At 12:04 PM +0000 12/31/10, Nathan Rixham wrote:
Tamara Temple wrote:
Sorry, I was misled by your use of the phrase "Users should not be copy-pasting passwords or usernames" above. I'd love to hear what you think is an alternative to identifying with a web app that keeps track of information about someone that is more secure.

Client-side SSL certificates: they force HTTP+TLS (thus encryption over the wire and no chance of middleman attacks) and no usernames or passwords need to be passed, as you identify people by the public key held in their certificate; the TLS process ensures they have the private key.


I was wondering when you would chime in.

The certificate example you provided me a few months ago was exceptional. I now believe that server-side data can be kept reasonably secure regardless of successful attacks on the server.
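
The identification step described in the thread (look the user up by the public key in their client certificate), as an added example that is not code from either poster. It assumes Apache mod_ssl with `SSLOptions +ExportCertData`, so the verified client certificate reaches PHP in `SSL_CLIENT_CERT`; the helper names `spki_fingerprint()` and `identify_user()`, the account table and the demo certificate are hypothetical.

```php
<?php
// Added example, not from the original thread.
// Assumption: mod_ssl exports SSL_CLIENT_VERIFY and SSL_CLIENT_CERT (PEM).
// The TLS handshake has already proven the client holds the private key.

// SHA-256 over the DER-encoded public key taken from a PEM certificate.
function spki_fingerprint(string $certPem): ?string
{
    $cert = openssl_x509_read($certPem);
    if ($cert === false) {
        return null;
    }
    $pub = openssl_pkey_get_public($cert);
    $details = $pub === false ? false : openssl_pkey_get_details($pub);
    if ($details === false) {
        return null;
    }
    // $details['key'] is the PEM public key; strip the armour to get DER.
    $b64 = preg_replace('/-----[^-]+-----|\s+/', '', $details['key']);
    return hash('sha256', base64_decode($b64));
}

// Map the presented certificate to an account; no username or password involved.
function identify_user(array $server, array $accounts): ?string
{
    $verify = $server['SSL_CLIENT_VERIFY'] ?? 'NONE';
    if (!in_array($verify, ['SUCCESS', 'GENEROUS'], true)) {
        return null; // no certificate presented, or the handshake check failed
    }
    $fp = spki_fingerprint($server['SSL_CLIENT_CERT'] ?? '');
    return $fp === null ? null : ($accounts[$fp] ?? null);
}

// Constructed demo input: a throwaway self-signed certificate for "alice".
$key  = openssl_pkey_new(['private_key_bits' => 2048,
                          'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'alice (constructed)'], $key,
                        ['digest_alg' => 'sha256']);
$x509 = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
openssl_x509_export($x509, $pem);

// Enrolment stores only the key fingerprint; there is no password to leak.
$accounts = [spki_fingerprint($pem) => 'alice'];

var_dump(identify_user(['SSL_CLIENT_VERIFY' => 'GENEROUS',
                        'SSL_CLIENT_CERT'   => $pem], $accounts));
var_dump(identify_user(['SSL_CLIENT_VERIFY' => 'NONE'], $accounts));
```

In a real request the second argument would come from the application's user store and the first would be `$_SERVER`.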



