Re: Insecure WWW Access Authorization Protocol?

Sarr Blumson <>
Date: Tue, 8 Mar 1994 23:33:36 --100
Message-id: <>
Precedence: bulk
From: Sarr Blumson <>
To: Multiple recipients of list <>
Subject: Re: Insecure WWW Access Authorization Protocol? 
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
Content-Length: 1156

Tony Sanders says:
  michael shiplett writes:
  > "ts" == Tony Sanders <sanders@BSDI.COM> writes:
  >   The URL is as trustworth as the source of the URL--whether the
  > source is in or out of band.
  If you cannot trust the server reply to get the realm information from
  then why do you think you can trust the URL?  You have exactly the
  same problems as when you started.
I think we're munging two different things here.  Michael is willing to 
trust whoever gave him the URL pointing to, for example,, and believes that has what he wants.  
What he wants the security mechanisms to do for him is guarantee that 
the server he ends up talking to really _is_, and not 
some imposter who has attacked the intervening cable.

I believe this is important because Michael is thinking about using 
forms to put confidential data into his server, so spoofing the server 
is more than just a denial of service.

Sarr Blumson               
voice: +1 313 764 0253               FAX: +1 313 763 4434
CITI, University of Michigan, 519 W William, Ann Arbor, MI 48103-4943