passwords to CGI

Paul Rubin phr-n2002b at NOSPAMnightsong.com
Tue Jan 14 07:03:23 EST 2003


Erik Max Francis <max at alcyone.com> writes:
> > You should stop looking for kludgy workarounds and fix whatever is
> > wrong with POST.  POST is the right way to deal with this type of
> > thing.  Otherwise the password appears not only in the browser but
> > also in the server http log.
> 
> Ultimately the password is flying around the Internet in plaintext. 
> This is simply not acceptable for many applications.  The proper,
> complete solution is HTTP over SSL.

It's ok for some applications but not others.  That's a matter for the
application developer to decide.  Think of how many unencrypted voice
phone calls are made every day.  Those are also vulnerable to (legal or
illegal) wiretapping, but most people think phones are secure enough
for most conversations.

> > Alternatively, instead of submitting a password to a cgi, use HTTP
> > Basic authentication.  That lowers your UI flexibility a little bit,
> > but makes the server side programming a little simpler.
> 
> HTTP authentication still has passwords flying around in plaintext,
> however.

If you're using SSL, then it encrypts any HTTP Basic auth passwords
just like it encrypts the other http traffic.

Either way, SSL doesn't solve the problems that result from submitting
passwords with GET instead of POST.

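The two mechanisms compared in this thread, as an added example that is not part of the original post or of any code by its authors: a minimal CGI-style login handler that shows why a password sent in a GET query string ends up in the server's access log, while a POST form body or an HTTP Basic Authorization header does not (the wire is still plaintext without SSL, which is the separate point made above). The request data, the user name, the log format and the helper names are constructed for illustration.

```python
"""Added example (not from the original post): GET vs POST vs HTTP Basic
auth for submitting a password to a CGI, and what reaches the access log.
All request data and names below are constructed for illustration."""
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlsplit

_PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; the store never holds the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)


# Constructed credential store: {user: (salt, hash)}.  "alice"/"hunter2" is a
# made-up account for the demo.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("hunter2", _SALT))}
_DUMMY_SALT, _DUMMY_HASH = b"\0" * 16, b"\0" * 32


def verify_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash.  Unknown users still
    pay for a PBKDF2 run so response time does not reveal which names exist."""
    salt, stored = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    return match and user in USERS


def access_log_line(method: str, request_target: str, status: int) -> str:
    """Common-Log-Format style line a typical server writes: the method and
    the whole request-target (path *and* query string), but never the request
    body or the Authorization header."""
    return (f'127.0.0.1 - - [14/Jan/2003:07:03:23 -0500] '
            f'"{method} {request_target} HTTP/1.1" {status} -')


def basic_auth_header(user: str, password: str) -> str:
    """Build the value of an 'Authorization: Basic ...' header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: str):
    """Decode 'Basic <base64(user:password)>' into (user, password), or None
    if the scheme is wrong or the token is malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle_login(method: str, request_target: str, headers: dict, body: bytes = b""):
    """Minimal CGI-style login dispatcher.  Returns (status, access_log_line).

    Order of preference: Basic auth header, then a POST form body.  A password
    arriving in a GET query string is refused with 400, because by the time
    this code runs the server has already written it to the access log."""
    parts = urlsplit(request_target)
    if parts.path != "/login":
        return 404, access_log_line(method, request_target, 404)

    creds = None
    if "Authorization" in headers:
        creds = parse_basic_auth(headers["Authorization"])
    elif method == "POST":
        form = parse_qs(body.decode("utf-8"))
        if "user" in form and "password" in form:
            creds = (form["user"][0], form["password"][0])
    elif method == "GET" and "password" in parse_qs(parts.query):
        return 400, access_log_line(method, request_target, 400)

    ok = creds is not None and verify_password(*creds)
    status = 200 if ok else 401
    return status, access_log_line(method, request_target, status)


if __name__ == "__main__":
    # Constructed requests: the GET variant leaks the password into the log.
    for args in (("GET", "/login?user=alice&password=hunter2", {}),
                 ("POST", "/login", {}, b"user=alice&password=hunter2"),
                 ("GET", "/login", {"Authorization": basic_auth_header("alice", "hunter2")})):
        status, line = handle_login(*args)
        print(status, line)
```

Run it and compare the three log lines: only the GET request leaves "hunter2" in the log. Basic auth keeps the password out of the log as well, but, as the thread says, the header is just base64 and is plaintext on the wire unless the connection is SSL.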

More information about the Python-list mailing list