- From: nemo/Joel N. Weber II <devnull@gnu.ai.mit.edu>
- Date: Mon, 14 Apr 1997 23:29:05 -0400 (EDT)
- To: lawrence@agranat.com
- Cc: http-wg@cuckoo.hpl.hp.com

> Date: Mon, 14 Apr 1997 21:08:31 -0400
> From: "Scott Lawrence" <lawrence@agranat.com>
>
> For those who missed the IAB report on security issues, the first thing on their list of 'things to be killed asap' was 'sending passwords in clear'. I believe that Basic authentication falls in this category. I'd like to extend the question to other browser vendors.

Project GNU doesn't exactly count as a `vendor'; nor am I really an official representative. However, we internally use very little security, and 99.9% of the time that works fine. The fact that my passwords get sent cleartext across the net doesn't really bother me. It's true that I wouldn't send credit card information cleartext; but most information I have stored in my accounts isn't really that important to me. I'm not paranoid about protecting it anyway.

As a practical matter, it's a huge inconvenience to me when I'm not root. Many other contributors to GNU feel that way, and I think that has something to do with our decisions to configure our machines in a less than paranoid way.

GNU doesn't really have any competitors per se. It's true that the NetBSD people tend to reimplement everything GNU does in order to remove restrictions related to proprietary derivatives; and it's true that those who write proprietary software are competitors in a way. But I would be quite happy if Netscape or Microsoft decided to use some of the code from E-scape, as long as they follow the conditions of the GNU General Public License.

Another thing: I hate firewalls. It's ridiculous spending hours to get a workstation to print, just because the printer is behind a firewall, and the workstation is outside. Especially when there aren't any other machines running any IP server software behind that firewall.

However, having said that, if someone adds additional capabilities to my browser, and it's clear that there are no legal problems, I'll be happy to merge password encryption code. (And it will only take one competent user living in the right country to get those capabilities.)

However, much as the basic authentication scheme has problems, doesn't SSL solve all those problems?

Received on Monday, 14 April 1997 20:30:57 UTC