[4548] in WWW Security List Archive
Re: Basic Authentication
daemon@ATHENA.MIT.EDU (David Tauzell)
Fri Feb 21 01:45:23 1997
Date: Thu, 20 Feb 1997 21:50:23 -0600 (CST)
From: David Tauzell <tauzell@math.umn.edu>
To: Aaron Abelard <aarona@iquest.net>
cc: Jim Harmon <jim@telecnnct.com>, www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SV4.3.91.970220084052.24549E-100000@iquest4>
Errors-To: owner-www-security@ns2.rutgers.edu
>
> Here's something very on topic for www-security. According to the HTTP/1.0
> specification (http://www.ics.uci.edu/pub/ietf/http/rfc1945.html#AA) the
> username and password used in Basic Authentication are sent as clear
> text. Does this not allow for the possibility of the information being
> snooped? Also, are there any authentication schemes in use other than
> Basic?
>
Message Digest authentication encrypts the username and password. The
only problem is that no browser that I know of supports it.
> It's one thing to have someone circumvent your security to download free
> nudies. To have them rooting through your confidential and proprietary
> corporate information is another thing altogether.
>
This is the case with most of the UNIX remote programs such as ftp,
telnet, rsh, rcp ...
---
David Tauzell. I like unix.
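
Added example, not part of the original message: a Python sketch of what each scheme discussed in this thread puts on the wire. Basic sends base64 of "user:password", which anyone who captures the header can reverse; Digest (in its 1997 form, RFC 2069) sends an MD5 hash bound to a server nonce. The user, realm, password, nonce and URI values are constructed for illustration.

```python
import base64
import hashlib
import hmac

def basic_header(user, password):
    # Basic: base64("user:password"). This is an encoding, not encryption.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def recover_from_basic(header):
    # What a passive observer of the request can do with a captured header.
    _scheme, token = header.split(" ", 1)
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _md5(text):
    # MD5 is what the scheme specifies; shown for the wire format only.
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2069: response = MD5(HA1 ":" nonce ":" HA2)
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def server_verify(stored_ha1, method, uri, nonce, response):
    # The server keeps HA1, recomputes the response and compares.
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample values.
    user, realm, pw = "alice", "intranet", "s3cret"
    hdr = basic_header(user, pw)
    print(hdr, "->", recover_from_basic(hdr))
    r1 = digest_response(user, realm, pw, "GET", "/reports/", "nonce-0001")
    r2 = digest_response(user, realm, pw, "GET", "/reports/", "nonce-0002")
    print("digest responses for two nonces:", r1, r2)
    ha1 = _md5(f"{user}:{realm}:{pw}")
    print("verifies:", server_verify(ha1, "GET", "/reports/", "nonce-0001", r1))
```

Digest keeps the password itself off the wire and ties each response to a nonce, but the request and the returned page still travel unencrypted.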