Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
- From: Richard Salz <rsalz@us.ibm.com>
- To: John Cowan <cowan@mercury.ccil.org>
- Date: Mon, 30 Jan 2012 11:37:08 -0500
> > password over the wire. It's worse because
>
> Arrgh!
See what happened -- I stopped typing to let my brain catch up, and it
never did.... :)
Digest is worse because it never spec'd anything other than MD5, although
it allowed "space" in the protocol for it. (SHA was published a
half-dozen years before.) Unless the browser serializes requests (i.e.,
one image at a time), full integrity protection with digest usually [not
always, see the last part of section 3.2.3 of RFC 2617 and sec 4.5 on
replay] doubles the number of HTTP messages. At that point, you might as
well give up and use SSL/TLS, and once you've done that, the temptation to
use basic-auth (but mom, everybody else does) is generally too great
to resist.
/r$
--
STSM, WebSphere Appliance Architect
https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/
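
An added illustration of the point in the message above, not code from the thread: the RFC 2617 request-digest with qop=auth-int (MD5 throughout), checked by a constructed toy server that honours each nonce for one request only, so a client with no reusable nonce pays a 401 challenge plus a retry every time. The class and function names, the nonce format and the cnonce value are assumptions made for the example.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth", body=b""):
    """Request-digest per RFC 2617 section 3.2.2, computed with MD5."""
    ha1 = md5_hex(f"{user}:{realm}:{password}".encode())
    a2 = f"{method}:{uri}"
    if qop == "auth-int":      # integrity protection: hash of the body goes into A2
        a2 += ":" + md5_hex(body)
    ha2 = md5_hex(a2.encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

class OneTimeNonceServer:
    """Constructed toy server: each nonce is honoured for exactly one request."""
    def __init__(self, user, realm, password):
        self.cred, self.issued, self.live = (user, realm, password), 0, None

    def handle(self, method, uri, body, auth):
        nonce, self.live = self.live, None     # any attempt consumes the live nonce
        if auth and nonce and auth["nonce"] == nonce:
            want = digest_response(*self.cred, method, uri, nonce, auth["nc"],
                                   auth["cnonce"], "auth-int", body)
            if hmac.compare_digest(auth["response"], want):
                return 200, None
        self.issued += 1
        self.live = f"nonce-{self.issued}"     # constructed and predictable, demo only
        return 401, self.live

def fetch_all(server, cred, uris, body=b""):
    """Client with no reusable nonce: returns how many requests it had to send."""
    sent = 0
    for uri in uris:
        status, nonce = server.handle("GET", uri, body, None)   # draws the challenge
        sent += 1
        auth = {"nonce": nonce, "nc": "00000001", "cnonce": "c0ffee",
                "response": digest_response(*cred, "GET", uri, nonce, "00000001",
                                            "c0ffee", "auth-int", body)}
        status, _ = server.handle("GET", uri, body, auth)       # authenticated retry
        sent += 1
        assert status == 200
    return sent
```
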