[Moin-user] HTTP AUTHENTICATION security
nigel.metheringham at dev.intechnology.co.uk
Thu Feb 16 09:06:06 EST 2006
On Thu, 2006-02-16 at 17:49 +0100, Thomas Waldmann wrote:
> > Trouble is, I'm not using SSL. As far as I can see this means that
> > passwords will be transmitted in cleartext from the browser to the
> > server, which is a terrible security hole. Am I correct in this?
> For "http basic auth" this is correct.
> For "http digest auth" it is at least transmitted as MD5(password).
I decided to ignore that in my answer because it needs either a
specially prepared password store or the ability to get at clear text
passwords on the server end - which is definitely not the case when you
are dealing with standard system password stores.
[ Nigel Metheringham Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
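
Added example, not part of the original message: a minimal server-side check of an HTTP digest response in the RFC 2617 form without `qop`, showing why the server needs a store holding MD5(user:realm:password) and why a salted one-way hash from a system-style password store cannot be used to verify it. The realm, nonce, user, password and salt are constructed sample values, and the SHA-256 salted hash merely stands in for a system password hash.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_ha1(user: str, realm: str, password: str) -> str:
    """Entry of a 'specially prepared' digest store (htdigest-style)."""
    return md5_hex(f"{user}:{realm}:{password}")


def expected_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(store: dict, user: str, method: str, uri: str,
                  nonce: str, response: str) -> bool:
    """The server can only recompute the response if the store holds HA1."""
    stored = store.get(user)
    if stored is None:
        return False
    wanted = expected_response(stored, method, uri, nonce)
    return hmac.compare_digest(wanted, response)


# Constructed sample values (assumptions for this example only).
REALM = "wiki"
NONCE = "constructed-nonce-0001"
SALT = b"constructed-salt"

# Digest store: HA1 derived from the clear-text password at enrolment time.
DIGEST_STORE = {"alice": make_ha1("alice", REALM, "s3cret")}
# System-style store: salted one-way hash; HA1 cannot be derived from it.
SYSTEM_STORE = {"alice": hashlib.sha256(SALT + b"s3cret").hexdigest()}


def client_response(user: str, password: str, method: str, uri: str) -> str:
    """What the browser sends: it knows the password, so it can build HA1."""
    return expected_response(make_ha1(user, REALM, password), method, uri, NONCE)


if __name__ == "__main__":
    resp = client_response("alice", "s3cret", "GET", "/FrontPage")
    print("digest store verifies:", server_verify(DIGEST_STORE, "alice", "GET", "/FrontPage", NONCE, resp))
    print("system store verifies:", server_verify(SYSTEM_STORE, "alice", "GET", "/FrontPage", NONCE, resp))
```

The stored HA1 value is password-equivalent for its realm, so a digest store needs the same protection as a clear-text password file.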