The classic mailing list for XML developers

Tei | 1 Feb 2012 12:22

Re: RE: Encoding charset of HTTP Basic Authentication

On 30 January 2012 15:44, David Lee <dlee <at> calldei.com> wrote:
> Were back to the problem that SSL doesn't solve the problem (today)  it was
> originally intended to solve.   But it happens to solve *this* problem (as
> long as you ignore the fact that both ends may be insecure - in which case
> all bets are off).
>
> But yes the crux is that Authentication in pure HTTP is either insecure or
> hard.
> That's just the way it is (as far as I know).
>
> <rant>
> This is why a particular annoyance of mine is the false-sense-of-security of
> CA signed certificates.
> If browsers didn't put up an ugly warning about how scary a self-signed
> certificate was then more people would use SSL and the internet would be
> more secure.
> But if you use plain HTTP you don't get a warning - just insecurity.
> Why is it like this ? My only guess ... "Follow the money ..." ?
>
> </rant>
>

Security conscient people seems to not like this idea, because MITM
attacks are easy with selfsigned certs.

Then recently some rogue certificates where generated, for google and
other domains.   The next time you pay something with Paypal, you
could be using some mitm Iranian server, or perhaps some CIA server.

For two years USA was reading Megavideo CEO emails. So storage is

(Continue reading)

headers

David Lee | 1 Feb 2012 12:50

RE: RE: Encoding charset of HTTP Basic Authentication

===> Tei sez 
Security conscient people seems to not like this idea, because MITM
attacks are easy with selfsigned certs.
<====

Of course its not perfect, practically nothing is.
But my point is using SSL with self-signed certificates is more vastly more secure than using HTTP with
plain text. But the browsers give a Horrendously scary warning if you use SSL with self-signed
certificates and say nothing at all for plain text HTTP (except the lack of a microscopic lock icon).
This leads many (most?) web site developers to just stick to plain HTTP.  Thus decreasing security overall
I simply don't understand that.

-David

----------------------------------------
David A. Lee
dlee <at> calldei.com
http://www.xmlsh.org

_______________________________________________________________________

XML-DEV is a publicly archived, unmoderated list hosted by OASIS
to support XML implementation and development. To minimize
spam in the archives, you must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Or unsubscribe: xml-dev-unsubscribe <at> lists.xml.org
subscribe: xml-dev-subscribe <at> lists.xml.org
List archive: http://lists.xml.org/archives/xml-dev/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php

(Continue reading)