gnu-arch-users

Re: [Gnu-arch-users] Re: WebDAV


From: Andrew Suffield
Subject: Re: [Gnu-arch-users] Re: WebDAV
Date: Sat, 10 Apr 2004 02:36:35 +0100
User-agent: Mutt/1.5.5.1+cvs20040105i

On Fri, Apr 09, 2004 at 08:26:36PM +0100, Robin Green wrote:
> On Fri, Apr 09, 2004 at 02:00:37PM -0400, Eric S. Johansson wrote:
> > OK, this looks fairly simple.  In its raw form it's probably read/write 
> > without authentication from your comments about .htaccess.  First 
> > question: how can we make it more failsafe to prevent unintended 
> > unrestricted write access?  Second, what authentication systems can we 
> > use that aren't so fragile as HTTP basic authentication?
> 
> HTML forms or whatever you want, over HTTPS?
> 
> But then, unless you pay a well-known CA, you have the "man in the middle
> stealing your password using a fake certificate" vulnerability, which is
> why it's better to use sftp IMO.

The well-known CAs are so insecure that they're laughable. If you want
something approximating real security for your session, you're going
to have to verify the key in some other fashion (simple way is to
check the fingerprint by hand, like you do with ssh).

SSL on the internet at large is nothing more than a comfort blanket;
it doesn't add any significant security in its conventional uses.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |

Attachment: signature.asc
Description: Digital signature
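
Added example, not part of the original message: a Python sketch of the "check the fingerprint by hand" approach applied to a TLS server certificate, where a fingerprint obtained out of band replaces CA validation. It assumes the fingerprint is SHA-256 over the DER-encoded certificate; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex as a person would type it."""
    cleaned = fp.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return cleaned


def matches_pin(der_cert: bytes, pinned_fp: str) -> bool:
    """True only if the presented certificate is exactly the pinned one."""
    return hmac.compare_digest(fingerprint(der_cert), normalize(pinned_fp))


def connect_pinned(host: str, port: int, pinned_fp: str) -> ssl.SSLSocket:
    """Open a TLS connection that trusts the pin instead of any CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # CA chain and name checks are replaced
    ctx.verify_mode = ssl.CERT_NONE  # by the fingerprint comparison below
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    # Compare before any credentials or data are sent over the connection.
    if not matches_pin(sock.getpeercert(binary_form=True), pinned_fp):
        sock.close()
        raise ssl.SSLError("certificate fingerprint does not match the pin")
    return sock


if __name__ == "__main__":
    # Constructed stand-in bytes; a real run would use the server's DER certificate.
    sample = b"constructed-sample-der-bytes"
    typed = ":".join(fingerprint(sample).upper()[i:i + 2] for i in range(0, 64, 2))
    print(matches_pin(sample, typed))         # same certificate
    print(matches_pin(sample + b"x", typed))  # different certificate
```

The pinned value has to reach the client over a channel other than the connection being checked, as with an ssh host key.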

