by volida 6585 days ago
You are saying that if someone is encrypting the password using RSA in JavaScript and then using the hash to exchange the password between server/client, it is vulnerable because someone can interfere in the traffic and change the JavaScript served to the user, so that the password is sent in plaintext, and therefore steal the password?

Then why do Meebo and other sites practise this method without security problems?

1 comments

The canned argument is: No known security problem does not mean no security problem.
That's not the argument here, though. The proposed solution --- and the one that Meebo uses, when you don't use their SSL login --- has a glaring security problem.
I wasn't proposing it; I asked if that's what you meant.
I was implying, how come they didn't run into a security problem when they are practising a non-safe method? Why do they expose so many users to such danger without their knowledge?