At 11:32 PM -0500 1/5/04, Rich Salz wrote:
>Then my requirement of limited exposure isn't met. Even worse, if *any*
>packet is stolen, then my password is exposed. The only way to prevent
>this is to use SSL for all traffic, which is not always a feasible,
>or even reasonable, trade-off.
What you state is only true for the basic authentication scheme.
Modern browsers and servers support digest authentication which
securely transmits an encrypted password even over a plain HTTP
connection. Only the password need be encrypted if the rest of the
data isn't sensitive, so no unnecessary cost is paid. This is described
in RFC 2617 ftp://ftp.isi.edu/in-notes/rfc2617.txt
Elliotte Rusty Harold
Effective XML (Addison-Wesley, 2003)
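An added illustration of the RFC 2617 digest scheme discussed in the reply (example code written for this page, not from the poster): the client sends a hash derived from the password, nonce and request, and the server verifies it from a stored H(A1) without ever seeing the password on the wire. The sample username, realm, password and nonce are the ones in the RFC's own worked example.

```python
import hashlib
import hmac
import os
import re

def h(data: str) -> str:
    """H() from RFC 2617: MD5 of the string, as lowercase hex."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5. A server may store this per user instead of the password."""
    return h(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = KD(H(A1), nonce:nc:cnonce:qop:H(A2)) for qop=auth (RFC 2617 3.2.2.1)."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def authorization_header(username, realm, password, method, uri, nonce,
                         nc="00000001", cnonce=None):
    """Client side: build the Authorization header. The password itself never appears in it."""
    cnonce = cnonce or os.urandom(8).hex()
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    fields = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
              f'uri="{uri}"', "qop=auth", f"nc={nc}", f'cnonce="{cnonce}"',
              f'response="{resp}"']
    return "Digest " + ", ".join(fields)

def parse_digest(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and unquoted values)."""
    pairs = re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):])
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3) for m in pairs}

def verify_digest(header, method, stored_ha1, issued_nonce):
    """Server side: recompute the response from stored H(A1); compare in constant time."""
    p = parse_digest(header)
    if p.get("nonce") != issued_nonce or p.get("qop") != "auth":
        return False  # nonce we did not issue, or a qop this checker does not handle
    try:
        expected = digest_response(stored_ha1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    except KeyError:
        return False  # malformed header
    return hmac.compare_digest(expected, p.get("response", ""))

if __name__ == "__main__":
    # Constructed request using the values from the worked example in RFC 2617 section 3.5.
    print(authorization_header("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                               "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                               cnonce="0a4f113b"))
```

Note that only the credential is protected this way: the request and response bodies still travel in the clear, so the scheme suits the case in the reply where the other data isn't sensitive.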