On Dec 25, 2007, at 8:44 AM, Juan Manuel Palacios wrote:
On Dec 25, 2007, at 8:51 AM, js wrote:
Forwarding to macports developers.
---------- Forwarded message ----------
From: js <ebgssth@gmail.com>
Date: Dec 25, 2007 12:19 AM
Subject: macforge.org via https?
To: MacPorts Users <macports-users@lists.macosforge.org>
Hi list,
A simple question.
Is there any reason http://www.macosforge.org/wp-login.php is not HTTPS?
Because we use http digest for authentication, not SSL.
But HTTP digest doesn't solve any of the problems that SSL solves:

- It is still vulnerable to a MITM attack. Your password is hashed, but the hash is password-equivalent -- an attacker can simply forward it on.
- Digest authentication is indistinguishable from Basic authentication -- your browser will display the same dialog regardless of the authentication type.

At best, it will prevent a passive attacker from acquiring your password. Anyone engaging in an active MITM attack will have no difficulty acquiring your password.

-landonf
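Added example, not part of the original thread: the RFC 2617 `qop=auth` computation, showing that the server's check depends only on the stored H(A1) hash and the header fields, so H(A1) works in place of the password and nothing binds a response to the connection that delivers it. All names and values (`alice`, `example-realm`, the nonces, `/protected`) are constructed for illustration.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) from RFC 2617: the only step where the password is used."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, fields: dict) -> str:
    """'response' value for qop=auth, computed from H(A1) and header fields."""
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    return md5_hex(":".join([ha1_hex, fields["nonce"], fields["nc"],
                             fields["cnonce"], fields["qop"], ha2]))


def server_accepts(stored_ha1: str, method: str, fields: dict) -> bool:
    """Pure function of stored H(A1) and header fields; nothing identifies
    the connection that delivered them (nonce/nc replay tracking omitted)."""
    expected = digest_response(stored_ha1, method, fields)
    return hmac.compare_digest(expected, fields.get("response", ""))


def demo() -> dict:
    # Constructed sample values, not taken from any real site.
    user, realm, password = "alice", "example-realm", "correct horse"
    stored = ha1(user, realm, password)  # what the server keeps on disk
    fields = {"uri": "/protected", "nonce": "constructed-nonce-01",
              "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth"}
    # A client that knows the password.
    fields["response"] = digest_response(ha1(user, realm, password), "GET", fields)
    from_password = server_accepts(stored, "GET", fields)
    # A party holding only H(A1) answers a fresh nonce without the password.
    fresh = dict(fields, nonce="constructed-nonce-02")
    fresh["response"] = digest_response(stored, "GET", fresh)
    from_hash_only = server_accepts(stored, "GET", fresh)
    # What digest does provide: the cleartext password is never sent.
    password_on_wire = any(password in v for v in fields.values())
    return {"from_password": from_password, "from_hash_only": from_hash_only,
            "password_on_wire": password_on_wire}


if __name__ == "__main__":
    print(demo())
```

For defenders this means a stored digest credential file needs the same protection as cleartext passwords, and the login exchange needs TLS to authenticate the server and protect the channel.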