote: > 2011/10/11 Josh Juran <josh@xxxxxxxxxxxx> > >> To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option. > > Shouldn't it be possible to modify the login environment so that a salted hash of the password is produced before sending it to the server, to strengthen the security a little bit? That protects the password itself, but not the privilege it guards. It also essentially makes Javascript a requirement, which currently it isn't. Josh
