- From: Fisher Mark <FisherM@is3.indy.tce.com>
- Date: Tue, 27 Aug 96 13:09:00 PDT
- To: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Phillip Hallam-Baker writes in <9608271501.AA01051@vesuvius.ai.mit.edu>:

> Dave Morris describes HTTP application 99.9% certain to be on single
> machine...
>
>
> I don't think that this is a convincing argument. The concern is
> to stop the password in the clear problem ASAP. There has been
> remarkably little progress on the part of the vendors here and
> a SHOULD is not going to improve progress

Undoubtedly, there will be a very small minority of applications where passwords in the clear are not a serious problem. But this is such a small fraction of the HTTP applications as to be negligible.

In my experience, applications have long lives with tortuous paths from their start point to their end -- witness the 1401 Autocoder payroll system I knew of running 10 or so years after IBM discontinued making the 1401. Dave, IMHO it is dangerous to assume that this application will forever and ever not be subject to someone, somewhere, wanting to break security on it -- if not on its current platform, then on the next platform, or the next... If the data is worth protecting, it is likely that the data security is worth cracking.

If an HTTP 1.1 server supports Basic, it MUST support Digest. This is the only way to eventually eliminate passwords in the clear.

======================================================================
Mark Leighton Fisher                    Thomson Consumer Electronics
fisherm@indy.tce.com                    Indianapolis, IN
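The "password in the clear" point the message turns on, shown as an added example that is not part of the original post or of any working-group draft: what a passive observer on the wire recovers from a Basic Authorization header versus a Digest one, and how the server verifies each. The Digest arithmetic follows RFC 2069, the form of the scheme current at the time (no qop, nc or cnonce); the user, realm, nonce and URI are constructed sample values.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample values for one hypothetical user (not from the message).
USERNAME = "mufasa"
PASSWORD = "Circle Of Life"
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD, URI = "GET", "/dir/index.html"


def basic_header(username, password):
    """Build the Basic Authorization header: base64 of 'user:password'."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def credentials_from_basic(header):
    """What a passive observer recovers from a Basic header: the username and
    password verbatim, because base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2069 Digest response: MD5(HA1:nonce:HA2), where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_header(username, realm, password, method, uri, nonce):
    """Build the Digest Authorization header a client sends; the password
    itself never appears, only the response hash and the public fields."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')


def parse_digest(header):
    """Split a Digest header into its quoted key="value" fields."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def verify_digest(header, method, password_store, issued_nonce):
    """Server-side check: recompute the response from the stored password and
    compare in constant time; the nonce must be one the server issued."""
    p = parse_digest(header)
    if p.get("nonce") != issued_nonce or p.get("username") not in password_store:
        return False
    expected = digest_response(p["username"], p["realm"],
                               password_store[p["username"]],
                               method, p["uri"], issued_nonce)
    return hmac.compare_digest(expected, p.get("response", ""))


def password_visible(header, password):
    """Can an observer read the password straight out of this header?"""
    if header.startswith("Basic "):
        return credentials_from_basic(header)[1] == password
    return password in header


if __name__ == "__main__":
    b = basic_header(USERNAME, PASSWORD)
    d = digest_header(USERNAME, REALM, PASSWORD, METHOD, URI, NONCE)
    print("Basic  ->", credentials_from_basic(b))
    print("Digest ->", parse_digest(d))
    print("password visible: basic =", password_visible(b, PASSWORD),
          "digest =", password_visible(d, PASSWORD))
    print("server accepts digest:", verify_digest(d, METHOD, {USERNAME: PASSWORD}, NONCE))
```

The observer still sees the username and can attempt offline guessing against the MD5 response, and the server must keep the plaintext password (or the HA1 value) to verify it, which is why Digest was later displaced in practice by Basic carried over TLS. The property the example isolates is the one the message argues from: with Basic the credential is one decode away for anyone on the path, with Digest the password string never leaves the client.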
Received on Tuesday, 27 August 1996 11:20:18 UTC