Re: I-D Action:draft-ietf-httpbis-security-properties-01.txt

From: Robert Siemer <Robert.Siemer-httpwg@backsla.sh>
Date: Sat, 15 Mar 2008 22:15:16 +0100
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: ietf-http-wg@w3.org
Message-ID: <20080315211516.GD6984@polar.elf12.net>

On Thu, Mar 13, 2008 at 11:09:03PM -0400, Stephane Bortzmeyer wrote:

> TLS, besides its use for client and/or server authentication, is also
> very commonly used to protect the confidentiality and integrity of the
> HTTP session. For instance, both HTTP Basic authentication and Cookies
> are often protected against snooping by TLS.
> 
> It should be noted that, in that case, TLS does not protect against a
> breach of the credential store at the server or against a keylogger or
> phishing interface at the client. TLS does not change the fact that
> Basic Authentication passwords are reusable and does not address that
> weakness.
> 

TLS does not address the security of the client certificate either
(which can be stolen/copied from the client and is reusable...). But yes,
there are better means to avoid that compared to passwords only (e.g.
chipcards).


Robert
Received on Saturday, 15 March 2008 21:14:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:37 GMT