- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 23 Feb 2001 00:48:45 +0100
- To: pdf@bizfon.com
- Cc: www-html@w3.org

* pdf@bizfon.com wrote:
>If I wanted to create an application that required a user to log in with a
>username and a password, using a password field on the page is not all that
>secure. As written in the HTML specs:
>Note. Application designers should note that this mechanism affords only light
>security protection. Although the password is masked by user agents from casual
>observers, it is transmitted to the server in clear text, and may be read by
>anyone with low-level access to the network.
>
>Are there any features of HTML that will allow me to transmit sensitive data
>from the client to the server in a more secure way? Does SSL solve this

Yes, SSL or TLS encrypts the whole HTTP transmission. The most secure
method will be

* XHTML document with XForms Form for Username and Password,
* TLS 1.0 secured connection for an HTTP Request using
* HTTP Digest Authentication

Using HTTP Basic Authentication is a little more secure than using HTML
Forms and HTTP GET/POST requests without any HTTP Authentication
mechanism; maybe you should consider using it. This isn't really an HTML
issue...
--
Björn Höhrmann ^ mailto:bjoern@hoehrmann.de ^ http://www.bjoernsworld.de
am Badedeich 7 ° Telefon: +49(0)4667/981028 ° http://bjoern.hoehrmann.de
25899 Dagebüll # PGP Pub. KeyID: 0xA4357E78 # http://learn.to/quote [!]e
--++~ life is just another dream ~++--
Received on Thursday, 22 February 2001 18:47:52 UTC
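
An added example, not part of the original message: what the two HTTP authentication schemes named in the reply put in the Authorization header. The credentials and nonces are the sample values published in RFC 2617, not anything from this thread, and the function names are made up for the illustration.

```python
import base64
import hashlib

# Sample values published in RFC 2617 section 3.5 (not from the message above).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
METHOD, URI = "GET", "/dir/index.html"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Basic: the credentials are only base64-encoded, not protected."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_from_basic(header):
    """What any reader of an unencrypted request can do with a Basic header."""
    scheme, token = header.split(" ", 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest with qop=auth: only a nonce-bound MD5 hash is sent."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # secret part, never transmitted
    ha2 = md5_hex(f"{method}:{uri}")              # binds the hash to this request
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header():
    resp = digest_response(USER, REALM, PASSWORD, METHOD, URI, NONCE, NC, CNONCE)
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{URI}", qop=auth, nc={NC}, cnonce="{CNONCE}", response="{resp}"')


if __name__ == "__main__":
    basic = basic_header(USER, PASSWORD)
    print(basic, "->", recover_from_basic(basic))
    print(digest_header())
```

Neither header encrypts the rest of the request or the response; that part is what the TLS connection in the list above provides.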