[Cryptography] Basic auth a bit too basic

William Allen Simpson william.allen.simpson at gmail.com
Wed Feb 10 04:48:37 EST 2016


On 2/6/16 2:50 AM, Peter Gutmann wrote:
# Someone just pointed out an interesting problem with HTTP basic auth,
# published in 1999 as RFC 2617 and updated 15 years later as RFC 7617:

On 2/8/16 11:54 AM, Phillip Hallam-Baker wrote:
> At the time, all IETF specs used password in the clear for
> authentication except for Kerberos.
>
Or PPP CHAP (circa 1991).  Or swIPe cum IPsec (circa 1992-1993).
Or Photuris (circa 1994-1995).

Sadly, the HTTP folks refused to learn from earlier efforts.  I've
always ascribed it to self-censorship in fear of large government
agencies.  Or actual pressure.  And as we now know, payoffs.
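As an added illustration of the contrast drawn above (this is not code from the thread or from any of the specifications it names), the following Python shows why a Basic credential is "password in the clear" even though it is base64-encoded, and how a PPP CHAP (RFC 1994) round keeps the secret off the wire by sending only a digest over a fresh challenge. The user name, secret and identifier are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credentials; not taken from the thread.
USER = "alice"
SECRET = "correct horse battery staple"


def basic_auth_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization value: 'Basic ' + base64(user ':' password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_basic_credentials(header_value: str) -> tuple[str, str]:
    """Decode a Basic credential. Base64 is an encoding, not a cipher, so anyone
    who can read the unencrypted request gets the password back verbatim: this is
    what 'in the clear' means for Basic auth without TLS."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP response as RFC 1994 specifies it: MD5(identifier || secret || challenge).
    MD5 is used here because that is what the RFC defines, not as a recommendation."""
    return hashlib.md5(bytes([identifier]) + secret.encode("utf-8") + challenge).digest()


def chap_exchange(secret_store: dict, user: str, peer_secret: str, identifier: int = 1) -> bool:
    """Simulate one CHAP round between an authenticator holding secret_store
    and a peer that knows peer_secret. Only the challenge and the digest would
    cross the link; the secret itself never does. Note the trade-off: the
    authenticator must keep the plaintext secret to recompute the digest."""
    challenge = os.urandom(16)                                  # authenticator -> peer
    response = chap_response(identifier, peer_secret, challenge)  # peer -> authenticator
    expected = chap_response(identifier, secret_store[user], challenge)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    header = basic_auth_header(USER, SECRET)
    print("on the wire:", header)
    print("recovered by an observer:", recover_basic_credentials(header))
    print("CHAP with correct secret:", chap_exchange({USER: SECRET}, USER, SECRET))
    print("CHAP with wrong secret:  ", chap_exchange({USER: SECRET}, USER, "guess"))
```

Two points the code makes concrete: the observer of a Basic credential needs no key or computation beyond base64 decoding, whereas a CHAP observer sees only a digest bound to a one-time challenge, so a captured response is useless for a later round with a different challenge.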
