XML-DEV Mailing List Archive: Re: RE: Encoding charset of HTTP Basic Authentication
Original Message From: "Michael Sokolov"

(I've flipped the order of Michael's reply to make the more important comment first.)

> But yes, it's not good for public-facing auth, etc, and probably people
> (like you!) who don't know what it is have used it as if it were secure,
> so for that reason I agree with you, it's not the sort of standard that
> should be promulgated.

I think that's the rub. We all know that passwords should be kept secret, and for a mechanism whose primary purpose is to exchange passwords it surely has a duty of care to help maintain that secrecy. Sending passwords over the Internet in the clear seems no more acceptable than storing passwords in a file in plain text. No serious system would do the latter, so I think it's only reasonable that we should object when systems do the former. "We never said it was secure" is not an acceptable defence IMHO.

> It's actually pretty useful as an insecure *identification* mechanism. EG
> if you're operating inside a firewall and just want to give people a
> mechanism to say who they are, allowing for the fact someone might
> impersonate someone else, etc. Not every authentication mechanism has to
> be secure, just like not every door has to be locked - I mean do you lock
> your bathroom door? Closing it is enough; people knock and identify
> themselves.

True, but it doesn't seem so much harder to always use Digest. Surely it's just calling a different function for most people? (Digest may have its weaknesses too, but that's a reason for making a stronger scheme rather than giving up completely.)

I feel a bit like a disgruntled customer who's found his product doesn't do what he thought it did based on the shining ads, and who on ringing into a help line is told that I should have read the small print on page 215 :-)

Pete Cordell
Codalogic Ltd
Interface XML to C++ the easy way using C++ XML
data binding to convert XSD schemas to C++ classes.
Visit http://codalogic.com/lmx/ or http://www.xml2cpp.com for more info

----- Original Message -----
From: "Michael Sokolov" <sokolov@ifactory.com>
To: "Pete Cordell" <petexmldev@codalogic.com>
Cc: "Petite Abeille" <petite.abeille@gmail.com>; "xml-dev" <xml-dev@lists.xml.org>
Sent: Sunday, January 29, 2012 10:31 PM
Subject: Re: RE: Encoding charset of HTTP Basic Authentication

> It's actually pretty useful as an insecure *identification* mechanism. EG
> if you're operating inside a firewall and just want to give people a
> mechanism to say who they are, allowing for the fact someone might
> impersonate someone else, etc. Not every authentication mechanism has to
> be secure, just like not every door has to be locked - I mean do you lock
> your bathroom door? Closing it is enough; people knock and identify
> themselves.
>
> But yes, it's not good for public-facing auth, etc, and probably people
> (like you!) who don't know what it is have used it as if it were secure,
> so for that reason I agree with you, it's not the sort of standard that
> should be promulgated.
>
> -Mike
>
> On 1/29/2012 5:15 PM, Pete Cordell wrote:
>> Holy s*** you're right. Just used wireshark on some HTTP exchanges. All
>> this talk about online security and they effectively allow Base64 as an
>> 'encryption' algorithm! People should go to jail for that! Still think
>> it's a bad, bad, bad idea. SIP has deprecated it and Twitter has
>> disabled it. As I said, I'm pretty sure the IETF wouldn't accept
>> something similar to it these days.
>>
>> Pete Cordell
>>
>> ----- Original Message -----
>> From: "Pete Cordell" <petexmldev@codalogic.com>
>> To: "Petite Abeille" <petite.abeille@gmail.com>; "xml-dev" <xml-dev@lists.xml.org>
>> Sent: Sunday, January 29, 2012 9:35 PM
>> Subject: Re: RE: Encoding charset of HTTP Basic Authentication
>>
>>> Convenient doesn't mean good though. I think it _can_ be used over TLS,
>>> but since HTTP needs to support other schemes for non-TLS I can't see
>>> the point. I don't think it would be accepted if it was introduced today.
>>>
>>> Pete Cordell
>>>
>>> ----- Original Message -----
>>> From: "Petite Abeille" <petite.abeille@gmail.com>
>>> To: "xml-dev" <xml-dev@lists.xml.org>
>>> Sent: Sunday, January 29, 2012 8:33 PM
>>> Subject: Re: RE: Encoding charset of HTTP Basic Authentication
>>>
>>> On Jan 29, 2012, at 9:17 PM, Pete Cordell wrote:
>>>
>>>> My understanding is that Basic is essentially considered insecure
>>>
>>> Basic is convenient, universally supported, and meant to be used over
>>> TLS if you care about this kind of things.
>>>
>>> _______________________________________________________________________
>>>
>>> XML-DEV is a publicly archived, unmoderated list hosted by OASIS
>>> to support XML implementation and development. To minimize
>>> spam in the archives, you must subscribe before posting.
>>>
>>> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
>>> Or unsubscribe: xml-dev-unsubscribe@lists.xml.org
>>> subscribe: xml-dev-subscribe@lists.xml.org
>>> List archive: http://lists.xml.org/archives/xml-dev/
>>> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
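Added example, not from the thread: it builds the two Authorization headers the thread contrasts, showing that a Basic header decodes straight back to the password (base64 is an encoding, not encryption) while an RFC 2617 Digest header carries only hashes. User name, password, realm, nonce and cnonce values are constructed for the demonstration.

```python
"""Basic vs Digest: what actually travels in the HTTP Authorization header."""
import base64
import hashlib

# Constructed sample challenge values (assumptions for this example, not from the thread).
REALM = "example"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE, NC = "0a4f113b", "00000001"


def basic_header(user, password):
    """RFC 2617 Basic: the header is nothing more than base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header):
    """Anything that sees a Basic header in the clear recovers the password directly."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, password, method, uri, realm=REALM, nonce=NONCE):
    """RFC 2617 Digest with qop=auth: the password is hashed into HA1 and never sent."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{NC}:{CNONCE}:auth:{ha2}")


def digest_header(user, password, method="GET", uri="/private"):
    resp = digest_response(user, password, method, uri)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", uri="{uri}", '
            f'qop=auth, nc={NC}, cnonce="{CNONCE}", response="{resp}"')


def password_visible(header, password):
    """True if the password can be read out of the header by a passive observer."""
    if header.startswith("Basic "):
        return decode_basic(header)[1] == password
    return password in header


if __name__ == "__main__":
    basic, digest = basic_header("alice", "s3cret"), digest_header("alice", "s3cret")
    print(basic, "->", decode_basic(basic))
    print(digest)
    print("Basic exposes password:", password_visible(basic, "s3cret"))
    print("Digest exposes password:", password_visible(digest, "s3cret"))
```

The Digest response here uses MD5 as the RFC specifies, which is the weakness the thread alludes to; the point shown is only that the password itself never leaves the client.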