Re: No More Passwords In The Clear in HTTP!

On Mon, 9 Jan 1995, Daniel W. Connolly wrote:
> Why is this nifty proposal tucked away in a corner? Why didn't I hear
> about it before now? I thought I was pretty tuned in to this sort of
> thing...

Eric from Spyglass posted to www-talk a proposal for using MD5 encryption 
in a system like this a few weeks ago - it looked solid, and I'm waiting 
for a server and a browser to implement it (WN and Arena maybe?) so I can 
set it up for HotWired.

> The reason I believed this was that real security is to expensive to
> develop to give away (and it almost always requires a license of some
> kind...).

Only until 1997!  :)

> This message is a call to eliminate passwords-in-the-clear from HTTP.
> This means the browser developers should implement something like the
> spyglass proposal (it looks like a few hours more work to upgrade to
> this from the existing basic auth. scheme), and subscription-based
> information providers should _strongly_ encourage their user base to
> upgrade. Something like:
> 	"Please upgrade to a browser that doesn't send passwords in
> 	the clear (such as... links to recommended browsers.). In 6
> 	months, we will not be accepting Basic authentication."

>From a quick glance at the list of browsers used on our site, less than 
%2 are more than 4 months behind the current rev of their browser, so I 
don't see that as a huge issue.  However the above statement implies that a 
server can negotiate which type of authentication can be used:

S: Here's a challenge.  Encrypt it.
C: Huh?  
S: oh, nevermind.  Send me your uuencoded password.
C: okay, here goes....

...which doesn't seem to be in the specs anywhere.  I'd prefer not to 
have two separate URL's for different authentication schemes, though I 
could hack around that by keeping around a list of browsers implementing 



Received on Monday, 9 January 1995 12:36:23 UTC