Cart
[Home] [By Thread] [By Date] [Recent Entries]
> > password over the wire. It's worse because
>
> Arrgh!
See what happened -- I stopped typing to let my brain catch up, and it
never did.... :)
Digest is worse because it never spec'd anything other than MD5, although
it allowed "space" in the protocol for it. (SHA was published a
half-dozen years before.) Unless the browser serializes requests (i.e.,
one image at a time), full integrity protection with digest usually [not
always, see the last part of section 3.2.3 of RFC 2617 and sec 4.5 on
replay] doubles the number of HTTP messages. At that point, you might as
well give up and use SSL/TLS, and once you've done that, the temptation to
use basic-auth (but mom, everybody else does) is too generally too great
to resist.
/r$
--
STSM, WebSphere Appliance Architect
https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] |
