This is a digression, but it touches on an important question that others are asking in response to this general push [1].

Fundamentally, better client authentication doesn't do anything to help make the web a more secure place (in any of the dimensions that we're primarily concerned about in this thread, anyway). They can actually make things worse by creating more ways of tracking users.

On Fri, Apr 24, 2015 at 3:28 PM, Roger Hågensen <skuldw...@gmail.com> wrote:

> How about HTTP/2?
> Also a lot of smart minds completely ignored HTTP Digest Authentication for
> years, allowing Basic (plain text) passwords to be sent when logging in on sites.

The problems with both digest and basic are primarily poor UX. This is well-known. From a security perspective, both are pretty poor, but since the UX was so poor they weren't used that much. Consequently, they were neglected.

HTTP APIs have been used more in recent years, so we're seeing more demand for better mechanisms that are native to the protocol. OAuth is one such thing. And new authentication methods are being developed in the httpauth working group in the IETF [2]. Participation is open there, feel free to sign up. You can also look into essentially proprietary systems like hawk [3], which Mozilla services have decided they quite like.

> HTTP/2 could be extended to improve the way HTTP Digest Authentication works,
> adding an HMAC(PSWD+SALT) + Challenge(NONCE) = Response(HASH) method.

HTTP/2 is not the place for authentication improvements. We specifically removed the mechanism Google invented for SPDY early in the HTTP/2 process for that reason (and others). The mechanisms cited above all work perfectly well with HTTP/1.1, and that's still considered an important property.

[1] http://www.w3.org/DesignIssues/Security-ClientCerts.html
[2] https://tools.ietf.org/wg/httpauth
[3] https://github.com/hueniverse/hawk

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
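For readers who have not looked at HTTP Digest since the thread above calls it "pretty poor": the following added example (not code from this thread or from any project it mentions) computes the RFC 2617 qop=auth response on the client side and verifies it on the server side, including a nonce replay check. The credentials and nonce values are the RFC 2617 section 3.5 sample vectors, used only as constructed test data; the `server_verify` function and its `seen` set are assumptions of this example.

```python
import hashlib
import hmac

# Constructed test vector: the RFC 2617 section 3.5 sample credentials.
REALM = "testrealm@host.com"


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). A server that avoids storing the
    # plaintext password stores this instead, but HA1 is password-equivalent:
    # anyone holding it can produce valid responses without the password.
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    # with HA2 = MD5(method:uri). Nothing here is keyed by a server-held
    # secret; every input except HA1 is visible on the wire, so the
    # response only protects the password to the extent MD5 resists
    # offline guessing of a low-entropy secret.
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str, seen: set) -> bool:
    # Server side (hypothetical helper): recompute from the stored HA1,
    # compare in constant time, and refuse a (nonce, nc) pair that has
    # already been accepted so a captured Authorization header cannot be
    # replayed verbatim. Real servers also expire nonces by age.
    if (nonce, nc) in seen:
        return False
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    if not hmac.compare_digest(expected, response):
        return False
    seen.add((nonce, nc))
    return True


if __name__ == "__main__":
    ha1 = digest_ha1("Mufasa", REALM, "Circle Of Life")
    nonce, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
    resp = digest_response(ha1, "GET", "/dir/index.html", nonce, "00000001", cnonce)
    print(resp)  # 6629fae49393a05397450978507c4ef1, the RFC 2617 sample response
```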