> How do you trust it is not going to send your password somewhere?
> How do you trust another bug in the browser will not allow another "tab"
> to read the memory of the browser including your password or TGT?
> other should not come in contact, IMO.
Clearly there are potential problems. The question is, are they bigger problems
than sending your password across the net? The first two questions are not
prompt, particularly those technologies which redirect browsers all over the
internet. The last one is common to any session token you might have after
authenticating. These are all high-visibility, well exercised regions of code
which should get fixed quickly when a problem is detected.
How do you know openssl doesn't have another heartbleed bug in it?
Relevant questions are: Given that a http basic auth challenge and the Kerberos
there a benefit to sending Kerberos exchanges instead of your password? Would
implementing this strategy help reduce the number of websites which require
their own user database, reducing users' exposure to ill-managed systems? (and
if we assume they use the same password in more than one place: reduce the
system manager's exposure to having someone else's compromised system plague my
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project