On Thu, Mar 13, 2008 at 11:09:03PM -0400, Stephane Bortzmeyer wrote:
> TLS, besides its use for client and/or server authentication, is also
> very commonly used to protect the confidentiality and integrity of the
> HTTP session. For instance, both HTTP Basic authentication and Cookies
> are often protected against snooping by TLS.
>
> It should be noted that, in that case, TLS does not protect against a
> breach of the credential store at the server or against a keylogger or
> phishing interface at the client. TLS does not change the fact that
> Basic Authentication passwords are reusable and does not address that
> weakness.
>

TLS does not address the security of the client certificate either
(which can be stolen/copied from the client and is reusable...).
But yes, there are better means to avoid that compared to passwords
only (e.g. chipcards).

Robert

Received on Saturday, 15 March 2008 21:14:36 GMT