Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Nick Sabalausky SeeWebsiteToContactMe at semitwist.com
Sat Apr 12 19:37:08 PDT 2014


On 4/12/2014 10:02 PM, Adam D. Ruppe wrote:
> On Saturday, 12 April 2014 at 21:18:26 UTC, Nick Sabalausky wrote:
>> Never storing or transmitting password in plain text is not only
>> basic, obvious and to be expected, but it is THE most basic, obvious
>> and to-be-expected principle that exists in computer security.
>
> ... and it is also the most common way passwords are sent in internet
> protocols.
>
> * SMTP and HTTP will base64 encode it with their basic auth but that's it
>
> * web sites typically transmit it completely open
>
>
> There's SSL now that gets more traction, but if you expect a password
> NOT to be sent in something trivially converted to plain text, wake up
> and smell the RFC.

Well yeah, internet protocols tend to use SSL/TLS *as* the password 
encryption. I think that's fine and good as long as SSL/TLS is actually 
used, especially since it means the rest of the data is automatically 
encrypted too, not just the password. It's also nice because it means 
the various protocols don't have to reinvent their own counterpart to 
SSL/TLS and risk doing so poorly. People know plain-text-password 
protocols require an encrypted tunnel, but a broken poorly-designed 
protocol-specific password encryption scheme is more easily mistaken as 
a suitable substitute for SSL/TLS.
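Added example, not code from either poster in this thread: it makes the "trivially converted to plain text" point concrete for HTTP Basic auth (RFC 7617, Base64 of `user:pass`) by recovering the credentials from a captured request, and then shows the one check that actually matters under Nick's argument, refusing to emit the header unless the transport is TLS. The request, the user name and the password are constructed for the example; `recover_basic_credentials` and `authorization_header_for` are hypothetical helper names.

```python
"""
Added example (not from the Digitalmars-d thread): HTTP Basic auth is
encoding, not encryption, so a passive observer of a non-TLS connection
gets the password back with one base64 decode.  The only protection is
the tunnel, so the sending side should refuse to use the scheme without it.
"""
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample: what a Basic-auth request looks like on the wire
# without TLS.  The credentials are made up for this example.
CAPTURED_REQUEST = (
    "GET /private HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Authorization: Basic YWxpY2U6Y29ycmVjdCBob3JzZSBiYXR0ZXJ5\r\n"
    "\r\n"
)


def build_basic_auth(username: str, password: str) -> str:
    """RFC 7617 Authorization value: Base64 of 'user:pass'.  No secrecy."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_basic_credentials(raw_request: str):
    """What a sniffer does: find the Authorization header in a captured
    request and decode it.  Returns (username, password), or None when
    there is no well-formed Basic header."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None  # Digest, Bearer, etc.: not decodable this way
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, colon, pwd = decoded.partition(":")
        return (user, pwd) if colon else None
    return None


def authorization_header_for(url: str, username: str, password: str,
                             allow_loopback: bool = False) -> str:
    """Client-side guard: only hand out Basic credentials when the URL
    scheme guarantees a TLS tunnel (or, if explicitly allowed, when the
    target is loopback and never leaves the host).  Raises otherwise."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return build_basic_auth(username, password)
    loopback = parts.hostname in ("localhost", "127.0.0.1", "::1")
    if allow_loopback and parts.scheme == "http" and loopback:
        return build_basic_auth(username, password)
    raise ValueError(
        f"refusing to send Basic credentials over "
        f"{parts.scheme or 'unknown'}://{parts.hostname}: no TLS"
    )


if __name__ == "__main__":
    print(recover_basic_credentials(CAPTURED_REQUEST))
    print(authorization_header_for("https://example.com/private", "alice", "pw"))
```

The same reasoning applies to SMTP `AUTH PLAIN`/`AUTH LOGIN`, which are also Base64-wrapped plaintext; the guard there is the client refusing to authenticate until `STARTTLS` has completed.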


