OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]
Re: [xml-dev] RE: Encoding charset of HTTP Basic Authentication

On 30 January 2012 15:44, David Lee <dlee@calldei.com> wrote:
> Were back to the problem that SSL doesn't solve the problem (today)  it was
> originally intended to solve.   But it happens to solve *this* problem (as
> long as you ignore the fact that both ends may be insecure - in which case
> all bets are off).
> But yes the crux is that Authentication in pure HTTP is either insecure or
> hard.
> That's just the way it is (as far as I know).
> <rant>
> This is why a particular annoyance of mine is the false-sense-of-security of
> CA signed certificates.
> If browsers didn't put up an ugly warning about how scary a self-signed
> certificate was then more people would use SSL and the internet would be
> more secure.
> But if you use plain HTTP you don't get a warning - just insecurity.
> Why is it like this ? My only guess ... "Follow the money ..." ?
> </rant>

Security conscient people seems to not like this idea, because MITM
attacks are easy with selfsigned certs.

Then recently some rogue certificates where generated, for google and
other domains.   The next time you pay something with Paypal, you
could be using some mitm Iranian server, or perhaps some CIA server.

For two years USA was reading Megavideo CEO emails. So storage is
another problem (don't put your secrets on the cloud as cleartext),
have your data in non-USA service.

ℱin del ℳensaje.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 1993-2007 XML.org. This site is hosted by OASIS