httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r..@ai.mit.edu (Robert S. Thau)
Subject Re: Patch to allow use of password file as auth DB (from USENET)
Date Mon, 08 May 1995 10:35:18 GMT
   Date: Mon, 08 May 1995 01:23:06 -0700
   From: "Roy T. Fielding" <fielding@avron.ics.uci.edu>

   Ummmm, just to pick a little nit, this is a really bad idea from
   the point of security.  The Basic AA is bad enough, but to encourage
   users to pass their real system passwords through HTTP en claire is
   quite irresponsible.

Hmmm... just as a reality check, support for encrypted rlogin, telnet
and ftp is hardly universal yet, so many sites are still sending
passwords 'en claire' through those rather more prominent protocols.
On the other hand, I suppose I can see the point to keeping out a
feature which makes the problem worse...

rst

Mime
View raw message