Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Yes, Digest is safe in this case, but one could write a more advanced (packet-injecting) tool/Firefox extension that breaks Digest too.

Terribly bad UI and lack of standard way to log out are dealbreakers for HTTP auth.

There's also no reliable way to customize UI to offer help, password reminders, branding or anything like that.

There has been proposal to improve this in 1999:

http://www.w3.org/TR/NOTE-authentform

and recently discussed in HTML5 WG, but the conclusion was Digest and countless JS tricks proposed in its place are only partial solutions, cookies have unstoppable momentum, so it's better if everyone just switches to SSL.



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: