[4527] in WWW Security List Archive
Basic Authentication
daemon@ATHENA.MIT.EDU (Aaron Abelard)
Thu Feb 20 11:03:15 1997
Date: Thu, 20 Feb 1997 08:56:06 -0500 (EST)
From: Aaron Abelard <aarona@iquest.net>
To: Jim Harmon <jim@telecnnct.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <330B7B36.6E9DAAD9@telecnnct.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Wed, 19 Feb 1997, Jim Harmon wrote:
>
> I know this is rather petty of an issue, but I have users who are very
> set in how they work. The additional login to access our web server
> would not sit well with most of them, but I can see benefits with that
> in place. Primarily that we're starting to think about letting some
> power users and administrative staff do take-home work.
>
> Authentication is absolutely necessary in that regard, so moving that
> direction in general will probably ease the case for allowing the
> piercing of our access envelope.
>
Here's something very on topic for www-security. According to the HTTP/1.0
specification (http://www.ics.uci.edu/pub/ietf/http/rfc1945.html#AA) the
username and password used in Basic Authentication are sent as clear
text. Does this not allow for the possibility of the information being
snooped? Also, are there any authentication schemes in use other than
Basic?
It's one thing to have someone circumvent your security to download free
nudies. To have them rooting through your confidential and proprietary
corporate information is another thing altogether.
--
Aaron Abelard / aarona@iquest.net
IQuest Internet / www.iquest.net
Indianapolis, IN / 317.259.5050.301
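The point raised above (that Basic Authentication carries the password in the clear) is easy to demonstrate. RFC 1945 section 11.1 defines the credential as "Basic" followed by the Base64 encoding of "userid:password"; Base64 is a reversible encoding, not encryption, so anyone who can read the request can recover the password. The following is an added example written for this archive page, not code from either correspondent. The HTTP/1.0 request, host name and credentials in it are constructed for illustration.

```python
import base64
import binascii

# Constructed sample HTTP/1.0 request (not a real capture), shaped the way a
# browser sends it after answering a "401 Unauthorized" Basic challenge.
SAMPLE_REQUEST = (
    "GET /private/report.html HTTP/1.0\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0OnBhc3M=\r\n"
    "User-Agent: Mozilla/3.0\r\n"
    "\r\n"
)


def encode_basic(userid, password):
    """Build the credential as RFC 1945 section 11.1 describes: "Basic" and the
    Base64 of "userid:password". The userid may not contain a colon; the
    password may, which is why decoding must split on the first colon only."""
    if ":" in userid:
        raise ValueError("userid must not contain ':' (RFC 1945 11.1)")
    raw = f"{userid}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value):
    """Reverse the encoding. Returns (userid, password), or None when the
    header is not a well-formed Basic credential (other scheme, bad Base64,
    or no colon separator)."""
    scheme, _, cookie = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not cookie:
        return None
    try:
        raw = base64.b64decode(cookie, validate=True).decode("latin-1")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    userid, _, password = raw.partition(":")  # first colon only
    return userid, password


def parse_headers(request):
    """Return the request's header fields as a dict keyed by lower-cased name.
    The request line is skipped and the body (after the blank line) ignored."""
    head = request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_basic_credentials(request):
    """Scan a raw HTTP request for a Basic Authorization header and return the
    decoded (userid, password), or None. Run over traffic captured from an
    unencrypted link, this shows exactly what a passive observer sees."""
    auth = parse_headers(request).get("authorization")
    if auth is None:
        return None
    return decode_basic(auth)


if __name__ == "__main__":
    creds = find_basic_credentials(SAMPLE_REQUEST)
    print("credentials visible on the wire:", creds)
    # Round trip: re-encoding gives back the header value from the request.
    print(encode_basic(*creds))
```

Two details matter for anyone writing this check for real: the split must be on the first colon only, since RFC 1945 allows colons in the password but not in the userid, and the bytes are decoded as Latin-1 because the RFC predates any agreement on a character set for the credential.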