
Re: Transmitting secure data

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 23 Feb 2001 00:48:45 +0100
To: pdf@bizfon.com
Cc: www-html@w3.org
Message-ID: <t19b9t8gb8c0gslgaa1ke28bck1dat72fh@4ax.com>

* pdf@bizfon.com wrote:
>If I wanted to create an application that required a user to log in with a
>username and a password, using a password field on the page is not all that
>secure.  As written in the HTML specs:
>Note. Application designers should note that this mechanism affords only light
>security protection. Although the password is masked by user agents from casual
>observers, it is transmitted to the server in clear text, and may be read by
>anyone with low-level access to the network.
>
>Are there any features of HTML that will allow me to transmit sensitive data
>from the client to the server in a more secure way?  Does SSL solve this

Yes, SSL or TLS encrypt the whole HTTP transmission. The most secure
method will be

  * XHTML document with XForms Form for Username and Password,
  * TLS 1.0 secured connection for an HTTP Request using
  * HTTP Digest Authentication

Using HTTP Basic Authentication is a little more secure than using HTML
Forms and HTTP GET/POST requests without any HTTP Authentication
mechanism; maybe you should consider using it. This isn't really an HTML
issue...
-- 
Björn Höhrmann ^ mailto:bjoern@hoehrmann.de ^ http://www.bjoernsworld.de
am Badedeich 7 ° Telefon: +49(0)4667/981028 ° http://bjoern.hoehrmann.de
25899 Dagebüll # PGP Pub. KeyID: 0xA4357E78 # http://learn.to/quote [!]e
                 --++~ life is just another dream ~++--                 
Received on Thursday, 22 February 2001 18:47:52 GMT
