Re: No More Passwords In The Clear in HTTP!

Brian Behlendorf (
Tue, 10 Jan 1995 01:19:24 +0100

On Mon, 9 Jan 1995, Daniel W. Connolly wrote:
> Why is this nifty proposal tucked away in a corner? Why didn't I hear
> about it before now? I thought I was pretty tuned in to this sort of
> thing...

Eric from Spyglass posted to www-talk a proposal for using MD5 encryption
in a system like this a few weeks ago - it looked solid, and I'm waiting
for a server and a browser to implement it (WN and Arena maybe?) so I can
set it up for HotWired.

> The reason I believed this was that real security is to expensive to
> develop to give away (and it almost always requires a license of some
> kind...).

Only until 1997! :)

> This message is a call to eliminate passwords-in-the-clear from HTTP.
> This means the browser developers should implement something like the
> spyglass proposal (it looks like a few hours more work to upgrade to
> this from the existing basic auth. scheme), and subscription-based
> information providers should _strongly_ encourage their user base to
> upgrade. Something like:
> "Please upgrade to a browser that doesn't send passwords in
> the clear (such as... links to recommended browsers.). In 6
> months, we will not be accepting Basic authentication."

>From a quick glance at the list of browsers used on our site, less than
%2 are more than 4 months behind the current rev of their browser, so I
don't see that as a huge issue. However the above statement implies that a
server can negotiate which type of authentication can be used:

S: Here's a challenge. Encrypt it.
C: Huh?
S: oh, nevermind. Send me your uuencoded password.
C: okay, here goes....

..which doesn't seem to be in the specs anywhere. I'd prefer not to
have two separate URL's for different authentication schemes, though I
could hack around that by keeping around a list of browsers implementing