[4550] in WWW Security List Archive


Re: Basic Authentication

daemon@ATHENA.MIT.EDU (Albert Lunde)
Fri Feb 21 04:02:12 1997

To: www-security@ns2.rutgers.edu
Date: Fri, 21 Feb 1997 00:52:10 -0600 (CST)
In-Reply-To: <Pine.GSO.3.95.970220151354.11257e-100000@thebrain.aa.ans.net> from "Brian W. Spolarich" at Feb 20, 97 03:34:09 pm
Reply-To: Albert-Lunde@nwu.edu (Albert Lunde)
From: Albert-Lunde@nwu.edu (Albert Lunde)
Errors-To: owner-www-security@ns2.rutgers.edu

>   That's quite true, and a Known Problem for HTTP/1.0.  The data is sent
> Base64-encoded, but certainly not encrypted, and snoopable.  But no more
> or less snoopable than much of the authentication that's done out there.
> 
>   There's support in HTTP/1.1 [RFC2068] for MD5-based digest
> authentication [RFC2069], which does not transmit the password in the
> clear.  I'm not aware of any publicly-available servers and clients which
> do this, though.  There's also the choice of doing Basic authentication
> over an SSL-encrypted session, which is safe from eavesdropping, and is
> currently implementable.

Digest authentication is also ITAR compatible ;)

Apache and John Frank's wn server do digest authentication.

I _think_ John and someone at Spyglass had the first early implementations
during protocol development, and I recall someone commenting on how
it had missed being in a particular commercial client thru
caution over a change in the spec (a largely backward-compatible
option to support other digest functions.)

(The authors are a bit of a who's who for various organizations.)

http://hopf.math.nwu.edu/digestauth2/

has the code and a test link, if you want to test clients.


-- 
    Albert Lunde                      Albert-Lunde@nwu.edu
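The Basic-versus-Digest contrast discussed in this thread, as an added Python example (not code from either poster, nor from Apache or wn): it decodes a Basic header to show the password is merely Base64-encoded, then computes and verifies the RFC 2069 Digest response, in which only a nonce-bound MD5 hash crosses the wire. The realm, nonce and credentials are constructed sample values; the Basic header is the "Aladdin:open sesame" example from the HTTP specs.

```python
import base64
import hashlib


def decode_basic(header_value):
    """Recover credentials from an HTTP Basic 'Authorization' header value.

    Basic auth is Base64-encoded, not encrypted: whoever can read the
    request (without SSL) can recover the username and password directly.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """Client side of RFC 2069 Digest (the original, pre-RFC 2617 form).

    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2). The password never leaves the client;
    a captured request yields only a hash tied to this server nonce.
    """
    ha1 = _md5("%s:%s:%s" % (user, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s" % (ha1, nonce, ha2))


def server_verifies(stored_ha1, nonce, method, uri, response):
    """Server side: only HA1 needs to be stored, not the cleartext password."""
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s" % (stored_ha1, nonce, ha2)) == response


if __name__ == "__main__":
    # Constructed sample values; the nonce would normally come from the
    # server's WWW-Authenticate challenge.
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    resp = digest_response("alice", "example", "s3cret", "abc123", "GET", "/private/")
    ha1 = _md5("alice:example:s3cret")
    print(resp, server_verifies(ha1, "abc123", "GET", "/private/", resp))
```

A response captured under one nonce does not verify under another, which is what limits replay; the weakness of this early form (no client nonce, no qop) is what RFC 2617 later addressed.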
