Hi,

> On Wed, Sep 14, 2005 at 05:41:35AM +0200, Gerald Richter wrote:
> > > Of course, Basic Authentication is evil, and should only be used for
> > > toy projects (since it doesn't scale) over HTTPS.
> > 
> > I see that, since password is transmitted in clear text, it is a 
> > security problem in http, but where is the problem with https?
> 
> The problem is that the password is still transmitted in the 
> clear on every request. If I can somehow sniff packets on 
> your host I get lots of opportunities to steal your 
> credentials; if I can get a hostile embperl page or cgi 
> within the same Auth Realm on your webserver I can do the 
> same. Authentication should be once only per-session and/or 
> it shouldn't use cleartext passwords.
> 

Ok, I agree

> The scalability thing is also significant, since every
> request for every resource (which often means css, images,
> etc., not just html pages) is authorised. And typically the
> authorisation is non-trivial (e.g. a linear scan through an
> htpasswd file, proportional to the number of users you have),
> rather than something fast like a ticket checksum.
> 

This depends on your userbase and the way you store passwords.

Thanks for the feedback

Gerald
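The two points made in the quoted reply (the password travels in every Basic request, and every request costs a user-store lookup rather than a checksum) side by side, as an added example that is not part of this thread or of Embperl; it is Python rather than Perl, and the `USERS` store and `SERVER_KEY` are constructed assumptions:

```python
import base64, hashlib, hmac, secrets, time
from typing import Optional

# Constructed sample user store (username -> SHA-256 of password); stand-in for htpasswd.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
SERVER_KEY = secrets.token_bytes(32)  # assumption: per-server secret for signing tickets

def make_basic_header(user: str, password: str) -> str:
    """What a browser sends on every request once it holds Basic credentials for a realm."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_auth_check(authorization_header: str) -> Optional[str]:
    """Server side of Basic auth: returns the username on success, None otherwise."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme != "Basic":
        return None
    try:  # base64 is encoding, not encryption: whoever sees the header has the password
        user, _, password = base64.b64decode(encoded).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    # the password must be hashed and looked up in the user store on every request
    expected = USERS.get(user)
    got = hashlib.sha256(password.encode()).hexdigest()
    return user if expected and hmac.compare_digest(expected, got) else None

def issue_ticket(user: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issued once per session after a successful login; carries no password."""
    expiry = (int(time.time()) if now is None else now) + ttl
    payload = f"{user}:{expiry}"
    return payload + ":" + hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def verify_ticket(ticket: str, now: Optional[int] = None) -> Optional[str]:
    """Per-request check: one HMAC over a short string, no user-store lookup."""
    try:
        user, expiry, mac = ticket.rsplit(":", 2)
        expiry_ts = int(expiry)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user if expiry_ts >= (int(time.time()) if now is None else now) else None
```

The ticket path still needs TLS to keep the ticket itself from being replayed, but a stolen ticket expires and never exposes the password.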
