- From: Joris Dobbelsteen <joris.dobbelsteen@mail.com>
- Date: Mon, 8 Jan 2001 19:03:32 +0100
- To: 'Scott Lawrence' <slawrence@virata.com>
- Cc: "WWW WG (E-mail)" <http-wg@cuckoo.hpl.hp.com>
Received on Monday, 8 January 2001 10:10:07 UTC
>-----Original Message-----
>From: Scott Lawrence [mailto:slawrence@virata.com]
>Sent: Monday, 8 January 2001 18:33
>To: Joris Dobbelsteen
>Cc: WWW WG (E-mail)
>Subject: Re: Logout
>
>
>Joris Dobbelsteen wrote:
>
>
>> Basic is completely insecure. Digest has some security hazards:
>> Server sends a 'key' to use with hashing. When the same 'key' is used,
>> the hashed password captured can be reused.
>> Also, neither digest authentication nor basic authentication provides
>> data integrity.
>
>Actually, the Digest spec provides a content integrity mechanism
>(qop=auth-int). It does not protect most of the header information
>(because of compatibility problems with proxies), but does protect
>and authenticate the message body by including a hash of the message
>body as an input to the response hash.
>

I wasn't aware of the hash of the message body being included.

>As for alternative schemes that provide better security without
>SSL/TLS, there was a very good spec "The Secure HyperText Transfer
>Protocol" that just didn't get any traction with implementors:
>
>http://www.ietf.org/rfc/rfc2660.txt
>

I will read RFC2660....

- Joris
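The two points argued in the message above, that qop=auth-int folds a hash of the entity body into the Digest response and that a server reusing the same nonce lets a captured response be replayed, can be seen directly by computing the RFC 2617 request-digest. The following is an added example written for this archive page, not code from either correspondent; the username, realm, password, nonce and cnonce are the sample values from RFC 2617 section 3.5, the DigestVerifier class, the /pay URI and the request bodies are constructed for illustration.

```python
"""RFC 2617 Digest response computation plus a minimal server-side check.

Added example for this thread (not the correspondents' code). It shows:
  * under qop=auth the body is not covered, under qop=auth-int it is;
  * a server that does not track (nonce, nc) accepts a replayed response.
"""
import hashlib
import hmac


def H(data: bytes) -> str:
    """Unkeyed MD5, hex encoded, as RFC 2617 defines H()."""
    return hashlib.md5(data).hexdigest()


def KD(secret: str, data: str) -> str:
    """Keyed digest KD(secret, data) = H(secret ":" data)."""
    return H(f"{secret}:{data}".encode())


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) with A1 = username:realm:password.
    A server may store this value instead of the cleartext password."""
    return H(f"{username}:{realm}:{password}".encode())


def ha2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    """H(A2). For qop=auth-int the entity-body hash is part of A2,
    which is what binds the body to the response."""
    if qop == "auth-int":
        return H(f"{method}:{uri}:{H(body)}".encode())
    return H(f"{method}:{uri}".encode())


def digest_response(h_a1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str, body: bytes = b"") -> str:
    """request-digest = KD(H(A1), nonce:nc:cnonce:qop:H(A2))."""
    return KD(h_a1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri, qop, body)}")


class DigestVerifier:
    """Hypothetical server-side verifier: recompute the response from the
    stored H(A1) and refuse a (nonce, nc) pair that was already accepted."""

    def __init__(self, stored_ha1: dict):
        self.stored_ha1 = stored_ha1   # {username: H(A1)}
        self.seen = set()              # accepted (nonce, nc) pairs

    def verify(self, username, method, uri, nonce, nc, cnonce, qop,
               response, body: bytes = b"") -> bool:
        h_a1 = self.stored_ha1.get(username)
        if h_a1 is None:
            return False
        expected = digest_response(h_a1, method, uri, nonce, nc, cnonce, qop, body)
        if not hmac.compare_digest(expected, response):
            return False            # wrong password or tampered body
        if (nonce, nc) in self.seen:
            return False            # replay of a captured response
        self.seen.add((nonce, nc))
        return True


def demo() -> dict:
    # Sample credentials and nonces from RFC 2617 section 3.5.
    user, realm, pw = "Mufasa", "testrealm@host.com", "Circle Of Life"
    nonce, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
    h = ha1(user, realm, pw)
    v = DigestVerifier({user: h})

    # qop=auth: genuine request, then the same response presented again.
    r_auth = digest_response(h, "GET", "/dir/index.html", nonce, "00000001", cnonce, "auth")
    first = v.verify(user, "GET", "/dir/index.html", nonce, "00000001", cnonce, "auth", r_auth)
    replay = v.verify(user, "GET", "/dir/index.html", nonce, "00000001", cnonce, "auth", r_auth)

    # qop=auth-int: the response was computed over one body (constructed
    # values); presenting it with a different body fails verification.
    body = b"amount=10"
    r_int = digest_response(h, "POST", "/pay", nonce, "00000002", cnonce, "auth-int", body)
    tampered = v.verify(user, "POST", "/pay", nonce, "00000002", cnonce, "auth-int",
                        r_int, body=b"amount=99")
    genuine = v.verify(user, "POST", "/pay", nonce, "00000002", cnonce, "auth-int",
                       r_int, body=body)
    return {"rfc_vector": r_auth, "first": first, "replay": replay,
            "tampered": tampered, "genuine": genuine}


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

Under qop=auth the body is simply absent from A2, so two requests with different bodies produce the same response; under qop=auth-int a changed body changes H(A2) and the verification fails. The replay check relies on the server remembering nonce-count values per nonce, which is what makes a reused nonce safe; without it the first and second presentation of r_auth are indistinguishable.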