 HTTP Security and Privacy
 (Page 1 of 2)
There are a number of different protocols in this Guide where I address security considerations. Usually, I start out by saying something to the effect that the protocol doesn't include much in the way of security, because when it was first developed, the Internet was small and used by a tight-knit group, so security wasn't a big concern. Today, the Internet is globe-spanning and used by millions of strangers, making security a big deal indeed, blah blah blah. :) Well, in the case of the World Wide Web this is true, but the issue is even more important due to the significance of the changes in the content of what HTTP messages carry.

HTTP has become the vehicle for transporting any and every kind of information, including a large amount of personal data. HTTP was initially designed to carry academic documents such as memos about research projects, but today it is more likely to carry someone's mortgage application, credit card details or medical details. Thus, not only does HTTP have the usual security issues such as preventing unauthorized access, it needs to deal with privacy concerns as well.

HTTP Authentication Methods

The main HTTP/1.1 standard, RFC 2616, also does not deal extensively with security matters. These are addressed in detail instead in the companion document, RFC 2617, which explains the two methods of HTTP authentication. Highly summarized, they are:
also does not deal extensively with security matters. These are addressed 
in detail instead in the companion document, RFC 2617, which explains 
the two methods of HTTP authentication. Highly summarized, they are: 
Basic Authentication: This is a conventional user/password type of authentication. When a client sends a request to a server that requires authentication to access a resource, the server sends a response to the client's initial request that contains a WWW-Authenticate header. The client then sends a new request containing the Authorization header, which carries a base64-encoded username and password combination.
 
Digest Authentication: Basic authentication is not considered strong security because it sends credentials in the clear, which means that they can be intercepted. Digest authentication uses the same headers as basic authentication, but employs more sophisticated techniques, including encryption, that protect against a malicious person snooping credentials information. Digest authentication is not considered as strong as public key encryption, but is a lot better than basic authentication. It's also a darn sight more complicated. The full details of how it works are in RFC 2617.
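As an added example (not part of the Guide), the arithmetic behind both schemes in Python: decoding a Basic credential shows that base64 hides nothing, while the Digest response is the MD5 construction from RFC 2617 with qop=auth, checked against the worked example values that RFC 2617 itself prints. The header value and the Digest parameters below are those RFC examples, not values from this page.

```python
import base64
import hashlib
import hmac


def basic_credentials(authorization):
    """Recover the user/password pair from a Basic 'Authorization' header value.
    Base64 is a reversible encoding, not encryption, so anyone who can read
    the request sees the credentials: this is what "in the clear" means here."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). A server may store only this, not the password."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side Digest response for qop=auth as defined in RFC 2617:
        HA2 = MD5(method:uri);  response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    Only this hash crosses the wire; the password itself never does."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{digest_ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verifies(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server-side check using the stored HA1; constant-time compare so the
    comparison itself does not leak the expected value through timing."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


# Worked values taken from the examples in RFC 2617 (not from this page).
RFC2617_BASIC = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
RFC2617_DIGEST = dict(
    user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b",
)

if __name__ == "__main__":
    print("Basic reveals:", basic_credentials(RFC2617_BASIC))
    print("Digest response:", digest_response(**RFC2617_DIGEST))  # 6629fae49393a05397450978507c4ef1
```

Note that Digest still sends MD5 hashes of a possibly weak password, so in practice both schemes are run over TLS today.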
 
 
 The TCP/IP Guide (http://www.TCPIPGuide.com)
 Version 3.0 - Version Date: September 20, 2005
 
 © Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.