• To: Rich Salz <rsalz@d...>
• Subject: RE: Re: Cookies at XML Europe 2004 -- Call for Particip ation
• From: Elliotte Rusty Harold <elharo@m...>
• Date: Tue, 6 Jan 2004 09:11:13 -0500
• Cc: XML-DEV <xml-dev@l...>
• In-reply-to: <Pine.LNX.4.44L0.0401052326150.4127-100000@s...>
• References: <Pine.LNX.4.44L0.0401052326150.4127-100000@s...>

At 11:32 PM -0500 1/5/04, Rich Salz wrote:

>Then my requirement of limited exposure isn't met.  Even worse, if *any*
>packet is stolen, then my password is exposed.  The only way to prevent
>this is to use SSL for all traffic, which is not always a feasible,
>or even reasonable, trade-off.
>

What you state is only true for the basic authentication scheme. 
Modern browsers and servers support digest authentication which 
securely transmits an encrypted password even over a plain HTTP 
connection. Only the password need be encrypted if the rest of the 
data isn't sensitive, so unnecessary cost is paid. This is described 
in RFC 2617 ftp://ftp.isi.edu/in-notes/rfc2617.txt
-- 

   Elliotte Rusty Harold
   elharo@m...
   Effective XML (Addison-Wesley, 2003)
   http://www.cafeconleche.org/books/effectivexml            
   http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA 

• Follow-Ups:
  • Re: Re: Cookies at XML Europe 2004 -- Call for Particip ation
    • From: Rich Salz <rsalz@d...>

• References:
  • RE: Re: Cookies at XML Europe 2004 -- Call for Particip ation
    • From: Rich Salz <rsalz@d...>

• Prev by Date: Re: Re: Cookies at XML Europe 2004 -- Call for Particip ation
• Next by Date: Re: Another mutated variant of the 'PowerPoint makes youdumb' story
• Previous by thread: RE: Re: Cookies at XML Europe 2004 -- Call for Particip ation
• Next by thread: Re: Re: Cookies at XML Europe 2004 -- Call for Particip ation
• Index(es):
  • Date
  • Thread