[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

RE: RE: Encoding charset of HTTP Basic Authentication

  • From: "David Lee" <dlee@calldei.com>
  • To: "'Petite Abeille'" <petite.abeille@gmail.com>, "'xml-dev'" <xml-dev@l...>
  • Date: Mon, 30 Jan 2012 09:44:27 -0500

RE:  RE: Encoding charset of HTTP Basic Authentication
Were back to the problem that SSL doesn't solve the problem (today)  it was
originally intended to solve.   But it happens to solve *this* problem (as
long as you ignore the fact that both ends may be insecure - in which case
all bets are off).

But yes the crux is that Authentication in pure HTTP is either insecure or
That's just the way it is (as far as I know).

This is why a particular annoyance of mine is the false-sense-of-security of
CA signed certificates.
If browsers didn't put up an ugly warning about how scary a self-signed
certificate was then more people would use SSL and the internet would be
more secure.
But if you use plain HTTP you don't get a warning - just insecurity.
Why is it like this ? My only guess ... "Follow the money ..." ?


David A. Lee

-----Original Message-----
From: Petite Abeille [mailto:petite.abeille@gmail.com] 
Sent: Monday, January 30, 2012 9:18 AM
To: xml-dev
Subject: Re:  RE: Encoding charset of HTTP Basic Authentication

On Jan 30, 2012, at 2:52 PM, Pete Cordell wrote:

> A quick question before I do though, does Digest require the server to
have access to the password in clear text form, whereas Basic allows the
server to store the password in some hashed form?

That's the crux of it: digest is not worth the complications IMO.

If you care about the integrity of the transport channel, use TLS.

If you use TLS, basic is all what you need.


XML-DEV is a publicly archived, unmoderated list hosted by OASIS
to support XML implementation and development. To minimize
spam in the archives, you must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
subscribe: xml-dev-subscribe@lists.xml.org
List archive: http://lists.xml.org/archives/xml-dev/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]


Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
First Name
Last Name
Subscribe in XML format
RSS 2.0
Atom 0.3

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.

Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.