- From: Robert Siemer <Robert.Siemer-httpwg@backsla.sh>
- Date: Sat, 15 Mar 2008 22:15:16 +0100
- To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
- Cc: ietf-http-wg@w3.org
On Thu, Mar 13, 2008 at 11:09:03PM -0400, Stephane Bortzmeyer wrote:

> TLS, besides its use for client and/or server authentication, is also
> very commonly used to protect the confidentiality and integrity of the
> HTTP session. For instance, both HTTP Basic authentication and Cookies
> are often protected against snooping by TLS.
>
> It should be noted that, in that case, TLS does not protect against a
> breach of the credential store at the server or against a keylogger or
> phishing interface at the client. TLS does not change the fact that
> Basic Authentication passwords are reusable and does not address that
> weakness.

TLS does not address the security of the client certificate either (which can be stolen/copied from the client and is reusable...). But yes, there are better means to avoid that compared to passwords only (e.g. chipcards).

Robert
Received on Saturday, 15 March 2008 21:14:36 UTC