- From: Brian Behlendorf <brian@wired.com>
- Date: Mon, 9 Jan 1995 12:24:07 -0800 (PST)
- To: "Daniel W. Connolly" <connolly@hal.com>
- Cc: www-talk@info.cern.ch, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Mon, 9 Jan 1995, Daniel W. Connolly wrote:

> Why is this nifty proposal tucked away in a corner? Why didn't I hear
> about it before now? I thought I was pretty tuned in to this sort of
> thing...

Eric from Spyglass posted to www-talk a proposal for using MD5 encryption in a system like this a few weeks ago - it looked solid, and I'm waiting for a server and a browser to implement it (WN and Arena maybe?) so I can set it up for HotWired.

> The reason I believed this was that real security is too expensive to
> develop to give away (and it almost always requires a license of some
> kind...).

Only until 1997! :)

> This message is a call to eliminate passwords-in-the-clear from HTTP.
> This means the browser developers should implement something like the
> spyglass proposal (it looks like a few hours more work to upgrade to
> this from the existing basic auth. scheme), and subscription-based
> information providers should _strongly_ encourage their user base to
> upgrade. Something like:
>
> "Please upgrade to a browser that doesn't send passwords in
> the clear (such as... links to recommended browsers.). In 6
> months, we will not be accepting Basic authentication."

From a quick glance at the list of browsers used on our site, less than 2% are more than 4 months behind the current rev of their browser, so I don't see that as a huge issue.

However, the above statement implies that a server can negotiate which type of authentication can be used:

S: Here's a challenge. Encrypt it.
C: Huh?
S: Oh, never mind. Send me your uuencoded password.
C: Okay, here goes....

...which doesn't seem to be in the specs anywhere. I'd prefer not to have two separate URLs for different authentication schemes, though I could hack around that by keeping around a list of browsers implementing challenge-response.

Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com brian@hyperreal.com http://www.hotwired.com/Staff/brian/
Received on Monday, 9 January 1995 12:36:23 UTC
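An added illustration, not part of the message or of the Spyglass proposal: it shows why the "uuencoded password" of Basic authentication is recoverable by anyone who sees the request, sketches a simplified nonce/MD5 challenge-response (a stand-in for the scheme the message asks for, not its actual wire format), and models the S:/C: negotiation where a client that does not understand the challenge falls back to Basic. All header strings, function names and the sample credential are constructed for the example.

```python
import base64
import hashlib
import secrets


def decode_basic(authorization_header: str) -> tuple[str, str]:
    """Recover user and password from a captured Basic header.
    base64 ("uuencoding" in the message) is an encoding, not encryption,
    so anyone observing the request gets the password back verbatim."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authentication header")
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    return user, password


def server_challenge() -> str:
    """Server side: issue a fresh, unpredictable nonce for each challenge."""
    return secrets.token_hex(16)


def client_response(nonce: str, user: str, password: str) -> str:
    """Client side (simplified, illustrative format): prove knowledge of the
    password by hashing it with the nonce, so the password itself never
    crosses the wire."""
    return hashlib.md5(f"{user}:{nonce}:{password}".encode()).hexdigest()


def server_verify(nonce: str, user: str, response: str, stored_password: str) -> bool:
    """Server side: recompute the expected response for the nonce it issued.
    A response captured for one nonce does not verify against another, which
    is what a fresh nonce per challenge buys over a static secret."""
    expected = client_response(nonce, user, stored_password)
    return secrets.compare_digest(expected, response)


def negotiate(supports_challenge: bool, nonce: str, user: str, password: str) -> str:
    """The S:/C: dialogue from the message: the server offers a challenge
    first and only falls back to Basic for a client that cannot answer it."""
    if supports_challenge:
        return "Challenge " + client_response(nonce, user, password)
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```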