Mike Meyer <[EMAIL PROTECTED]> writes:

> Only if the userid and password are part of the content. If you're
> doing the usual form-based authentication, then they are. If you're
> doing an HTTP-based authentication, then they aren't - the
> authentication information is in the headers, and can be protected
> however the protocol designers want it to be.

Well, HTTP Basic and HTTP Digest authentication both send the userid in
the clear. Basic also sends the password in the clear, while Digest
sends a hash of the (salted) password in the clear. Digest is better
than Basic, but since the attacker can see both the salt and the
password hash, he can still run a dictionary attack. Therefore, using
form-based authentication over SSL is more secure than using HTTP
Digest without SSL.

(Special tip from Paranoid Pete: have the downloaded page include some
JavaScript that inserts some padding chars into a hidden form field,
making the form post have constant length and thereby preventing it
from leaking the password length.)

> Most of the people building systems that require passwords on the web
> are too ignorant of security issues for me to trust anything crucial
> to them. I don't bank online, because the banking systems I've looked
> at don't meet *my* minimal requirements for security.

Worse than that, the user agreements typically make security failures
the customer's problem even if they're the bank's fault.

> Back when I was dealing with this on a regular basis, the major
> browser and server vendors were all pushing encrypted session
> mechanisms of various kinds. Given that, a secure authentication
> mechanism is a waste of time, and would provide competition for their
> product in some application domains. So those vendors typically didn't
> implement digest authentication. This sucked if you were exchanging
> content that didn't need security, but wanted to authenticate
> identity.

I don't have the impression that it was that nefarious. It took a while
for the standards for both encryption and digest authentication to
settle. By the time digest authentication was ready for prime time, SSL
was also widely deployed, and anyone doing anything serious used SSL.
So digest authentication was simply not needed.

--
http://mail.python.org/mailman/listinfo/python-list
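The two points the reply makes about HTTP authentication, as an added example that is not part of the original thread: what a passive observer of an unencrypted connection learns from a Basic header versus a Digest header, and how a form post can be padded to a constant encoded length so that the password length is not leaked. The Digest computation below is the plain RFC 2617 MD5 form without the `qop` extension; the usernames, passwords, realm and nonce are constructed sample values, and `constant_length_body` is a server-side illustration of the padding idea (a browser would do the same thing in JavaScript, as the reply suggests).

```python
"""Illustrates why Basic and Digest auth still need TLS, and constant-length form bodies."""
import base64
import hashlib
import re
from urllib.parse import urlencode


# --- HTTP Basic: the header is only base64-encoded, nothing is hidden ---

def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a client sends for Basic auth (RFC 2617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_observe(header: str) -> tuple:
    """What someone watching the plaintext connection recovers: both fields."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


# --- HTTP Digest (RFC 2617, MD5, no qop): the password only enters via MD5 ---

def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """response = MD5(MD5(user:realm:password):nonce:MD5(method:uri))."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_header(user, realm, password, method, uri, nonce) -> str:
    """Build the Authorization header a client sends after a Digest challenge."""
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def digest_observe(header: str) -> dict:
    """Every field except the password is visible on the wire in quoted form."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def digest_matches(observed: dict, method: str, candidate_password: str) -> bool:
    """The response is fully determined by the visible fields plus the password,
    so an observer can check any candidate password offline. This is the
    property the reply refers to, and why Digest without TLS is still weak."""
    expected = digest_response(observed["username"], observed["realm"],
                               candidate_password, method,
                               observed["uri"], observed["nonce"])
    return expected == observed["response"]


# --- Constant-length form body so the ciphertext length hides the password length ---

def constant_length_body(user: str, password: str, target_len: int,
                         pad_field: str = "pad") -> str:
    """Return an application/x-www-form-urlencoded body of exactly target_len bytes.

    The padding is computed on the *encoded* length, because percent-encoding
    changes the size of the password field ('@' becomes '%40', etc.).
    """
    base = len(urlencode({"user": user, "password": password, pad_field: ""}))
    if base > target_len:
        raise ValueError("credentials too long for the chosen target length")
    # 'x' is an unreserved character, so each one adds exactly one byte.
    return urlencode({"user": user, "password": password,
                      pad_field: "x" * (target_len - base)})


if __name__ == "__main__":
    # Constructed sample values, not from any real system.
    hdr = basic_header("alice", "s3cret")
    print(hdr, "->", basic_observe(hdr))

    dh = digest_header("alice", "example", "s3cret", "GET", "/account", "dcd98b7102dd2f0e")
    seen = digest_observe(dh)
    print("observer sees:", seen)
    print("correct password verifies offline:", digest_matches(seen, "GET", "s3cret"))

    for pw in ("ab", "p@ss word!"):
        body = constant_length_body("alice", pw, 64)
        print(len(body), body)
```

The `digest_matches` check is the defender's way to confirm the weakness the reply describes: if a recorded Digest exchange can be verified without talking to the server, the scheme gives no protection against offline guessing on an unencrypted link. The padding function shows the one edge case the "Paranoid Pete" tip needs to get right: the pad must be sized after URL-encoding, or passwords with special characters will still produce distinguishable lengths.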