Quote Originally Posted by szlamany:
I simply cannot rest on the fact that they will always force a redirect to HTTPS (although I have been for a decade now). I've got too many clients (with too large IT departments) where my implementations are sometimes the least important. And they can always break the redirect in the future with an IIS migration, and then I'm the bad guy for sending PWs in clear text.

I was thinking that the page loads initially with a hidden field to start a challenge. Immediately, JavaScript grabs that value and deletes the DOM field; that can happen pretty quickly. And if I hide that code well, no one will ever find it... Now I have something to hash the password with and send to the server. Then I immediately delete the variable holding the hidden value. Granted, someone who is super bored can break all this, but that has to coincide with a transmission over HTTP, which should be super rare.

Can I detect on the server that the page is being served to an HTTP vs HTTPS request?
A bigger issue than just sending the password is how you are going to track whether a user is logged in or not. If you are storing any form of credential/token and then transmitting it as part of a request, e.g. in a header or a cookie, a hacker would just need to intercept the request, isolate the token and then attach that to any requests they make. There is no need to intercept the username and password if they can simply wait for a user to be authenticated and then impersonate them...

If your clients aren't able or willing to use HTTPS then you are pretty much fighting a losing battle. It is like having a company that complains about stock being stolen but refuses to put locks on the doors. A company needs to take responsibility for its own security; HTTPS is not difficult, isn't expensive, and quite frankly it should be an absolute minimum for anything that warrants any degree of security. If the underlying connection is insecure then anything you do over the insecure connection is already insecure.
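To make the session-replay point above concrete, here is an added example; it is my illustration, not code posted by either participant. It uses Python stand-ins for the server (an in-memory session store, a `whoami` lookup, and a `request_is_https` check that answers the "can the server tell HTTP from HTTPS?" question) and for an attacker who captures one plaintext request. The names `SESSIONS`, `login`, `handle`, `sniff_cookie`, `replay` and the captured request are all constructed for the demonstration.

```python
# Added example (not code from the thread): a Python stand-in for the server
# and for an attacker on the wire, showing that a session cookie carried over
# plain HTTP can be replayed no matter how the password itself was sent, plus
# a server-side check for "did this request actually arrive over TLS?".
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: token -> username.
SESSIONS = {}


def login(username: str) -> str:
    """Server: after a successful login, mint a random session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def session_cookie_header(token: str) -> str:
    """Server: the Set-Cookie value. 'Secure' stops a browser from ever sending
    this cookie over plain HTTP, so a broken HTTPS redirect cannot leak it."""
    return f"sid={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def whoami(cookie_header: str):
    """Server: resolve the 'sid' cookie to a user, or None if unknown/missing."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


def request_is_https(scheme: str, headers: dict, from_trusted_proxy: bool) -> bool:
    """Server: was this request made over TLS?  Behind a TLS-terminating load
    balancer the socket the app sees is plain HTTP, so X-Forwarded-Proto is
    consulted only when the immediate peer is that trusted proxy (any client
    can set the header to whatever it likes)."""
    if scheme.lower() == "https":
        return True
    if from_trusted_proxy:
        return headers.get("X-Forwarded-Proto", "").lower() == "https"
    return False


def handle(scheme: str, headers: dict, from_trusted_proxy: bool):
    """Server: refuse to honour a session cookie that arrived in the clear,
    otherwise resolve it.  Returns the username or None."""
    if not request_is_https(scheme, headers, from_trusted_proxy):
        return None
    return whoami(headers.get("Cookie", ""))


def sniff_cookie(raw_request: bytes) -> str:
    """Attacker: pull the Cookie header out of a captured plaintext request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            return value.strip()
    return ""


def replay(raw_request: bytes):
    """Attacker: attach the sniffed cookie to a fresh HTTPS request of their own."""
    forged = {"Cookie": sniff_cookie(raw_request)}
    return handle("https", forged, False)


def demo():
    """Constructed scenario: alice logs in, her browser sends one request over
    HTTP (say the redirect broke after a migration), the attacker copies the
    cookie and impersonates her.  The password never had to be intercepted."""
    token = login("alice")
    captured = (b"GET /account HTTP/1.1\r\n"
                b"Host: example.test\r\n"
                b"Cookie: sid=" + token.encode() + b"\r\n\r\n")
    return replay(captured), handle("http", {"Cookie": f"sid={token}"}, False)


if __name__ == "__main__":
    hijacked, honoured_over_http = demo()
    print("attacker is now:", hijacked)
    print("server honours session sent over HTTP:", honoured_over_http)
```

Note the order of events in `demo()`: the server refusing to act on cookies that arrive over HTTP (`handle` returning `None`) does nothing for alice once the cookie has already crossed the wire in the clear, because the attacker simply replays it over HTTPS. What prevents the leak is never letting the browser send the cookie over HTTP in the first place (the `Secure` attribute, and HSTS so the browser refuses the plain-HTTP connection), which is why the reply's "insecure underneath means insecure on top" conclusion holds regardless of any client-side hashing trick.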