Log-in to websites without TLS/SSL

<- Return to Programming blog
I wanted to see if it would be possible to create a secure log-in form on a website where TLS/SSL is not available. Of course this is not meant to replace TLS/SSL; there are many reasons why TLS/SSL is far superior. But for simple sites I wanted to see if there was an option which is better than sending credentials in plain-text.

The system I came up with is similar to HTTP digest authentication and CRAM-MD5, but offers a few improvements. All it requires on the client-side is a simple JavaScript routine. It also relies on the Crypt-JS library.

So click here for a live demo, and please try my challenge to crack it!