by brians
3263 days ago
It's fragile: leaks the password when TLS is having a bad day, when the server's compromised—say, on more than 1% of days in the last five years. It's fragile to request smuggling attacks too, because the password is not entangled with the request, just next to it. We have lots of mechanisms that do better than both of those: client certs beat the first, and HMAC of the request and key headers with a secret beats both.