On Thu, 17 Jan 2013 22:38:32 +0100, Casper Bang <[email protected]> wrote:

HTTPS can prevent man-in-the-middle attacks, but it can not in any way be
used to guarantee that your entered credentials are not logged or stored
improperly at the receiving end. My point is that, as long as everyone
agrees about the algorithms, whether you do hash(password) on the server or
hash(hash(password)) split between the client and the server, is irrelevant
in practice... but only the latter mechanism guarantees that
no clear-text password ever enters the remote system. This could be built
into HTTP (added to RFC).

In the end, wouldn't it be better to build web systems that only accept client SSL certificates instead of passwords?

--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - [email protected]
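The split hashing Casper describes, as an added example (not code from either poster): the client derives a digest from the password before sending it, and the server only ever stores a salted hash of that digest, so the clear-text password never reaches it. PBKDF2-SHA256, the username as the client-side salt, and the in-memory dict standing in for the user table are all assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune for the deployment

# Round 1, on the client: the password is reduced to a digest locally, so the
# remote system never receives it. The username acts as a per-user salt so two
# accounts with the same password do not produce the same digest.
def client_digest(username: str, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), ITERATIONS)

# Round 2, on the server: the received digest is itself password-equivalent
# (whoever holds it can log in), so it is never stored directly. A random
# per-record salt and a second PBKDF2 round protect the stored value.
def server_enrol(db: dict, username: str, digest: bytes) -> None:
    salt = os.urandom(16)
    db[username] = (salt, hashlib.pbkdf2_hmac("sha256", digest, salt, ITERATIONS))

def server_verify(db: dict, username: str, digest: bytes) -> bool:
    record = db.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", digest, salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def demo() -> tuple:
    db = {}  # constructed stand-in for the server's user table
    server_enrol(db, "alice", client_digest("alice", "correct horse"))
    good = server_verify(db, "alice", client_digest("alice", "correct horse"))
    wrong = server_verify(db, "alice", client_digest("alice", "battery staple"))
    # A leaked server record is not a login credential on its own: presenting the
    # stored hash as if it were the client digest fails, because the server
    # hashes whatever it receives once more before comparing.
    _, stored = db["alice"]
    leaked_record = server_verify(db, "alice", stored)
    return good, wrong, leaked_record

if __name__ == "__main__":
    print(demo())
```

Note that the client digest still travels over the wire and is replayable, which is why the thread's premise that HTTPS remains necessary holds: the split only changes what the server sees, not what an eavesdropper could use.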
