[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
- From: Tei <oscar.vives@gmail.com>
- To: xml-dev <xml-dev@lists.xml.org>
- Date: Wed, 1 Feb 2012 12:22:21 +0100
On 30 January 2012 15:44, David Lee <dlee@calldei.com> wrote:
> Were back to the problem that SSL doesn't solve the problem (today) it was
> originally intended to solve. But it happens to solve *this* problem (as
> long as you ignore the fact that both ends may be insecure - in which case
> all bets are off).
>
> But yes the crux is that Authentication in pure HTTP is either insecure or
> hard.
> That's just the way it is (as far as I know).
>
> <rant>
> This is why a particular annoyance of mine is the false-sense-of-security of
> CA signed certificates.
> If browsers didn't put up an ugly warning about how scary a self-signed
> certificate was then more people would use SSL and the internet would be
> more secure.
> But if you use plain HTTP you don't get a warning - just insecurity.
> Why is it like this ? My only guess ... "Follow the money ..." ?
>
> </rant>
>
Security conscient people seems to not like this idea, because MITM
attacks are easy with selfsigned certs.
Then recently some rogue certificates where generated, for google and
other domains. The next time you pay something with Paypal, you
could be using some mitm Iranian server, or perhaps some CIA server.
For two years USA was reading Megavideo CEO emails. So storage is
another problem (don't put your secrets on the cloud as cleartext),
have your data in non-USA service.
--
--
ℱin del ℳensaje.
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
