- From: Kornel Lesinski <kornel@geekhood.net>
- Date: Wed, 26 Nov 2008 00:38:22 -0000
On Tue, 25 Nov 2008 05:26:47 -0000, Ian Hickson <ian at hixie.ch> wrote:

>> http://www.w3.org/TR/1999/NOTE-authentform-19990203
[...]
> I don't really understand what problem the above solves that isn't solved
> better by SSL.

I agree that if real security is desired, SSL is the only way to go. However, given that most login forms on the web send passwords in the clear, other problems were more important than security.

Form + Digest avoids these SSL problems:

* Does not negatively impact performance. In a TLS handshake lots of messages go back and forth, so this can't be fixed by beefing up servers' CPUs.
* Does not need access to the server's configuration, or generation, installation and renewal of certificates. Redistributable software can support it out of the box, on almost any server, without manual installation steps.

Additionally, it's better than the new "WWW-Authenticate: HTML" authentication mechanism:

* It's compatible with existing non-HTML HTTP clients.
* Although its security is weak compared to SSL, it's a step up from forms + cookies.
* It's easier to sell: "It will allow bots to log in" doesn't sound very desirable. "It will protect your users' passwords against passive eavesdropping" sounds better.

I don't think "WWW-Authenticate: HTML" is a significant improvement. It doesn't offer anything to existing websites/browsers. It's primarily targeted at non-browser UAs, but it's not compatible with them. If UAs are required to parse HTML, they could as well look for a form with a single password field.

--
regards, Kornel Lesinski
Received on Tuesday, 25 November 2008 16:38:22 UTC
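Added example, not part of the email above or of the 1999 W3C note it cites: a minimal model of the "form + Digest" login the message argues for, using the RFC 2617 Digest computation (MD5, without qop). The realm, user record, form field names and URI are constructed for the example. It shows what the mechanism buys against a passive eavesdropper (the cleartext password never crosses the wire, the server stores only HA1, and a captured response cannot be replayed once its nonce is consumed) so that the "weak compared to SSL" comparison has something concrete behind it.

```python
import hashlib
import hmac
import secrets

REALM = "example-realm"                                 # assumed realm name
USERS = {"alice": "correct horse battery staple"}       # constructed user store


def h(data: str) -> str:
    """MD5 hex digest, because that is what RFC 2617 Digest specifies (not a modern choice)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the only secret-derived value the server keeps."""
    return h(f"{username}:{realm}:{password}")


def compute_response(username, realm, password, method, uri, nonce) -> str:
    """Client side: the value the form submits in place of the cleartext password.

    response = MD5(HA1 : nonce : MD5(method:uri))   (RFC 2617, no qop)
    """
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1(username, realm, password)}:{nonce}:{ha2}")


class DigestFormServer:
    """Server side of a form-based Digest login (constructed for this example)."""

    def __init__(self, realm, users):
        self.realm = realm
        # Store HA1 only: the server never needs, and never sees, the cleartext password.
        self.ha1_by_user = {u: ha1(u, realm, p) for u, p in users.items()}
        self.outstanding = set()   # nonces handed out and not yet consumed

    def login_form(self) -> dict:
        """Issue a fresh single-use nonce; these would be hidden fields in the HTML form."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce}   # field names assumed

    def verify(self, username, nonce, method, uri, response) -> bool:
        if nonce not in self.outstanding:
            return False              # unknown or already-used nonce: replay is refused
        self.outstanding.discard(nonce)   # consume it even on failure, forcing a fresh form
        stored = self.ha1_by_user.get(username)
        if stored is None:
            return False
        expected = h(f"{stored}:{nonce}:{h(f'{method}:{uri}')}")
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo():
    """Returns (first_login_ok, replay_ok, wrong_password_ok)."""
    server = DigestFormServer(REALM, USERS)
    form = server.login_form()
    # Only 'resp' (and the nonce) crosses the wire; an eavesdropper never sees the password.
    resp = compute_response("alice", form["realm"], USERS["alice"], "POST", "/login", form["nonce"])
    first = server.verify("alice", form["nonce"], "POST", "/login", resp)
    # Someone who captured (nonce, resp) and submits it again is refused: the nonce is spent.
    replay = server.verify("alice", form["nonce"], "POST", "/login", resp)
    # A fresh form filled with the wrong password fails as well.
    form2 = server.login_form()
    bad = compute_response("alice", form2["realm"], "wrong password", "POST", "/login", form2["nonce"])
    wrong = server.verify("alice", form2["nonce"], "POST", "/login", bad)
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

What the model does not provide is exactly what the email concedes: nothing authenticates the server or protects the page that carries the form, so an active attacker is out of scope, and the strength of the digest against guessing is bounded by the password itself. That is the gap SSL closes and Digest does not.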