
RE: Logout

From: Joris Dobbelsteen <joris.dobbelsteen@mail.com>
Date: Mon, 8 Jan 2001 19:03:32 +0100
To: "'Scott Lawrence'" <slawrence@virata.com>
Cc: "WWW WG (E-mail)" <http-wg@cuckoo.hpl.hp.com>
Message-ID: <000701c0799d$508b32a0$01ff1fac@Joris2K.local>
>-----Original Message-----
>From: Scott Lawrence [mailto:slawrence@virata.com]
>Sent: Monday, 8 January 2001 18:33
>To: Joris Dobbelsteen
>Cc: WWW WG (E-mail)
>Subject: Re: Logout
>
>
>Joris Dobbelsteen wrote:
>
>
>> Basic is completely insecure. Digest has some security hazards:
>> Server sends a 'key' to use with hashing. When the same 'key' is used,
>> the hashed password captured can be reused.
>> Also, digest authentication (and basic authentication) doesn't provide
>> data integrity.
>
>Actually, the Digest spec provides a content integrity mechanism 
>(qop=auth-int).  It does not protect most of the header information 
>(because of compatibility problems with proxies), but does protect 
>and authenticate the message body by including a hash of the message 
>body as an input to the response hash.
>
Wasn't aware of the hash of the message body being included.

>As for alternative schemes that provide better security without 
>SSL/TLS, there was a very good spec "The Secure HyperText Transfer 
>Protocol" that just didn't get any traction with implementors:
>
>http://www.ietf.org/rfc/rfc2660.txt
>
>
I will read RFC2660....


- Joris
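As an added illustration of the two points discussed above (not part of the original thread): the RFC 2617 response computation for qop=auth versus qop=auth-int, plus a server-side check that rejects a reused nonce/nonce-count pair. All usernames, realm, nonce and body values are constructed for the example.

```python
import hashlib
import hmac

def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop, body=b""):
    """RFC 2617 response value. With qop=auth-int, HA2 also covers
    MD5(entity-body), so the body is bound to the credential; with
    qop=auth the body is not covered at all."""
    ha1 = _md5(f"{username}:{realm}:{password}".encode())
    if qop == "auth-int":
        ha2 = _md5(f"{method}:{uri}:{_md5(body)}".encode())
    else:
        ha2 = _md5(f"{method}:{uri}".encode())
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())

def server_accepts(stored_password, hdr, method, body, seen_nonces):
    """Server-side check: recompute the response from the stored password
    and the body as actually received, refuse a (nonce, nc) pair that was
    already accepted, and compare the hashes in constant time."""
    key = (hdr["nonce"], hdr["nc"])
    if key in seen_nonces:            # same 'key' reused: treat as replay
        return False
    expected = digest_response(hdr["username"], hdr["realm"], stored_password,
                               method, hdr["uri"], hdr["nonce"], hdr["nc"],
                               hdr["cnonce"], hdr["qop"], body)
    if not hmac.compare_digest(expected, hdr["response"]):
        return False
    seen_nonces.add(key)
    return True

# Constructed sample values (not taken from any real exchange).
USER, REALM, PASSWORD = "joris", "example.org", "constructed-secret"
URI, NONCE, CNONCE = "/account/logout", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"

def scenario(qop):
    """Client signs a POST body once. The server then sees the genuine
    request, the same header with a different body, and the genuine
    request a second time. Returns (genuine_ok, altered_body_ok, replay_ok)."""
    body = b"action=logout"
    hdr = {"username": USER, "realm": REALM, "uri": URI, "nonce": NONCE,
           "nc": "00000001", "cnonce": CNONCE, "qop": qop}
    hdr["response"] = digest_response(USER, REALM, PASSWORD, "POST", URI,
                                      NONCE, "00000001", CNONCE, qop, body)
    seen = set()
    genuine = server_accepts(PASSWORD, hdr, "POST", body, seen)
    altered = server_accepts(PASSWORD, hdr, "POST", b"action=delete", set())
    replay = server_accepts(PASSWORD, hdr, "POST", body, seen)
    return genuine, altered, replay
```

With qop=auth the altered body is accepted, because the body is not an input to the hash; with qop=auth-int it is rejected, and the nonce-count bookkeeping catches the replay in both cases.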


Received on Monday, 8 January 2001 18:08:46 EST
