Re: New version of Passwords in the Clear

Rice, Ed (ProCurve) scripsit:

> For example, on the news source
> outlined in the post it clear that a news story doesn't need to use
> SHTML but if the user hasn't authenticated it would be easy to redirect
> the user to a login page and I do think that login page should use
> SHTML.  Once the user has authenticated, the content may or may not
> raise to the level of secure content and if not straight HTML in fact
> would be preferable.

I assume s/HTML/HTTP/.  In any case, basic HTTP authentication has no
concept of a "login page"; every request bears the authentication headers
except the first one, which fails with a 403.  My present employer
deploys RSS feeds under basic authentication, for example, where
there would be no way to handle a login page if it did exist.

> So, what John's article doesn't say is 'yeah, I think its ok to pass
> passwords around in clear text' I believe he's saying 'only secure what
> you need to'.. I don't disagree with the latter. (John correct me if
> I've miss-read).

No, I do affirm that passing around passwords in clear text may be good
enough in particular cases, just as signs that say "UNAUTHORIZED PERSONNEL
KEEP OUT" may be enough, or easily-forced pin-tumbler locks, or any
number of other easily defeated technologies.

Some people open all the Windows;       John Cowan
wise wives welcome the spring 
by moving the Unix.           
  --ad for Unix Book Units (U.K.)

Received on Wednesday, 15 November 2006 21:00:31 UTC