Re: No More Passwords In The Clear in HTTP!

Jon E. Mittelhauser (jonm@mcom.com)
Tue, 10 Jan 1995 03:46:20 +0100

At 01:06 AM 1/10/95 +0100, Daniel W. Connolly wrote:

>This was something of an eye-opener. It's so simple. We should have
>been doing this all along. There was never any reason to send
>passwords in the clear (well, uuencoded), given HTTP's two-round-trip
>authentication mechanism.
>
>Why is this nifty proposal tucked away in a corner? Why didn't I hear
>about it before now? I thought I was pretty tuned in to this sort of
>thing...

This proposal utilizes RSA MD5 encryption. If you have this
capability, why not go all the way to SSL (or SHTTP)? It would
make much more sense.

>For the longest time, I was under the impression that the web user
>base would have two choices:
>
> 1. Use a free browser, and access only public information, or
> send your password essentially in the clear to subscribe to
> for-pay info.
>
> 2. Use a commercial browser that supports the security
> options (SHTTP, SSL, kerberos...) supported by the services
> you use.
>
>The reason I believed this was that real security is to expensive to
>develop to give away (and it almost always requires a license of some
>kind...).

I don't see how this proposal fixes this problem. It requires MD5 which
will require a license from RSA. How does this not fall into your class
2 space? As long as I am in that space, I would much prefer a protocol
which has been widely adopted by the financial community (e.g. SSL).

-Jon