- From: David Woolley <david@djwhome.demon.co.uk>
- Date: Sat, 16 Nov 2002 09:50:20 +0000 (GMT)
- To: www-html@w3.org
> A normal HTML form which allows a user to login to a system, could look
> like this:

The real problem here is that people are not using the security features in HTTP. In-band logins in HTML are intrinsically insecure, even if you use challenge-response techniques, as they generally rely on cookies, Referer or hidden form fields to protect the internal pages, and these all simply return unmodified data to the server. They are done essentially for vanity reasons.

(I agree with the other points that this proposal is plain-text equivalent. HTTP Basic authentication is also plain-text equivalent. I don't know enough about the MD5 authentication scheme in HTTP - getting good varying challenges is going to be a problem. HTTPS is the only really secure way of handling passwords.)
Received on Saturday, 16 November 2002 04:50:26 UTC
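The point made in the message above, that a cookie or hidden field is simply echoed back unchanged while a challenge-response scheme binds each proof to a server-chosen nonce, can be shown with a small model. The following is an added example, not code from the list post or from the W3C; the toy session-cookie server, the RFC 2617 Digest computation in its simplest (no qop) form, the user name, password and realm are all constructed for this illustration.

```python
"""Added example (not from the mailing-list post): a captured session cookie
replays, while an HTTP Digest response is bound to a one-time server nonce.
All names, credentials and server state below are constructed for illustration."""
import hashlib
import secrets


def md5_hex(s: str) -> str:
    """MD5 as used by the HTTP Digest scheme (RFC 2617); not a password hash."""
    return hashlib.md5(s.encode()).hexdigest()


class CookieServer:
    """Form login that hands out a session token; later requests just echo it."""

    def __init__(self, passwords: dict):
        self.passwords = passwords
        self.sessions = {}

    def login(self, user: str, password: str):
        if self.passwords.get(user) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def request(self, cookie: str):
        # Whoever presents the token is treated as its owner: replay succeeds.
        return self.sessions.get(cookie)


class DigestServer:
    """HTTP Digest (RFC 2617, no qop): response = MD5(HA1:nonce:HA2)."""

    def __init__(self, realm: str, passwords: dict):
        self.realm = realm
        self.passwords = passwords
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> str:
        # The "good varying challenge": unpredictable and single-use.
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def authorize(self, user, method, uri, nonce, response) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown, expired or already used nonce
        self.outstanding.discard(nonce)  # burn it: one proof per challenge
        ha1 = md5_hex(f"{user}:{self.realm}:{self.passwords.get(user, '')}")
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, response)


def digest_response(user, password, realm, method, uri, nonce) -> str:
    """Client side of the same computation."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def demo() -> dict:
    passwords = {"alice": "correct horse"}  # constructed credentials

    # In-band form login: an attacker who captured the cookie is
    # indistinguishable from the real user.
    cs = CookieServer(passwords)
    cookie = cs.login("alice", "correct horse")
    cookie_replay = cs.request(cookie) == "alice"

    # Digest: the captured Authorization value is useless once its nonce is spent.
    ds = DigestServer("example", passwords)
    nonce = ds.challenge()
    resp = digest_response("alice", "correct horse", "example", "GET", "/private", nonce)
    first = ds.authorize("alice", "GET", "/private", nonce, resp)
    replay_same = ds.authorize("alice", "GET", "/private", nonce, resp)
    fresh = ds.challenge()
    replay_fresh = ds.authorize("alice", "GET", "/private", fresh, resp)

    return {
        "cookie_replay_accepted": cookie_replay,
        "digest_first_accepted": first,
        "digest_replay_same_nonce": replay_same,
        "digest_replay_fresh_nonce": replay_fresh,
    }


if __name__ == "__main__":
    print(demo())
```

The model rejects a replay both because the nonce is consumed and because a fresh nonce changes the expected hash. Two caveats for anyone reading this as a recommendation: if the server reuses or makes nonces predictable the replay protection collapses, and an eavesdropper who captures one Digest exchange can still run an offline dictionary attack on the password, which is part of why the post concludes that HTTPS is the only really secure option.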