[Moin-user] HTTP AUTHENTICATION security

Nigel Metheringham nigel.metheringham at dev.intechnology.co.uk
Thu Feb 16 09:06:06 EST 2006


On Thu, 2006-02-16 at 17:49 +0100, Thomas Waldmann wrote:
> > Trouble is, I'm not using SSL.  As far as I can see this means that 
> > passwords will be transmitted in cleartext from the browser to the 
> > server, which is a terrible security hole.  Am I correct in this?
> 
> For "http basic auth" this is correct.
> 
> For "http digest auth" it is at least transmitted as MD5(password).

I decided to ignore that in my answer because it needs either a
specially prepared password store or the ability to get at clear text
passwords on the server end - which is definitely not the case when you
are dealing with standard system password stores.

	Nigel.
-- 
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]






More information about the Moin-user mailing list