At 12:04 PM +0000 12/31/10, Nathan Rixham wrote:
> Tamara Temple wrote:
>> Sorry, I was misled by your use of the phrase "Users should not be
>> copy-pasting passwords or usernames" above. I'd love to hear what
>> you think is an alternative to identifying with a web app that keeps
>> track of information about someone that is more secure.
> client side ssl certificates, they force http+tls (thus encryption
> over the wire and no chance of middleman attacks) and no usernames
> or passwords need to be passed, as you identify people by the public
> key held in their certificate, the TLS process ensures they have the
> private key.
Nat:
I was wondering when you would chime in.
The certificate example you provided me a few months ago was
exceptional. I now believe that server-side data can be kept
reasonably secure regardless of successful attacks on the server.
Cheers,
tedd
--
-------
http://sperling.com/
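
Added example, not part of the original thread: a PHP sketch of identifying a user by the public key in their TLS client certificate, as the quoted message describes. It assumes Apache mod_ssl with `SSLVerifyClient` enabled and `SSLOptions +ExportCertData`; the function names, the account table and the self-signed demo certificate are constructed for illustration.

```php
<?php
// Added example; not code from the thread. Assumes Apache mod_ssl with
// SSLVerifyClient enabled and "SSLOptions +ExportCertData", which set
// SSL_CLIENT_VERIFY and SSL_CLIENT_CERT in $_SERVER.

/** SHA-256 of the DER-encoded public key inside a PEM certificate. */
function publicKeyFingerprint(string $certPem): ?string
{
    $key = openssl_pkey_get_public($certPem);
    $details = $key ? openssl_pkey_get_details($key) : false;
    if (!$details) {
        return null; // not a parseable certificate
    }
    $b64 = preg_replace('/-----[^-]+-----|\s+/', '', $details['key']);
    $der = base64_decode($b64, true);
    return $der === false ? null : hash('sha256', $der);
}

/** Returns the account bound to the presented key, or null. */
function authenticateByCertificate(array $server, array $accountsByKey): ?string
{
    // Anything other than SUCCESS (NONE, GENEROUS, FAILED:...) is rejected.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $fp = publicKeyFingerprint($server['SSL_CLIENT_CERT'] ?? '');
    return $fp === null ? null : ($accountsByKey[$fp] ?? null);
}

// Constructed demo data: a throwaway self-signed certificate stands in
// for the one a browser would present; "alice" is a hypothetical account.
$pkey = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr  = openssl_csr_new(['commonName' => 'constructed-client'], $pkey);
openssl_x509_export(openssl_csr_sign($csr, null, $pkey, 1), $pem);
$accounts = [publicKeyFingerprint($pem) => 'alice'];

var_dump(authenticateByCertificate(
    ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_CERT' => $pem], $accounts));
var_dump(authenticateByCertificate(['SSL_CLIENT_VERIFY' => 'NONE'], $accounts));
```

The application stores only key fingerprints, so no password or other shared secret is sent or kept server-side; proof that the client holds the private key comes from the TLS handshake itself.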