DotNetNuke Support Forums

MD5 secured login without SSL enabled


mnongkhlaw
Posts: 4
05/21/2008 6:39 AM

I need to provide MD5 secured login without SSL enabled.

Why this is needed: Hackers can sniff your connection for outgoing packets. If your password is in clean text, your site can be easily hacked as DNN's admin is purely web based.

I need to encrypt login password with a salt generated from server before sending to server for authentication. So even if someone is sniffing my connection, he will get an encrypted string (with salt).

Would be grateful if someone can provide me the way to do it.

P.S. In fact, I noticed that while logging in to this site also the password was sent in clear text!

John Mitchell
Posts: 3550
05/21/2008 8:17 AM

Right, on this site the password is entered in clear text, but it is sent over a secure channel using SSL, so it can't be sniffed.

I don't know of anyone that has implemented MD5 on the client for DNN. To do it you would need to also store the passwords in DNN using the same MD5 hash, which is possible in DNN, but there would have to be changes to the core code.

You say that someone will get an encrypted string if you hash it with salt on the client, but technically what they will get is an irreversible hash. If that same hash is used to compare the password on the server then it is still the same as sending clear text. I would still protect the hashed password with SSL if you are concerned about network sniffing.
mnongkhlaw
Posts: 4
05/22/2008 12:50 AM

Thanks, John.

I forgot to mention that I used a tool called TamperIE while logging in to this site and it displayed the password in clear text. Unfortunately, for obvious reasons, I cannot attach the screenshot here. I believe, even Burp Proxy would show the password in clear text. You mentioned that the password is sent over an SSL-secured channel. This led me to understand that either (i) the password is being caught by TamperIE BEFORE being placed on the SSL wire or (ii) SSL is not sufficient (a rather unlikely possibility). Your comments on this would most certainly clear up my doubts.

Regarding implementing MD5 on the client, I read an old post http://forums.asp.net/p/361518/361518.aspx#361518 but the solution given therein doesn't seem to be applicable to the latest version of DNN. Elsewhere, I read that there is a directive like hashAlgorithm="MD5" when using the DNNSQLMembershipProvider as opposed to the supposedly newer AspNetSqlMembershipProvider, although what this directive actually does is not clear to me.

All in all it looks like SSL is the way to go as changing the core code is not a very pleasant proposition for me but what if my host will not allow SSL?

mnongkhlaw
Posts: 4
05/27/2008 3:12 AM

My DNN site never got thru internal audit. One reason cited for this was that the password was sent in clear text. I know I'll be better off with SSL, but I'm just worried about the scenario where my host might not enable or even allow SSL support. So, what I'd like to know is how to configure the AspNetSqlMembershipProvider not just to store the password in the database in hashed or encrypted form, but also to encrypt or hash the password sent over the wire (when SSL is not enabled). More specifically, what JavaScript needs to be written to match the storage format for the password on the server, i.e., Hashed (SHA1), or Encrypted (Triple-DES) and what .vb file has to be modified to call this JavaScript function? In fact, I'm surprised why this kind of thing was never included with DotNetNuke in the first place, it would have made life for newbies like me a lot more pleasant. In fact, even client-side validation for a number of core modules in DNN seems to be lacking which is another reason why my DNN site was unable to get thru internal security audit. I hope someone will now be willing to offer some tips.

John Mitchell
Posts: 3550
05/27/2008 8:09 AM

To do a secure login system without SSL you'll need a challenge-response type system.

There is a good explanation of one here:

http://pajhome.org.uk/crypt/md5/auth.html

You can use whatever hash algorithm you like, but MD5 is my preference, and it can be done in JavaScript.

It would take several hours of rework in the core to get a challenge response system working, so I can't really give you a good answer about what exactly to change.

If your host doesn't support SSL and you need this kind of security, then you should really get a new host.

mnongkhlaw
Posts: 4
05/28/2008 4:19 AM

Thank you, John. You've been immensely helpful. Better than DNN forums!

In this connection, I would like to know whether Windows Live authentication would solve my problem, as it looks like you can log in only if you have associated a Windows Live ID with your user account, and the secret key and Application ID combined with the Information Card seem to be the key mechanisms to thwart any eavesdropping attacks, as Windows Live authentication can also go through a secure channel.

And it looks like it will also take care of the situation where a host does not provide SSL support.

What are your thoughts on this?
