Re: Idea for securityfix in HTML

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 16 Nov 2002 11:07:43 +0100
"Xatr0z" <xatr0z@home.nl> wrote:

| From: Toby Inkster <tobyink@goddamn.co.uk>
| 
| > b) MD5 isn't even encryption -- it's a hash -- not reversible. Thus
| > the server couldn't decode the information at the other end anyway!
| 
| Yes, but a lot of systems use MD5 hashes in databases, for passwords by
| example.

That is true, but if everybody did what you suggested, we would just be relying on md5(password) to log in instead of password. The md5(password) would be passed in plain text and could be intercepted and used by an attacker. 
 
| > c) Why bother when we already have HTTPS? HTTPS provides security
| infinitely better than all the methods you have suggested.
| 
| I think HTTP should be save.

With a lot of improvements, a cardboard box could be made safe, but for keeping things locked up, people prefer to use proper metal safes. Cardboard boxes and safes are both useful for keeping things in -- but in different ways.

HTTP should be used when security isn't important. HTTPS should be used when security is important.

| > d) HTML is dead, there are no plans to recommend any further versions.
| 
| I personaly think this is a bad idea, HTML is still used a lot on the
| WWW.

There is nothing to stop people using it, but there are no plans to make any new versions after 4.01. All improvements are going into XHTML, which is a more easily extensible format.

- -- 
Toby A Inkster BSc ARCS
PGP:      http://www.goddamn.co.uk/tobyink/node.cgi?id=12
Web Page: http://www.goddamn.co.uk/tobyink/
IM:       AIM:inka80 ICQ:6622880 YIM:tobyink Jabber:tobyink@a-message.de

I just forgot my whole philosophy of life!!!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE91j0Hzr+BKGoqfTkRAop7AJ4zZq/mnTAlbIvWVSX9RclkWt92QACggXNE
adp3FVWAusUduhXRlBHhjzc=
=PSOL
-----END PGP SIGNATURE-----

Received on Saturday, 16 November 2002 07:42:39 UTC