[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: RE: Encoding charset of HTTP Basic Authentication

• From: Richard Salz <rsalz@us.ibm.com>
• To: John Cowan <cowan@mercury.ccil.org>
• Date: Mon, 30 Jan 2012 11:37:08 -0500

> > password over the wire. It's worse because 
> 
> Arrgh!

See what happened -- I stopped typing to let my brain catch up, and it 
never did.... :)

Digest is worse because it never spec'd anything other than MD5, although 
it allowed "space" in the protocol for it.  (SHA was published a 
half-dozen years before.)  Unless the browser serializes requests (i.e., 
one image at a time), full integrity protection with digest usually [not 
always, see the last part of section 3.2.3 of RFC 2617 and sec 4.5 on 
replay] doubles the number of HTTP messages.  At that point, you might as 
well give up and use SSL/TLS, and once you've done that, the temptation to 
use basic-auth (but mom, everybody else does) is too generally too great 
to resist.

        /r$

--
STSM, WebSphere Appliance Architect
https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/

• References:
  • RE: Encoding charset of HTTP Basic Authentication
    • From: "David Lee" <dlee@calldei.com>
  • Re: RE: Encoding charset of HTTP Basic Authentication
    • From: "Pete Cordell" <petexmldev@codalogic.com>
  • Re: RE: Encoding charset of HTTP Basic Authentication
    • From: Richard Salz <rsalz@us.ibm.com>
  • Re: RE: Encoding charset of HTTP Basic Authentication
    • From: John Cowan <cowan@mercury.ccil.org>