[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

BOOK MD5 authentication

From: Charles Fry <cfry_at_ece.cmu.edu>
Date: 2004-10-01 06:30:59 CEST

First of all, let me thank you for your great book. It is a fantastic
resource, that I have come to greatly appreciate.

That said, your Basic HTTP Authentication section is both incomplete and
misleading. :-o

You say:

"One word of warning: HTTP Basic Auth passwords pass in very nearly
plain-text over the network, and thus are extremely insecure. If you're
worried about password snooping, it may be best to use some sort of SSL
encryption, so that clients authenticate via https:// instead of
http://; at a bare minimum, you can configure Apache to use a
self-signed server certificate."

This would be true, if 'AuthType Basic' were the only available
authentication option. However, [1]mod_auth_digest allows the use of
'AuthType Digest', which "provides a more secure password system than
Basic authentication."

1. http://httpd.apache.org/docs-2.0/mod/mod_auth_digest.html

If the only goal is to avoid passing a plaintext paassword over the
netwrok, 'AuthType Digest' is a far simpler solution to HTTPS. In fact,
if I were you I would use AuthType Digest as your primary example,
perhaps mentioning in passing that it is also possible to be less
secure.

Thanks again for all the work that you have put into an excellent
version control system and reference.

Charles 

-- 
Cheer up face
The war is past
The "h" is out
Of shave
At last
Burma-Shave
http://frogcircus.org/burmashave/1930/cheer_up_face
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Oct 1 06:36:36 2004

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.