[Cryptography] Basic auth a bit too basic
William Allen Simpson
william.allen.simpson at gmail.com
Wed Feb 10 04:48:37 EST 2016
On 2/6/16 2:50 AM, Peter Gutmann wrote:
# Someone just pointed out an interesting problem with HTTP basic auth,
# published in 1999 as RFC 2617 and updated 15 years later as RFC 7617:
On 2/8/16 11:54 AM, Phillip Hallam-Baker wrote:
> At the time, all IETF specs used password in the clear for
> authentication except for Kerberos.
>
Or PPP CHAP (circa 1991). Or swIPe cum IPsec (circa 1992-1993).
Or Photuris (circa 1994-1995).
Sadly, the HTTP folks refused to learn from earlier efforts. I've
always ascribed it to self-censorship in fear of large government
agencies. Or actual pressure. And as we now know, payoffs.
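To make the contrast concrete, here is an added example (not part of the thread) that builds an RFC 7617 Basic credential and shows it is a reversible encoding, then builds an RFC 1994 CHAP exchange in which only a challenge and a hash cross the wire. The user id, password, secret and challenge are constructed sample values; CHAP's MD5 response is still open to offline guessing by an observer, so it is shown only to contrast with Basic's cleartext.

```python
import base64
import hashlib
import hmac


def basic_authorization(userid: str, password: str) -> str:
    """RFC 7617: the credential is just base64(userid ":" password)."""
    token = base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_basic_credentials(header: str) -> tuple[str, str]:
    """Anyone who sees the header on the wire can undo the encoding."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    userid, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return userid, password


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP (MD5): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier recomputes the hash from its own copy of the secret."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def chap_wire_bytes(ident: int, challenge: bytes, response: bytes) -> bytes:
    """Everything an observer sees: identifier, challenge and response, not the secret."""
    return bytes([ident]) + challenge + response


if __name__ == "__main__":
    hdr = basic_authorization("Aladdin", "open sesame")  # sample values from RFC 7617
    print(hdr, "->", recover_basic_credentials(hdr))
    secret, challenge = b"constructed-secret", bytes(range(16))  # constructed sample
    resp = chap_response(1, secret, challenge)
    print("CHAP verified:", chap_verify(1, secret, challenge, resp))
    print("secret on wire:", secret in chap_wire_bytes(1, challenge, resp))
```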