Support » Plugin: Semisecure Login Reimagined » Notes from the author

  • Plugin Author laceous


    Hey, I wrote Semisecure Login Reimagined. I thought I’d respond to a couple of posts.

    1) Can I take over as the plugin author?

    I’d suggest just creating a new fork. Semisecure Login Reimagined started as a fork of Semisecure Login… which was also similar to (and/or based on) Chap Secure Login. There’s a bit of a history of spinning up your own version 🙂

    2) This plugin is pointless!

    The point of this plugin was to NOT pass your password in the clear over http. As long as you were using JavaScript in your browser, any passive network listeners wouldn’t know your password. This was a potential concern due to the fact that so many people use the same password for different sites.

    This plugin would NOT stop someone on the network from learning your session ID (i.e. they could pretend to be you within your WP install).

    This plugin would NOT stop a targeted man-in-the-middle attack. The JavaScript that encrypts your password comes from the server-side (or the “man in the middle”).

    3) Alternatives

    Today, I’d recommend going with an SSL/TLS certificate and signing in over https.

    There are a few places you can get a “real” certificate for free. Or you can just go with a self-signed cert. This will encrypt your entire client -> server communication rather than just encrypting the password part. A self-signed cert doesn’t have the same level of trust as a “real” cert issued by someone trustworthy, but it’s not any less trustworthy than what this plugin offers.

    You also don’t need a dedicated IP anymore for https. SNI allows for multiple certs on the same IP. cPanel even added support for it last year. However, some browsers on Windows XP don’t support SNI so that could be a sticking point.
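
The trade-off described under point 2, as an added example that is not part of the original post and is not the plugin's code: a constructed login over plain HTTP, checked for which secrets a passive listener can read. The HMAC challenge-response stands in for the plugin's JavaScript encryption step, and the paths, field names and cookie name are assumptions.

```python
import hashlib
import hmac
import secrets

PASSWORD = "S3cret-constructed-pw"  # constructed sample value

def client_response(password: str, nonce: str) -> str:
    """Browser-side stand-in: send HMAC(password, nonce), never the password."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()

def server_accepts(password: str, nonce: str, response: str) -> bool:
    """Server recomputes the digest for the nonce it issued."""
    return hmac.compare_digest(client_response(password, nonce), response)

def login_over_http(password: str, protect_password: bool):
    """Return (cleartext capture, session_id) for one constructed login."""
    nonce = secrets.token_hex(16)
    session_id = secrets.token_hex(16)
    pwd_field = client_response(password, nonce) if protect_password else password
    if protect_password and not server_accepts(password, nonce, pwd_field):
        raise ValueError("challenge-response check failed")
    # Everything below travels unencrypted, so a listener sees all of it.
    capture = "\r\n".join([
        "GET /login HTTP/1.1",                       # hypothetical path
        "HTTP/1.1 200 OK",
        f"<script>var nonce = '{nonce}';</script>",  # server-supplied script
        "POST /login HTTP/1.1",
        f"user=admin&pwd={pwd_field}",               # hypothetical field names
        "HTTP/1.1 302 Found",
        f"Set-Cookie: session={session_id}; HttpOnly",
        "GET /admin/ HTTP/1.1",
        f"Cookie: session={session_id}",
    ])
    return capture, session_id

def visible_to_passive_listener(capture: str, secrets_by_name: dict) -> set:
    """Names of the secrets that appear verbatim in the cleartext capture."""
    return {name for name, value in secrets_by_name.items() if value in capture}

if __name__ == "__main__":
    for protect in (False, True):
        capture, sid = login_over_http(PASSWORD, protect)
        seen = visible_to_passive_listener(
            capture, {"password": PASSWORD, "session_id": sid})
        print(f"password protected={protect}: listener sees {sorted(seen)}")
```

In both runs the session ID stays readable on the wire; only signing in over https, as recommended under point 3, takes the whole exchange out of the capture.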
