The Babel of Cryptography 53

To be fair, HTTPS actually features mutual authentication. We will see in the section "The Babel" why it is safe to ignore it for the time being.

HTTPS takes care of communication confidentiality but does not provide a general means of sending identity information.
HTTP supplies the verbs for sending data from the browser to the server; HTTPS provides an opaque pipe through which that data travels protected from eavesdroppers. We can certainly use those tools to send credentials securely, but neither tells us what those credentials should be or how they should be packaged. (HTTP does define the Basic and Digest challenge schemes, but nothing obliges a site to use them, and they carry nothing more than a username and a password.) The result is fairly predictable: secure credential transmission is widely implemented, but pretty much everybody does something different.
Because authentication is not officially part of the protocol, it becomes a responsibility of the application developer. When you write a website, you have to explicitly create a page with a user interface for gathering credentials; you have to write the code that secures credential transmission; and finally it is still you who has to write the logic that reads the credentials just received into some in-memory structure, so that authentication decisions can be made on them.
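The three responsibilities just listed, in working code, as an added example that is not from the book. It assumes the web framework hands the application a request as a scheme, a header map and a raw body; the three credential packagings it accepts (a Basic header, a form POST and a JSON body) are constructed here to show how each site ends up writing its own unpacking logic, and the user store, salt and password are constructed sample data. The check that the request actually arrived over HTTPS is the developer's job too, since HTTP itself never insists on it.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import parse_qs


@dataclass
class Credentials:
    """The in-memory structure the application must build from whatever arrived on the wire."""
    username: str
    password: str
    packaging: str  # which of the ad hoc conventions the client happened to use


def basic_header(username: str, password: str) -> str:
    """Client side of RFC 7617 Basic: base64("user:pass") in the Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def extract_credentials(scheme: str, headers: Mapping[str, str], body: bytes) -> Optional[Credentials]:
    """Unpack credentials from a request, accepting three common but mutually incompatible packagings.

    scheme, headers and body are assumed to come from the web framework. Plain HTTP is
    refused outright: HTTPS is the only confidentiality the stack offers, and nothing in
    HTTP itself insists that credentials travel inside it.
    """
    if scheme.lower() != "https":
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()

    # Packaging 1: Basic authentication header
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, pw = decoded.partition(":")
        return Credentials(user, pw, "basic") if sep else None

    # Packaging 2: HTML login form posted as username=...&password=...
    if ctype == "application/x-www-form-urlencoded":
        fields = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
        if "username" in fields and "password" in fields:
            return Credentials(fields["username"][0], fields["password"][0], "form")
        return None

    # Packaging 3: JSON body {"user": ..., "pass": ...}, as a script-driven client might send
    if ctype == "application/json":
        try:
            obj = json.loads(body)
        except ValueError:
            return None
        if isinstance(obj, dict) and isinstance(obj.get("user"), str) and isinstance(obj.get("pass"), str):
            return Credentials(obj["user"], obj["pass"], "json")
        return None

    return None


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store with a fixed salt so the example is reproducible offline.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("s3cret", _SALT))}
_DUMMY = (_SALT, bytes(32))  # used for unknown users so the comparison costs the same


def verify(creds: Optional[Credentials]) -> bool:
    """Constant-time check of the extracted credentials against the stored hash."""
    if creds is None:
        return False
    salt, stored = USERS.get(creds.username, _DUMMY)
    return hmac.compare_digest(_hash(creds.password, salt), stored)


if __name__ == "__main__":
    ok = verify(extract_credentials("https", {"Authorization": basic_header("alice", "s3cret")}, b""))
    print("basic over https:", ok)
```

Note that the three branches of extract_credentials are the only part a browser or client cares about, and each is a convention rather than a standard: a client written against the form variant cannot log in to the JSON variant even though both sites run the same TLS and hash the same way. That fragmentation is exactly what the text means by everybody doing something different.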