RE: Logout

>-----Original Message-----
>From: Scott Lawrence []
>Sent: Monday, 8 January 2001 18:33
>To: Joris Dobbelsteen
>Cc: WWW WG (E-mail)
>Subject: Re: Logout
>Joris Dobbelsteen wrote:
>> Basic is completely insecure. Digest has some security hazards:
>> Server sends a 'key' to use with hashing. When the same 'key' is used,
>> the hashed password captured can be reused.
>> Also, neither digest authentication nor basic authentication provides
>> data integrity.
>Actually, the Digest spec provides a content integrity mechanism 
>(qop=auth-int).  It does not protect most of the header information 
>(because of compatibility problems with proxies), but does protect 
>and authenticate the message body by including a hash of the message 
>body as an input to the response hash.
Wasn't aware of the hash of the message body being included.

>As for alternative schemes that provide better security without 
>SSL/TLS, there was a very good spec "The Secure HyperText Transfer 
>Protocol" that just didn't get any traction with implementors:
I will read RFC2660....

- Joris
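The two points above (the body hash that qop=auth-int feeds into the response, and the replay that nonce reuse allows) can be checked concretely. The following is an added example written for this thread, not code from either participant; it implements the RFC 2617 response computation with MD5, a server-side verifier that recomputes the response over the body it actually received, and a nonce-count replay check that goes slightly beyond the text. The realm, user name, password, nonce values and request bodies are constructed sample data; the only real value is the RFC 2617 section 3.5 test vector reproduced in rfc2617_example().

```python
import hashlib
import hmac
from typing import Dict, Set, Tuple


def _md5_hex(data: str) -> str:
    # RFC 2617 defines H() as MD5 over the octets of the string, hex-encoded.
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str, body: bytes = b"") -> str:
    """Compute the RFC 2617 'response' value for qop=auth or qop=auth-int."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    if qop == "auth":
        ha2 = _md5_hex(f"{method}:{uri}")
    elif qop == "auth-int":
        # auth-int binds the entity body: H(entity-body) is an input to A2,
        # so any change to the body changes the expected response.
        ha2 = _md5_hex(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        raise ValueError(f"unsupported qop: {qop}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: recompute the response from the stored password and the body
    actually received, and refuse a (nonce, nc) pair that was already accepted."""

    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm = realm
        self.users = users                       # username -> password (sample store)
        self.seen: Set[Tuple[str, str]] = set()  # accepted (nonce, nc) pairs

    def verify(self, fields: Dict[str, str], method: str, body: bytes) -> bool:
        password = self.users.get(fields.get("username", ""))
        if password is None:
            return False
        key = (fields["nonce"], fields["nc"])
        if key in self.seen:
            return False  # same nonce and nonce count presented twice: treat as replay
        expected = digest_response(fields["username"], self.realm, password, method,
                                   fields["uri"], fields["nonce"], fields["nc"],
                                   fields["cnonce"], fields["qop"], body)
        if not hmac.compare_digest(expected, fields["response"]):
            return False
        self.seen.add(key)
        return True


def rfc2617_example() -> str:
    """The worked example from RFC 2617 section 3.5 (qop=auth)."""
    return digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b", "auth")


def demo() -> Dict[str, bool]:
    """Show what each qop does and does not protect, using constructed sample data."""
    realm, users = "example.org", {"alice": "correct horse"}
    body = b'{"amount": 10}'        # body the client signed
    tampered = b'{"amount": 9999}'  # body as modified in transit
    results: Dict[str, bool] = {}
    fields: Dict[str, str] = {}
    for qop in ("auth", "auth-int"):
        fields = {"username": "alice", "uri": "/transfer", "nonce": "nonce-" + qop,
                  "nc": "00000001", "cnonce": "c0ffee", "qop": qop}
        fields["response"] = digest_response("alice", realm, users["alice"], "POST",
                                             fields["uri"], fields["nonce"], fields["nc"],
                                             fields["cnonce"], qop, body)
        # Fresh verifier per check so the replay rule does not mask the body result.
        results[f"{qop}/genuine"] = DigestVerifier(realm, users).verify(fields, "POST", body)
        results[f"{qop}/tampered"] = DigestVerifier(realm, users).verify(fields, "POST", tampered)
    # Presenting the same (nonce, nc) a second time to one verifier is rejected.
    v = DigestVerifier(realm, users)
    v.verify(fields, "POST", body)
    results["auth-int/replay"] = v.verify(fields, "POST", body)
    return results


if __name__ == "__main__":
    print(rfc2617_example())
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it shows that with qop=auth a modified body is still accepted (only the method and URI are covered), while with qop=auth-int the same modification is rejected; the replay case shows why a server must track nonce counts rather than accept any response computed under a still-valid nonce.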

Received on Monday, 8 January 2001 10:10:07 UTC