Eric from Spyglass posted to www-talk a proposal for using MD5 encryption
in a system like this a few weeks ago - it looked solid, and I'm waiting
for a server and a browser to implement it (WN and Arena maybe?) so I can
set it up for HotWired.
> The reason I believed this was that real security is too expensive to
> develop to give away (and it almost always requires a license of some
> kind...).
Only until 1997! :)
> This message is a call to eliminate passwords-in-the-clear from HTTP.
> This means the browser developers should implement something like the
> spyglass proposal (it looks like a few hours more work to upgrade to
> this from the existing basic auth. scheme), and subscription-based
> information providers should _strongly_ encourage their user base to
> upgrade. Something like:
>
> "Please upgrade to a browser that doesn't send passwords in
> the clear (such as... links to recommended browsers.). In 6
> months, we will not be accepting Basic authentication."
From a quick glance at the list of browsers used on our site, less than
2% are more than 4 months behind the current rev of their browser, so I
don't see that as a huge issue. However the above statement implies that a
server can negotiate which type of authentication can be used:
S: Here's a challenge. Encrypt it.
C: Huh?
S: oh, never mind. Send me your uuencoded password.
C: okay, here goes....
...which doesn't seem to be in the specs anywhere. I'd prefer not to
have two separate URLs for different authentication schemes, though I
could hack around that by keeping around a list of browsers implementing
challenge-response.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com brian@hyperreal.com http://www.hotwired.com/Staff/brian/
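The negotiation Brian sketches above (server offers a challenge, a browser that does not understand it falls back to Basic, and a cutover date after which Basic is refused) is modelled below as an added example; it is not code from this thread, from Spyglass, or from HotWired. Later HTTP specifications did add exactly this negotiation by letting a 401 carry several WWW-Authenticate challenges for the client to choose from. The challenge-response arithmetic used here is the RFC 2069-style MD5 scheme that the Spyglass proposal grew into (HTTP Digest), not the proposal's own wire format, which the post does not reproduce; the realm, user name, password, URI and the `Server`/`Client` classes are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed credentials for the example. With the challenge-response scheme the
# server only needs H(A1) = MD5(user:realm:password) on disk, never the password.
REALM = "HotWired"
USER, PASSWORD = "brian", "correct-horse"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


STORED_HA1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2069-style answer: MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri).
    Only hashes cross the wire; the password itself is never transmitted."""
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")


class Server:
    def __init__(self, accept_basic: bool):
        self.accept_basic = accept_basic   # False after the announced cutover
        self.live_nonces: set[str] = set()

    def challenges(self) -> list[tuple[str, dict]]:
        """The 401: challenge-response first, Basic last, or not offered at all."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        offered = [("Digest", {"realm": REALM, "nonce": nonce})]
        if self.accept_basic:
            offered.append(("Basic", {"realm": REALM}))
        return offered

    def verify(self, scheme, creds, method="GET", uri="/Staff/brian/") -> bool:
        if scheme == "Basic" and self.accept_basic:
            user, _, pw = base64.b64decode(creds["credentials"]).decode().partition(":")
            return user == USER and hmac.compare_digest(md5_hex(f"{user}:{REALM}:{pw}"), STORED_HA1)
        if scheme == "Digest":
            nonce = creds["nonce"]
            if nonce not in self.live_nonces:   # unknown, expired or already used
                return False
            self.live_nonces.discard(nonce)     # single use: a captured answer cannot be replayed
            expected = digest_response(STORED_HA1, nonce, method, uri)
            return creds["username"] == USER and hmac.compare_digest(creds["response"], expected)
        return False


class Client:
    def __init__(self, supports: list[str]):
        self.supports = supports   # an old browser knows only ["Basic"]

    def answer(self, challenges, method="GET", uri="/Staff/brian/"):
        """Take the first offered scheme this browser understands; None means 'Huh?'."""
        for scheme, params in challenges:
            if scheme == "Digest" and scheme in self.supports:
                resp = digest_response(md5_hex(f"{USER}:{REALM}:{PASSWORD}"), params["nonce"], method, uri)
                return scheme, {"username": USER, "nonce": params["nonce"], "response": resp}
            if scheme == "Basic" and scheme in self.supports:
                return scheme, {"credentials": base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()}
        return None


def password_recoverable(scheme, creds) -> bool:
    """What a passive eavesdropper gets: Basic decodes straight back to the password."""
    if scheme == "Basic":
        return PASSWORD in base64.b64decode(creds["credentials"]).decode()
    return any(PASSWORD in v for v in creds.values())


def run(server: Server, client: Client):
    """One round trip: (scheme used, authenticated?, password readable on the wire?)."""
    reply = client.answer(server.challenges())
    if reply is None:
        return None, False, False
    scheme, creds = reply
    return scheme, server.verify(scheme, creds), password_recoverable(scheme, creds)


def replay_is_rejected() -> bool:
    """A sniffed Digest answer presented a second time fails: the nonce was consumed."""
    srv, cli = Server(accept_basic=False), Client(["Digest"])
    scheme, creds = cli.answer(srv.challenges())
    return srv.verify(scheme, creds) and not srv.verify(scheme, creds)


if __name__ == "__main__":
    print("new browser, Basic still allowed :", run(Server(True), Client(["Digest", "Basic"])))
    print("old browser, Basic still allowed :", run(Server(True), Client(["Basic"])))
    print("old browser, after the cutover   :", run(Server(False), Client(["Basic"])))
    print("replay of a captured answer fails:", replay_is_rejected())
```

The point the four runs make is the one the post argues for: while Basic is still offered, an old browser keeps working but its password is readable by anyone on the path, a current browser never exposes it, and once the server stops offering Basic the old browser simply cannot authenticate, which is the lever for pushing users to upgrade.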