On 2014-10-17 17:09, Nils Dagsson Moskopp wrote:
> Roger Hågensen <resca...@emsai.net> writes:
>
>> Also http logins with plaintext transmission of passwords/passphrases
>> need to go away, and is a pet peeve of mine, I detest Basic
>> HTTP-Authentication which is plaintext.
> Note that Basic Auth + HTTPS provides reliable transport security.

This precludes that a site has a certificate, and despite someone like StartSSL giving them out free, sites and forums still do not use HTTPS.
Also, Basic Auth is plaintext, so the server is not Zero Knowledge.


>> Hashing the password (or passphrase) in the client is the right way to
>> go, but currently javascript is needed to make that possible.
> Do you know about HTTP digest authentication?
> <http://en.wikipedia.org/wiki/Digest_access_authentication>

Yes, and it's why I said "Basic HTTP Authentication"; Digest is the better method of HTTP Authentication. And I know that very well, and it's very underdeveloped: there is no logout possible (you stay logged in until the browser session is ended by the user), styling the login is not possible, and it's not as easy to implement with AJAX methods.


--
Roger "Rescator" Hågensen.
Freelancer - http://www.EmSai.net/
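The two schemes the thread compares, as an added example that is not part of the original messages: it builds a Basic `Authorization` header and shows that the credential is fully recoverable from it, then builds a Digest (RFC 2617, MD5, `qop=auth`) exchange in which only a hash crosses the wire and the server verifies it against a stored `HA1`. All names, the realm and the nonce are constructed for the example.

```python
import base64
import hashlib
import hmac

# --- Basic authentication ---------------------------------------------------

def basic_header(username, password):
    """Client side: Basic is just base64(user:password), no secrecy at all."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def basic_recover(header):
    """What anyone who observes the header on plain HTTP gets back."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

# --- Digest authentication (RFC 2617, MD5, qop=auth) --------------------------

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_ha1(username, realm, password):
    """The server stores this instead of the password (it is still
    password-equivalent for this realm, so it is not zero-knowledge)."""
    return md5hex(f"{username}:{realm}:{password}")

def digest_response(ha1, nonce, method, uri, nc, cnonce, qop):
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_digest_fields(username, password, realm, nonce, method, uri,
                         cnonce="0a4f113b", nc="00000001"):
    """Client side: the fields a browser puts in the Digest Authorization
    header. The password itself never appears in them."""
    ha1 = digest_ha1(username, realm, password)
    return {
        "username": username, "realm": realm, "nonce": nonce, "uri": uri,
        "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1, nonce, method, uri, nc, cnonce, "auth"),
    }

def server_verify(stored_ha1, method, fields):
    """Server side: recompute the response from the stored HA1 and compare
    in constant time. The server never needs the plaintext password here."""
    expected = digest_response(stored_ha1, fields["nonce"], method,
                               fields["uri"], fields["nc"], fields["cnonce"],
                               fields["qop"])
    return hmac.compare_digest(expected, fields["response"])

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    user, password, realm = "alice", "correct horse battery staple", "example.org"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce

    hdr = basic_header(user, password)
    print("Basic header :", hdr)
    print("recovered    :", basic_recover(hdr))

    stored_ha1 = digest_ha1(user, realm, password)   # what the server keeps
    fields = client_digest_fields(user, password, realm, nonce, "GET", "/private")
    print("Digest fields:", fields)
    print("password on wire?", password in " ".join(fields.values()))
    print("server accepts:", server_verify(stored_ha1, "GET", fields))
```

The Digest response is bound to the server nonce, so a captured header is only replayable while that nonce is accepted; the server must expire nonces and check `nc` to get that benefit. The hash is unsalted MD5 of `user:realm:password`, which is why a stolen `HA1` table is about as bad as a stolen password table for that realm, and why RFC 7616 added SHA-256 variants.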
