I hired a developer to implement them; however, he refused, saying he thinks it would be an insecure way to transmit sensitive information.
I emailed his response to the company, who seem not to care, and although I've repeatedly asked if the code is secure, they avoid answering.
Is it possible to post the scripts so somebody can look over them and advise whether they're secure or not?
The issue is that the company is a text and email marketing organisation with many resellers. My developer (who may be wrong) said that if the passwords were intercepted, it would give access to marketing databases containing personal information: names, email addresses, cell phone numbers, etc.
And if they are not secure, it's the way the company has been advising their resellers to set up their systems for well over a year, so it's not an isolated situation.
After I repeatedly asked for clarification, they eventually came back with:
I received some additional information from our developers. To sum it up, we will need to turn on SSL, which will provide additional security, but there are some downsides. Here are your options:
1. Setting up Proxy
You can set up an Apache proxy server and maintain it. We can access the server and set it up to host your reseller site. Maintenance of the server will be the customer's responsibility.
2. Redirecting URL
The same single sign-on process to xxx's web server, on a different domain than the customer's own domain, with SSL. This may cause the browser to pop up a warning message stating that the user is being redirected to a non-secure web page.
This can be enabled on your hosted domain, but by turning this on, XP will not be supported on your platform. It is one of the limitations of having SSL activated.
Let me know if you have any questions.
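As an added illustration of option 1 above (this is not from the original post or from the company's email), here is the general shape of an Apache reverse-proxy configuration that terminates TLS on the reseller's own domain and forwards the login/SSO traffic to the vendor platform over HTTPS as well. The hostnames, certificate paths, CA bundle path and backend URL are placeholders I have assumed for the example; the real values would come from the reseller and the vendor.

```apache
# Added example: Apache reverse proxy terminating TLS for a reseller site.
# Hostnames, certificate paths and the backend URL are placeholders (assumed).
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers to be loaded.

<VirtualHost *:80>
    ServerName reseller.example.com
    # Never serve the login form over plain HTTP; send every request to HTTPS.
    Redirect permanent / https://reseller.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName reseller.example.com

    # TLS for the browser-to-proxy hop (certificate for the reseller's own domain).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/reseller.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/reseller.example.com.key
    # Disable obsolete protocol versions.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Tell browsers to use HTTPS only for this host from now on.
    Header always set Strict-Transport-Security "max-age=31536000"

    # TLS for the proxy-to-vendor hop, so the credentials are not in
    # cleartext on either leg. The backend certificate is verified against
    # a CA bundle (path assumed; adjust for the distribution in use).
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPass        / https://platform.vendor.example/
    ProxyPassReverse / https://platform.vendor.example/
</VirtualHost>
```

The point of the example is that the browser's connection to the reseller's domain and the proxy's connection to the vendor's platform are both encrypted; a proxy that only adds HTTPS on the front and forwards over plain HTTP to the backend would still expose the passwords on the second hop.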