Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
- From: "Pete Cordell" <petexmldev@codalogic.com>
- To: "Michael Sokolov" <sokolov@ifactory.com>
- Date: Mon, 30 Jan 2012 09:46:33 -0000
Original Message From: "Michael Sokolov"
(I've flipped the order of Michael's reply to make the more important
comment first.)
> But yes, it's not good for public-facing auth, etc, and probably people
> (like you!) who don't know what it is have used it as if it were secure,
> so for that reason I agree with you, it's not the sort of standard that
> should be promulgated.
I think that's the rub. We all know that passwords should be kept secret,
and for a mechanism whose primary purpose is to exchange passwords it surely
has a duty of care to help maintain that secrecy. Sending passwords over
the Internet in the clear seems no more acceptable than storing passwords in
a file in plain text. No serious system would do the latter, so I think
it's only reasonable that we should object when systems do the former. "We
never said it was secure" is not an acceptable defence IMHO.
> It's actually pretty useful as an insecure *identification* mechanism. EG
> if you're operating inside a firewall and just want to give people a
> mechanism to say who they are, allowing for the fact someone might
> impersonate someone else, etc. Not every authentication mechanism has to
> be secure, just like not every door has to be locked - I mean do you lock
> your bathroom door? Closing it is enough; people knock and identify
> themselves.
True, but it doesn't seem so much harder to always use Digest. Surely it's
just calling a different function for most people? (Digest may have its
weaknesses too, but that's a reason for making a stronger scheme rather than
giving up completely.)
I feel a bit like a disgruntled customer who's found his product doesn't do
what he thought it did based on the shining ads, and who, on ringing a help
line, is told that he should have read the small print on page 215 :-)
Pete Cordell
Codalogic Ltd
Interface XML to C++ the easy way using C++ XML
data binding to convert XSD schemas to C++ classes.
Visit http://codalogic.com/lmx/ or http://www.xml2cpp.com
for more info
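As an added illustration of the two points argued above, not code from the thread or from any of its participants: what a reviewer actually recovers from a Basic `Authorization` header seen on a plain-HTTP connection, how the charset question in the subject line shows up when the same bytes are decoded two ways, and, for contrast, the RFC 2617 Digest computation in which the password never leaves the client. The captured request is constructed for this example (the credentials are invented), and the Digest check uses the published RFC 2617 test vector.

```python
"""Basic vs. Digest, as seen by an auditor reading a captured request."""
import base64
import hashlib
from typing import List, Optional, Tuple

# Constructed sample request, standing in for one captured on a plain-HTTP
# connection. Credentials are made up: "alice" / "pässw0rd" (UTF-8 encoded).
SAMPLE_BASIC_REQUEST = (
    "GET /private/report HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6cMOkc3N3MHJk\r\n"
    "\r\n"
)


def authorization_header(raw_request: str) -> Optional[str]:
    """Return the value of the Authorization header, or None if absent."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return value.strip()
    return None


def decode_basic(header_value: str, charset: str = "utf-8") -> Tuple[str, str]:
    """Recover (user-id, password) from 'Basic <base64>'.

    Basic is only Base64, so this is a decode, not a break. RFC 7617 lets a
    server advertise charset="UTF-8" in its challenge; without it the mapping
    from bytes to characters is historically unspecified, which is why the
    same token can yield different passwords under different charsets.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True)
    user, sep, password = raw.decode(charset).partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: no ':' separator")
    return user, password


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """RFC 2617 Digest response for algorithm=MD5, qop=auth.

    The password enters only through HA1; the wire carries a hash bound to
    the server nonce, request method and URI, not the password itself.
    """
    def md5(s: str) -> str:
        return hashlib.md5(s.encode("utf-8")).hexdigest()

    ha1 = md5(f"{username}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def audit_request(raw_request: str, over_tls: bool) -> List[str]:
    """Findings a reviewer would raise for one captured request."""
    findings: List[str] = []
    header = authorization_header(raw_request)
    if header is None:
        return findings
    scheme = header.split(" ", 1)[0].lower()
    if scheme == "basic" and not over_tls:
        findings.append("Basic credentials over cleartext HTTP: the password "
                        "is readable by anyone who can see the traffic")
    elif scheme == "basic":
        findings.append("Basic over TLS: the password is still disclosed to "
                        "the server and to any TLS-terminating proxy")
    return findings


if __name__ == "__main__":
    hdr = authorization_header(SAMPLE_BASIC_REQUEST)
    print("as UTF-8:  ", decode_basic(hdr))
    print("as Latin-1:", decode_basic(hdr, "latin-1"))
    for finding in audit_request(SAMPLE_BASIC_REQUEST, over_tls=False):
        print("FINDING:", finding)
    # RFC 2617 section 3.5 example values: the password "Circle Of Life"
    # is never transmitted, only this response hash.
    print("Digest response:", digest_response(
        "Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
        "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
        "00000001", "0a4f113b"))
```

Decoding the same token as UTF-8 gives `pässw0rd` but as Latin-1 gives `pÃ¤ssw0rd`, which is the interoperability problem the charset parameter was later introduced to settle. The Digest function shows why "just calling a different function" changes what an observer sees: with the RFC 2617 example inputs the wire carries `6629fae49393a05397450978507c4ef1`, and replaying it is bounded by the server nonce, whereas the Basic token is the password itself in a reversible encoding.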
----- Original Message -----
From: "Michael Sokolov" <sokolov@ifactory.com>
To: "Pete Cordell" <petexmldev@codalogic.com>
Cc: "Petite Abeille" <petite.abeille@gmail.com>; "xml-dev"
<xml-dev@lists.xml.org>
Sent: Sunday, January 29, 2012 10:31 PM
Subject: Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
> It's actually pretty useful as an insecure *identification* mechanism. EG
> if you're operating inside a firewall and just want to give people a
> mechanism to say who they are, allowing for the fact someone might
> impersonate someone else, etc. Not every authentication mechanism has to
> be secure, just like not every door has to be locked - I mean do you lock
> your bathroom door? Closing it is enough; people knock and identify
> themselves.
>
> But yes, it's not good for public-facing auth, etc, and probably people
> (like you!) who don't know what it is have used it as if it were secure,
> so for that reason I agree with you, it's not the sort of standard that
> should be promulgated.
>
> -Mike
>
> On 1/29/2012 5:15 PM, Pete Cordell wrote:
>> Holy s*** you're right. Just used wireshark on some HTTP exchanges. All
>> this talk about online security and they effectively allow Base64 as an
>> 'encryption' algorithm! People should go to jail for that! Still think
>> it's a bad, bad, bad idea. SIP has deprecated it and Twitter has
>> disabled it. As I said, I'm pretty sure the IETF wouldn't accept
>> something similar to it these days.
>>
>> Pete Cordell
>> Codalogic Ltd
>> Interface XML to C++ the easy way using C++ XML
>> data binding to convert XSD schemas to C++ classes.
>> Visit http://codalogic.com/lmx/ or http://www.xml2cpp.com
>> for more info
>> ----- Original Message ----- From: "Pete Cordell"
>> <petexmldev@codalogic.com>
>> To: "Petite Abeille" <petite.abeille@gmail.com>; "xml-dev"
>> <xml-dev@lists.xml.org>
>> Sent: Sunday, January 29, 2012 9:35 PM
>> Subject: Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
>>
>>
>>> Convenient doesn't mean good though. I think it _can_ be used over TLS,
>>> but since HTTP needs to support other schemes for non-TLS I can't see
>>> the point. I don't think it would be accepted if it was introduced today.
>>>
>>> Pete Cordell
>>> Codalogic Ltd
>>> Interface XML to C++ the easy way using C++ XML
>>> data binding to convert XSD schemas to C++ classes.
>>> Visit http://codalogic.com/lmx/ or http://www.xml2cpp.com
>>> for more info
>>> ----- Original Message ----- From: "Petite Abeille"
>>> <petite.abeille@gmail.com>
>>> To: "xml-dev" <xml-dev@lists.xml.org>
>>> Sent: Sunday, January 29, 2012 8:33 PM
>>> Subject: Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
>>>
>>>
>>>
>>> On Jan 29, 2012, at 9:17 PM, Pete Cordell wrote:
>>>
>>>> My understanding is that Basic is essentially considered insecure
>>>
>>> Basic is convenient, universally supported, and meant to be used over
>>> TLS if you care about this kind of thing.
>>>
>>> _______________________________________________________________________
>>>
>>> XML-DEV is a publicly archived, unmoderated list hosted by OASIS
>>> to support XML implementation and development. To minimize
>>> spam in the archives, you must subscribe before posting.
>>>
>>> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
>>> Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
>>> subscribe: xml-dev-subscribe@lists.xml.org
>>> List archive: http://lists.xml.org/archives/xml-dev/
>>> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php