On Mon, Apr 27, 2020 at 7:14 AM Michael Thomas <mike@mtcc.com> wrote:
On 4/26/20 8:39 PM, Matt Palmer wrote:
On Sun, Apr 26, 2020 at 05:10:56PM -0700, Michael Thomas wrote:
Which has exactly zero deployment. And you need to store the plain-text password on the server side. What could possibly go wrong?

But you said that *passwords on the wire* were the biggest problem. Digest auth solves that. Also, you don't have to store the plain-text password.
Correct. You need only store the realm/user/password digest. The chief problem with digest authentication is that the web site has no control over the UI. Among the many issues, this makes it tricky to reliably capture a digest in the first place without the server at least briefly knowing the password. I don't know if webauthn corrects this or makes similar blunders.
You clearly know everything, while Steven, Paul, myself and the collective wisdom of w3c know nothing, so I'm out.
Respectfully, if you didn't know that HTTP digest authentication doesn't require server-side password storage, and more importantly don't simply admit it now that you've been informed, how trustworthy can your understanding of web authentication be? I can't speak to Steven, Paul, the w3c or any other non-posters to this thread that you wish to employ in an appeal-to-authority fallacy, but with due respect, I think you hold a myopic view of network security. For better or worse, security is a zero-sum game. The budget stays proportional to the value of the asset being protected. When you spend it on low-impact improvements you don't have it for the many improvements with a higher impact than whether a web site knows the password you chose for that web site.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
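As an added illustration of the point made above about storing only the realm/user/password digest (example code written for this page, not from any poster in the thread): the server sees the password once at enrollment, keeps only HA1 = MD5(user:realm:password), and can still verify an RFC 2617 `qop=auth` response with nothing but that stored value. The realm, usernames, nonces and passwords below are constructed sample values.

```python
import hashlib
import hmac
import secrets

REALM = "example.org"  # constructed sample realm


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def enroll(username: str, password: str, realm: str = REALM) -> str:
    """Run once at account creation. This is the only moment the server
    handles the plain-text password; afterwards it stores just HA1.
    Caveat: HA1 is password-equivalent for this realm, so the stored
    digest needs the same protection as any credential store."""
    return md5_hex(f"{username}:{realm}:{password}")


def challenge() -> str:
    """Server-side nonce for the WWW-Authenticate header (fresh per challenge)."""
    return secrets.token_hex(16)


def client_response(username: str, password: str, realm: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """What the browser computes from the user's typed password (qop=auth)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_verify(ha1_stored: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Verification uses only the stored HA1, never the password itself.
    A real server must also check that the nonce was issued by it and that
    the nonce-count has not been replayed; that bookkeeping is omitted here."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1_stored}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)


def demo() -> tuple[bool, bool]:
    """Round trip: enrollment, challenge, client response, server check."""
    stored = enroll("alice", "correct horse battery staple")  # only HA1 is kept
    nonce = challenge()
    good = client_response("alice", "correct horse battery staple", REALM,
                           "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    bad = client_response("alice", "wrong password", REALM,
                          "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    return (server_verify(stored, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b", good),
            server_verify(stored, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b", bad))
```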