At 11:32 PM -0500 1/5/04, Rich Salz wrote:
>Then my requirement of limited exposure isn't met. Even worse, if *any*
>packet is stolen, then my password is exposed. The only way to prevent
>this is to use SSL for all traffic, which is not always a feasible,
>or even reasonable, trade-off.
>
What you state is only true for the basic authentication scheme.
Modern browsers and servers support digest authentication which
securely transmits an encrypted password even over a plain HTTP
connection. Only the password need be encrypted if the rest of the
data isn't sensitive, so unnecessary cost is paid. This is described
in RFC 2617 ftp://ftp.isi.edu/in-notes/rfc2617.txt
--
Elliotte Rusty Harold
elharo@metalab.unc.edu
Effective XML (Addison-Wesley, 2003)
http://www.cafeconleche.org/books/effectivexml
http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
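As an added example (not part of the original thread), here is the RFC 2617 digest computation the reply refers to, with qop=auth: the client sends MD5 digests bound to a server nonce rather than the password itself, and the server checks them from a stored H(A1). The user, realm, nonce and response values are those of the worked example in RFC 2617 section 3.5; the `DigestVerifier` class and its nonce-count replay check are my own construction.

```python
import hashlib
import hmac


def _h(s: str) -> str:
    """H() from RFC 2617: MD5 over the string's bytes, as lowercase hex."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = H(username:realm:password). The only step that touches the password."""
    return _h(f"{username}:{realm}:{password}")


def digest_response(h_a1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = KD(H(A1), nonce:nc:cnonce:qop:H(A2)), A2 = method:uri (RFC 2617 3.2.2.1)."""
    h_a2 = _h(f"{method}:{uri}")
    return _h(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


class DigestVerifier:
    """Server side (constructed): keeps H(A1) per user, never the password,
    and rejects a (nonce, nc) pair that has already been accepted."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users: dict[str, str] = {}          # username -> H(A1)
        self.seen: set[tuple[str, str]] = set()  # accepted (nonce, nc) pairs

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str) -> bool:
        h_a1 = self.users.get(username)
        if h_a1 is None or (nonce, nc) in self.seen:
            return False
        expected = digest_response(h_a1, method, uri, nonce, nc, cnonce)
        ok = hmac.compare_digest(expected, response.lower())  # constant-time compare
        if ok:
            self.seen.add((nonce, nc))
        return ok


# Values from the worked example in RFC 2617 section 3.5.
RFC_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC_RESPONSE = "6629fae49393a05397450978507c4ef1"


def rfc2617_example() -> str:
    """Recompute the section 3.5 response for user Mufasa; expected RFC_RESPONSE."""
    return digest_response(ha1("Mufasa", "testrealm@host.com", "Circle Of Life"),
                           "GET", "/dir/index.html", RFC_NONCE, "00000001", "0a4f113b")
```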