On Wed, Sep 14, 2005 at 05:41:35AM +0200, Gerald Richter wrote:
> > Of course, Basic Authentication is evil, and should only be 
> > used for toy projects (since it doesn't scale) over HTTPS.
> 
> I see that, since password is transmitted in clear text, it is a security
> problem in http, but where is the problem with https?

The problem is that the password is still transmitted in the
clear on every request. If I can somehow sniff packets on your 
host I get lots of opportunities to steal your credentials; 
if I can get a hostile embperl page or cgi within the same
Auth Realm on your webserver I can do the same. Authentication
should be once only per-session and/or it shouldn't use cleartext
passwords.

The scalability thing is also significant, since every request
for every resource (which often means css, images, etc., not just 
html pages) is authorised. And typically the authorisation is 
non-trivial (e.g. a linear scan through an htpasswd file,
proportional to the number of users you have), rather than 
something fast like a ticket checksum.

Cheers,
Gavin

--
Open Fusion P/L - Open Source Business Solutions [ Linux - Perl - Apache ]
ph:  +612 9875 5032                                    fax: +612 9875 4317
web: http://www.openfusion.com.au                      mob: +61 403 171712
- Fashion is a variable, but style is a constant - Programming Perl
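An added illustration of the two points made above (the credential is repeated in the clear on every request, and a per-request htpasswd scan costs more as the user count grows than a ticket check does). This is not code from the thread; the header, user table, digests and server key are constructed for the demo, and SHA-256 stands in for crypt so it runs anywhere.

```python
import base64, hashlib, hmac, secrets, time

# Constructed: the header a browser resends on every request after a Basic challenge.
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()

def decode_basic_header(header):
    """Base64 is an encoding, not encryption: anyone who sees the header on the
    wire (or from a page in the same realm) has the password in the clear."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(payload).decode().partition(":")
    return user, password

# Constructed htpasswd-like file: "name:digest" lines (SHA-256 hex stands in for
# crypt so the demo runs anywhere); "alice" is the last of 1000 entries.
HTPASSWD_LINES = [f"user{i}:{hashlib.sha256(f'pw{i}'.encode()).hexdigest()}" for i in range(999)]
HTPASSWD_LINES.append("alice:" + hashlib.sha256(b"s3cret").hexdigest())

def check_htpasswd(user, password):
    """Linear scan, as a flat htpasswd lookup is; returns (ok, lines_read)
    so the per-request cost growing with the user count is visible."""
    want = hashlib.sha256(password.encode()).hexdigest()
    for n, line in enumerate(HTPASSWD_LINES, 1):
        name, _, digest = line.partition(":")
        if name == user:
            return hmac.compare_digest(digest, want), n
    return False, len(HTPASSWD_LINES)

SERVER_KEY = secrets.token_bytes(32)  # assumption: a secret held only by the server

def issue_ticket(user, ttl=3600, now=None):
    """Authenticate once (e.g. via check_htpasswd), then hand back user|expiry|HMAC."""
    exp = int((time.time() if now is None else now) + ttl)
    tag = hmac.new(SERVER_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{exp}|{tag}"

def check_ticket(ticket, now=None):
    """Per-request check: one HMAC regardless of user count, and no password travels.
    Returns the user on a valid, unexpired ticket, else None."""
    try:
        user, exp, tag = ticket.split("|")
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return user if int(exp) >= (time.time() if now is None else now) else None

if __name__ == "__main__":
    print(decode_basic_header(SAMPLE_BASIC_HEADER), check_htpasswd("alice", "s3cret"))
    print(check_ticket(issue_ticket("alice")))
```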

