- From: Roger Hågensen <rescator@emsai.net>
- Date: Sat, 18 Oct 2014 19:14:03 +0200
- To: whatwg@lists.whatwg.org
On 2014-10-17 17:09, Nils Dagsson Moskopp wrote: > Roger Hågensen <rescator@emsai.net> writes: > >> Also http logins with plaintext transmission of passwords/passphrases >> need to go away, and is a pet peeve of mine, I detest Basic >> HTTP-Authentication which is plaintext. > Note that Basic Auth + HTTPS provides reliable transport security. This precludes that a site has a certificate, and depite someone like StartSSL giving them out free, sites and forums still do not use HTTPS. Also, Basic Auth is also plaintext so the server is not Zero Knowledge. > >> Hashing the password (or passphrase) in the client is the right way to >> go, but currently javascript is needed to make that possible. > Do you know about HTTP digest authentication? > <http://en.wikipedia.org/wiki/Digest_access_authentication> > Yes, and it's why I said "Basic HTTP Authentication", Digest is the better method of HTTP Authentication. And I know that very well and it's very underdeveloped, there is no logout possible (you stay logged in until the browser session is ended by the user), and styling the login is not possible and it's not as easy to implement with AJAX methods. -- Roger "Rescator" Hågensen. Freelancer - http://www.EmSai.net/
Received on Saturday, 18 October 2014 17:54:31 UTC