Just learned IIS Basic authentication transmits a users user name and password in Base64 over the internet.
MS recommends you use SSL with it. But, even if you do that, can't you use an ISAPI to silently phish somebody's password? Or even if the dialog comes up, Granma and Granpa will hit okay. Hm. Sorry, I know it's very OT, but I don't want to subscribe to a security list just to make this one observation. Any thoughts? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
