Re: [hackers] [quark] Thoughts on CGI and authentication?

From: Laslo Hunhold <dev_AT_frign.de>
Date: Fri, 23 Oct 2020 13:55:28 +0200

On Thu, 22 Oct 2020 22:07:37 +0200
José Miguel Sánchez García <soy.jmi2k_AT_gmail.com> wrote:

Dear José,

> I had HTTP basic and digest auth in mind. They both can be implemented
> pretty easily without adding external dependencies and with a
> reasonable amount of code. Everything more advanced is straight out of
> scope for quark.
> Thanks for suggesting basic! I wasn't sure about it, as it's pretty
> insecure nowadays. But I acknowledge that, for quark's use cases, it
> is perfectly reasonable.

I agree with Hiltjo that Basic-authentication is the way to go. The
reason is that without TLS, you can, as an evildoer, do whatever you
want with a connection, and trying to "fix" it in a half-assed way
doesn't work.

The only way to fix it is using TLS, encapsulating the entire stream.
Encryption, tamper-proofing, etc. are then handled by it one layer
above in a much better way than all these pseudo-secure more complex
authentication methods.

With best regards

Laslo
Received on Fri Oct 23 2020 - 13:55:28 CEST
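As an added illustration (not code from this message or from quark; the function names are hypothetical), here is roughly what server-side Basic checking amounts to in C. The credential in the header is only base64-encoded `user:pass`, so anyone who can read the connection can decode it the same way, and confidentiality has to come from TLS. The scheme name is matched case-sensitively here for brevity.

```c
/* Added example, not quark code; all function names are hypothetical. */
#include <string.h>

/* Map one base64 character to its 6-bit value, or -1 if invalid. */
static int b64val(int c) {
	if (c >= 'A' && c <= 'Z') return c - 'A';
	if (c >= 'a' && c <= 'z') return c - 'a' + 26;
	if (c >= '0' && c <= '9') return c - '0' + 52;
	return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode padded base64 into out, NUL-terminated; returns length or -1. */
static int b64dec(const char *in, char *out, size_t outlen) {
	size_t n = strlen(in), i, o = 0;
	int v[4], j, pad = 0;
	if (n == 0 || n % 4 || n / 4 * 3 >= outlen)
		return -1;
	for (i = 0; i < n; i += 4) {
		for (j = 0; j < 4; j++) {
			if (in[i + j] == '=' && i + 4 == n && j >= 2)
				v[j] = 0, pad++;
			else if (pad || (v[j] = b64val(in[i + j])) < 0)
				return -1;
		}
		out[o++] = (char)(v[0] << 2 | v[1] >> 4);
		if (pad < 2) out[o++] = (char)((v[1] & 15) << 4 | v[2] >> 2);
		if (pad < 1) out[o++] = (char)((v[2] & 3) << 6 | v[3]);
	}
	out[o] = '\0';
	return (int)o;
}

/* Compare without an early exit, so timing does not reveal a matching prefix. */
static int cteq(const char *a, const char *b) {
	size_t la = strlen(a), lb = strlen(b), i, d = la != lb;
	for (i = 0; i < la; i++)
		d |= (unsigned char)(a[i] ^ b[i % (lb ? lb : 1)]);
	return !d;
}

/* 1 if hdr (the Authorization header value) carries exactly user:pass, else 0. */
int basic_ok(const char *hdr, const char *user, const char *pass) {
	char buf[256], *sep;
	int n;
	if (strncmp(hdr, "Basic ", 6) || (n = b64dec(hdr + 6, buf, sizeof(buf))) < 0 ||
	    strlen(buf) != (size_t)n || !(sep = strchr(buf, ':')))
		return 0;
	*sep = '\0';	/* split at the first ':'; the user-id cannot contain one */
	return cteq(buf, user) & cteq(sep + 1, pass);
}
```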
