Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-17 Thread Per Jessen
Colin Guthrie wrote: I appreciate that https doesn't provide trust by default, but ultimately that's how Joe Bloggs public has been told to deal with it look for the padlock etc. etc. to be sure that your session is secure blah blah. Yeah. Which is probably because all of the intricacies

Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-17 Thread Andrew Ballard
On Tue, Feb 17, 2009 at 3:11 AM, Per Jessen p...@computer.org wrote: Colin Guthrie wrote: I appreciate that https doesn't provide trust by default, but ultimately that's how Joe Bloggs public has been told to deal with it look for the padlock etc. etc. to be sure that your session is secure

Re: [PHP] Back to Basics - Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-16 Thread German Geek
Brilliant. Someone who understood my intentions :) It's not only a good exercise but also useful. Once done in PHP and various JS frameworks, we could port it to other languages. Would suggest to support as many as we can because they all have pros and cons. PHP first tho :) . Maybe just good old

Re: [PHP] Back to Basics - Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-16 Thread Jason Pruim
On Feb 16, 2009, at 6:11 AM, German Geek wrote: Brilliant. Someone who understood my intentions :) It's not only a good exercise but also useful. Once done in PHP and various JS frameworks, we could port it to other languages. Would suggest to support as many as we can because they all

[PHP] Re: for the security minded web developer - secure way to login?

2009-02-16 Thread Colin Guthrie
'Twas brillig, and Michael A. Peters at 16/02/09 00:10 did gyre and gimble: Colin Guthrie wrote: 'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble: Please enlighten me why it is so expensive? Is it maybe just the hassle of setting it up? The whole thing is about trust.

Re: [PHP] Back to Basics - Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-16 Thread German Geek
Yes, there are situations like that, but then it could just submit the form (which would happen anyway) and check the plaintext password like normal if the other mechanism fails. If people have JS turned on, it would simply increase security a little. The crucial part is just the sending of the

Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-16 Thread German Geek
Well, httpus seems like a good idea though. That's the kind of response I was hoping for. :-) Maybe browsers would implement that idea in the future. I like that idea a lot actually. I mean, when you log in to your Linux server the first time with OpenSSH, you also have to accept the certificate. In

Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-16 Thread Michael A. Peters
German Geek wrote: Well, httpus seems like a good idea though. That's the kind of response I was hoping for. :-) Maybe browsers would implement that idea in the future. I like that idea a lot actually. I mean, when you log in to your Linux server the first time with OpenSSH, you also have to accept

Re: [PHP] Back to Basics - Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-16 Thread Michael A. Peters
Rene Veerman wrote: Just for this case, where authentication of the server isn't an issue, and things like deployment cost are, I'd like to propose that we on this list look again at securing login/pass through onewayHash functions, in an otherwise non-SSL environment. I hate to be a

Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-16 Thread Per Jessen
Colin Guthrie wrote: Yeah, the cheap CAs are IMO actually a problem. I (personally) think we should have a new system for this scenario: http:// = totally insecure; https:// = secure and to a reasonable degree of trust (e.g. no $12.00 certs!); httpus:// = secure but no aspect of trust.

[PHP] Re: for the security minded web developer - secure way to login?

2009-02-16 Thread Colin Guthrie
'Twas brillig, and Per Jessen at 16/02/09 13:49 did gyre and gimble: Colin Guthrie wrote: Yeah, the cheap CAs are IMO actually a problem. I (personally) think we should have a new system for this scenario: http:// = totally insecure; https:// = secure and to a reasonable degree of trust (e.g.

Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-16 Thread Michael A. Peters
Colin Guthrie wrote: 'Twas brillig, and Per Jessen at 16/02/09 13:49 did gyre and gimble: Colin Guthrie wrote: Colin, I think you're mixing apples and oranges here - http(s) was never meant to provide any indication of trust. Besides, how do you suggest we distinguish between CAs with no

[PHP] Re: for the security minded web developer - secure way to login?

2009-02-15 Thread Colin Guthrie
'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble: Please enlighten me why it is so expensive? Is it maybe just the hassle of setting it up? The whole thing is about trust. Getting a certificate is nothing if the system is not backed up by a trust system. If a CA was set up

Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-15 Thread Michael A. Peters
Colin Guthrie wrote: 'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble: Please enlighten me why it is so expensive? Is it maybe just the hassle of setting it up? The whole thing is about trust. Getting a certificate is nothing if the system is not backed up by a trust

[PHP] Back to Basics - Re: [PHP] Re: for the security minded web developer - secure way to login?

2009-02-15 Thread Rene Veerman
Just for this case, where authentication of the server isn't an issue, and things like deployment cost are, I'd like to propose that we on this list look again at securing login/pass through onewayHash functions, in an otherwise non-SSL environment. I hate to be a critic of the community