RFC: allowing HTTP push on a shared host

Alexis S.L.Carvalho alexis at cecm.usp.br
Thu Nov 23 14:04:17 CST 2006


Thus spake Gé Weijers:
> On Nov 22, 2006, at 3:34 PM, Alexis S. L. Carvalho wrote:
> > Well, if you can't use SSL, the passwords will have to be sent in
> > clear text...
> 
> Would it not be possible to use digest authentication? SSL is  
> obviously the better solution (you get server authentication, 

(right now you don't get server authentication because the Python API
doesn't expose enough details for that)

>                                                               client  
> anonymity and a fully encrypted session), but digest authentication  
> is better than clear text passwords, and it may be sufficient in many  
> environments (e.g. to keep sniffers on the intranet from obtaining  
> your password without a dictionary attack).
> 
> It's fairly easy to implement digest authentication, I've done it  
> before.

Ah, yeah, I forgot about digest authentication.  Yes, that works, too.

Alexis
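
An added example, not part of the original thread or of Mercurial's code: what a passive listener sees with Basic versus Digest authentication, using the RFC 2617 `qop=auth` computation and a server-side check. The user name, password, nonce and URI are the sample values from RFC 2617 section 3.5; the function names are hypothetical.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def basic_header(user, password):
    # Basic: base64 is an encoding, not protection.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def read_basic(header):
    # Anyone who sees the request can reverse it to [user, password].
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)

def ha1_for(user, realm, password):
    # The server can store this value instead of the password itself.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, f):
    # RFC 2617, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(":".join([ha1, f["nonce"], f["nc"], f["cnonce"], f["qop"], ha2]))

def server_verify(stored_ha1, method, f):
    # Recompute from the stored HA1 and compare in constant time.
    # A real server must also check that the nonce is one it issued,
    # is still fresh, and that nc increases (replay protection).
    return hmac.compare_digest(digest_response(stored_ha1, method, f), f["response"])

# Sample values from RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
FIELDS = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",  # chosen by the server
    "nc": "00000001",
    "cnonce": "0a4f113b",                            # chosen by the client
    "qop": "auth",
}
HA1 = ha1_for(USER, REALM, PASSWORD)
FIELDS["response"] = digest_response(HA1, "GET", FIELDS)

if __name__ == "__main__":
    print("Basic on the wire :", read_basic(basic_header(USER, PASSWORD)))
    print("Digest on the wire:", FIELDS["response"])
    print("Server accepts    :", server_verify(HA1, "GET", FIELDS))
```

The captured digest fields still let someone test password guesses offline, which is the dictionary-attack caveat in the quoted message, so password strength matters with Digest in a way it does not under SSL.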

