W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2006

Re: security requirements (was: Updating RFC 2617 (HTTP Digest) to use UTF-8)

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Sat, 04 Nov 2006 23:15:19 +0100
To: ietf-http-wg@w3.org
Message-Id: <1162678519.11880.260.camel@henriknordstrom.net>
lör 2006-11-04 klockan 12:44 -0800 skrev David Morris:

> Yes, it takes an extra set of round trips as the server can't reject
> the request out of hand. In terms of %age of total http network traffic,
> it will be lost in the noise.

Actually it doesn't even add an extra round trip as the client is
supposed to handle the situation where it does not understand any of the
challenges gracefully and inform the user that it's not capable to
access the resource. Unfortunately many client implementations is broken
and falls back on Basic under such conditions but that is another story
entirely not related to HTTP/1.1 but simply implementation bugs.

Regarding the specs they already say

  "Servers should only include Basic if it is minimally acceptable."

and

  "The user agent MUST choose to use one of the challenges with the
strongest auth-scheme it understands".

and

  "Because Basic authentication involves the cleartext transmission of
   passwords it SHOULD NOT be used (without enhancements) to protect
   sensitive or valuable information."

all quotes from RFC2617 btw.

Regards
Henrik

Received on Saturday, 4 November 2006 22:15:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:53 GMT