[owasp-intrinsic-security] HTTP Authentication

Jim Manico jim.manico at aspectsecurity.com
Sun Nov 2 20:49:55 EST 2008

HTTP Basic essentially sends the password in plaintext with each
request. Same with digest, I think.

These 2 standards are just horrible and need to be avoided.

Am I wrong?

- Jim

-----Original Message-----
From: owasp-intrinsic-security-bounces at lists.owasp.org
[mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
Bil Corry
Sent: Thursday, October 30, 2008 11:35 AM
To: owasp-intrinsic-security at lists.owasp.org
Subject: [owasp-intrinsic-security] HTTP Authentication

Another area of browser security that could use some help is HTTP
Authentication; specifically, there isn't a straightforward way to
"logout" the user -- that is, tell the browser to stop sending the
authentication header.  In some browsers (all?), you actually have to
quit the browser entirely to do it.

From the user's perspective, one welcome change would be that closing all
windows associated with the site terminates sending the authentication
header on future visits to the site.

- Bil
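Added example, not from the OWASP thread or either poster: a small Python helper illustrating the two points above. It shows that a `Authorization: Basic` header is just base64 of `user:password` and decodes in one call (Jim's point), classifies request metadata so a defender can flag Basic credentials sent without TLS, and builds the 401 challenge that makes a browser start re-sending the header, for which there is no counterpart header to make it stop (Bil's point). The sample requests and all function names are constructed for illustration.

```python
"""Inspect HTTP Basic credentials and flag them on non-TLS requests.

Added example, not code from the OWASP mailing-list thread. The sample
requests and helper names are constructed for illustration.
"""
import base64
import binascii
from typing import Dict, List, Optional, Tuple


def parse_basic_authorization(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic ...' value.

    Basic is base64(user ":" password); the decode below is all that stands
    between the header and the cleartext credential, which is why the header
    is only acceptable inside TLS. Returns None if the value is malformed.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # the colon separator is mandatory
        return None
    return user, password


def auth_scheme(headers: Dict[str, str]) -> Optional[str]:
    """Lower-cased scheme name of the Authorization header, or None."""
    value = headers.get("authorization")
    if not value:
        return None
    return value.split(None, 1)[0].lower()


def classify_request(headers: Dict[str, str], tls: bool) -> str:
    """Label one request for a review or a detection rule.

    'basic-cleartext'  Basic credential on plain HTTP: the password crossed
                       the wire recoverable by anyone on the path.
    'basic-tls'        Basic credential, but wrapped in TLS.
    '<scheme>'         some other Authorization scheme (reported by name).
    'anonymous'        no Authorization header at all.
    """
    scheme = auth_scheme(headers)
    if scheme is None:
        return "anonymous"
    if scheme == "basic":
        return "basic-tls" if tls else "basic-cleartext"
    return scheme


def challenge_response(realm: str) -> Tuple[int, Dict[str, str]]:
    """The 401 that makes a browser prompt for, and then keep sending, Basic
    credentials for this realm. There is no header telling the browser to
    stop sending them, which is the logout gap the thread describes."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}


# Constructed sample traffic (not real logs); header names lower-cased.
# "YWxpY2U6czNjcmV0" is base64 of "alice:s3cret".
SAMPLE_REQUESTS: List[Tuple[Dict[str, str], bool]] = [
    ({"host": "intranet.example", "authorization": "Basic YWxpY2U6czNjcmV0"}, False),
    ({"host": "intranet.example", "authorization": "Basic YWxpY2U6czNjcmV0"}, True),
    ({"host": "intranet.example", "authorization": 'Digest username="alice"'}, True),
    ({"host": "intranet.example"}, True),
    ({"host": "intranet.example", "authorization": "Basic not*base64"}, False),
]


def review(requests=SAMPLE_REQUESTS) -> List[Tuple[str, Optional[str]]]:
    """(label, username if recoverable from the header) for each request."""
    results = []
    for headers, tls in requests:
        label = classify_request(headers, tls)
        user = None
        if label.startswith("basic"):
            parsed = parse_basic_authorization(headers["authorization"])
            user = parsed[0] if parsed else None
        results.append((label, user))
    return results


if __name__ == "__main__":
    for label, user in review():
        print(label, user)
```

Run stand-alone it prints one label per sample request; the first line reports `basic-cleartext alice`, i.e. the credential was fully recoverable from a plain-HTTP request. The classifier is what you would wire into a proxy log review; the `WWW-Authenticate` builder is there to show that the only knob the server has is to issue the challenge, not to withdraw it.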
