[Moin-user] HTTP AUTHENTICATION security
Thomas Waldmann
tw-public at gmx.de
Thu Feb 16 08:50:05 EST 2006
> Trouble is, I'm not using SSL. As far as I can see this means that
> passwords will be transmitted in cleartext from the browser to the
> server, which is a terrible security hole. Am I correct in this?
For "http basic auth" this is correct.
For "http digest auth" it is at least transmitted as MD5(password).
Google finds e.g. this:
http://www.caucho.com/resin-3.0/security/digest.xtp
> is there nothing to be done about this except use SSL?
Guess why everybody wanting a REALLY secure login does it by https. :)