On Thu, 22 Oct 2020 22:07:37 +0200 José Miguel Sánchez García <[email protected]> wrote:
Dear José,

> I had HTTP basic and digest auth in mind. They both can be implemented
> pretty easily without adding external dependencies and with a
> reasonable amount of code. Everything more advanced is straight out of
> scope for quark.
> Thanks for suggesting basic! I wasn't sure about it, as it's pretty
> insecure nowadays. But I acknowledge that, for quark's use cases, it
> is perfectly reasonable.

I agree with Hiltjo that Basic-authentication is the way to go. The
reason is that without TLS, you can, as an evildoer, do whatever you
want with a connection, and trying to "fix" it in a half-assed way
doesn't work. The only way to fix it is using TLS, encapsulating the
entire stream. Encryption, tamper-proofing, etc. are then handled by it
one layer above in a much better way than all these pseudo-secure more
complex authentication methods.

With best regards

Laslo
