- From: John Cowan <cowan@ccil.org>
- Date: Wed, 13 Dec 2006 09:17:09 -0500
- To: Alastair.Green@barclayscapital.com
- Cc: www-tag@w3.org, alastair.green@choreology.com

Alastair.Green@barclayscapital.com scripsit:
> Contrariwise, a ukase against passwords in the clear seems appropriate
> because a) it's a gross and inarguable security violation, and b)
> everyone has the equipment to implement the solution, even when using
> free software. Cost = 0, benefit > 0 => no-brainer.

I continue to disagree. Sometimes passwords in the clear provide
just enough security to be useful without being intrusive, in which
case the benefit of stronger security = 0. And the cost of HTTPS is
still greater than zero: server operators must either pay for
certificates or use self-certification and deal with nervous
customers who worry about unknown-certifier popups in their browsers,
though typical certificates are about as reliable as self-certificates,
that is to say, not at all.

--
John Cowan    cowan@ccil.org    http://www.ccil.org/~cowan
Even the best of friends cannot attend each others' funeral.
        --Kehlog Albran, The Profit

Received on Wednesday, 13 December 2006 14:17:19 UTC