...

Although SSL is widely used to allow users to log in securely to web sites, it is not the only method that modern browsers support. Another method, which is at least as secure as SSL (if not more so), is called Integrated Windows Authentication (hereafter called IWA). Most web browsers (all versions of Internet Explorer, and recent versions of Gecko-based browsers such as Firefox 1.0) support IWA.

In some ways IWA is more secure than SSL since IWA never sends the username and password to the remote web server. Although SSL sends the username and password in an encrypted format, once it arrives at the web server it is in clear-text and could be accidentally exposed by an inexperienced web programmer. IWA does not suffer from this vulnerability since the username and password never leave the browser.

...

If the User Provides the Wrong Password


A new challenge is presented to the user for every request, which prevents a hacker from assuming the identity of the user to request other pages that the user hasn't authenticated to yet.

Conclusion

IWA is a valid and secure way for web sites to authenticate users over insecure networks such as the internet. The username and password are never sent in clear-text over the network - they are held by the browser and used to answer challenges from the remote web server. It is just as secure as SSL (if not more so), and uses visual cues to indicate to the user who is requesting their credentials. If the user trusts the web site, then they can feel comfortable submitting their credentials to it. A new challenge/response is exchanged between the remote web server and browser for every new request.
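The challenge/response idea described above can be sketched as follows. This is an added, simplified example and not the actual IWA protocol or code from this page: it assumes HMAC-SHA256 over a random per-request challenge, and the class names, user name, password and salt are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    # Both sides derive the same key from the password. Only answers computed
    # with this key cross the network, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self, username: str, password: str, salt: bytes):
        self.keys = {username: derive_key(password, salt)}
        self.pending = {}  # username -> outstanding challenge

    def issue_challenge(self, username: str) -> bytes:
        # A fresh random challenge for every request.
        self.pending[username] = secrets.token_bytes(16)
        return self.pending[username]

    def verify(self, username: str, response: bytes) -> bool:
        challenge = self.pending.pop(username, None)  # each challenge is single use
        key = self.keys.get(username)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Browser:
    def __init__(self, password: str, salt: bytes):
        self.key = derive_key(password, salt)

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def demo():
    salt = b"constructed-salt"  # constructed sample value
    server = Server("alice", "correct horse", salt)
    good, bad = Browser("correct horse", salt), Browser("wrong password", salt)
    captured = good.answer(server.issue_challenge("alice"))
    first = server.verify("alice", captured)      # correct password
    server.issue_challenge("alice")               # next request, new challenge
    replayed = server.verify("alice", captured)   # old answer, new challenge
    wrong = server.verify("alice", bad.answer(server.issue_challenge("alice")))
    return first, replayed, wrong
```

A response captured from one request fails against the next challenge, and a wrong password produces an answer the server rejects.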

For GLAST users, since SCS has vetted the web site http://glast-ground.slac.stanford.edu/, they can trust that security is implemented properly and should feel secure in using it.