Re: No More Passwords In The Clear in HTTP!

Brian Behlendorf (brian@wired.com)
Mon, 9 Jan 1995 12:24:07 -0800 (PST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Brian Behlendorf: "Re: No More Passwords In The Clear in HTTP!"
Previous message: Daniel W. Connolly: "No More Passwords In The Clear in HTTP!"
In reply to: Daniel W. Connolly: "No More Passwords In The Clear in HTTP!"
Next in thread: Brian Behlendorf: "Re: No More Passwords In The Clear in HTTP!"

On Mon, 9 Jan 1995, Daniel W. Connolly wrote:
> Why is this nifty proposal tucked away in a corner? Why didn't I hear
> about it before now? I thought I was pretty tuned in to this sort of
> thing...

Eric from Spyglass posted to www-talk a proposal for using MD5 encryption 
in a system like this a few weeks ago - it looked solid, and I'm waiting 
for a server and a browser to implement it (WN and Arena maybe?) so I can 
set it up for HotWired.

> The reason I believed this was that real security is to expensive to
> develop to give away (and it almost always requires a license of some
> kind...).

Only until 1997!  :)

> This message is a call to eliminate passwords-in-the-clear from HTTP.
> This means the browser developers should implement something like the
> spyglass proposal (it looks like a few hours more work to upgrade to
> this from the existing basic auth. scheme), and subscription-based
> information providers should _strongly_ encourage their user base to
> upgrade. Something like:
> 
> 	"Please upgrade to a browser that doesn't send passwords in
> 	the clear (such as... links to recommended browsers.). In 6
> 	months, we will not be accepting Basic authentication."

Next message: Brian Behlendorf: "Re: No More Passwords In The Clear in HTTP!"
Previous message: Daniel W. Connolly: "No More Passwords In The Clear in HTTP!"
In reply to: Daniel W. Connolly: "No More Passwords In The Clear in HTTP!"
Next in thread: Brian Behlendorf: "Re: No More Passwords In The Clear in HTTP!"