Security Considerations
- The user credentials are conveyed in the clear to the web site, unless steps such as employment of Transport Layer Security (TLS) are taken.
- The technique is essentially ad-hoc in that effectively none of the interactions between the user agent and the web server, other than HTTP and HTML themselves, are standardized. The actual authentication mechanism employed by the website is, by default, unknown to the user and the user agent. The form itself, including the number of editable fields, and desired content thereof, are entirely implementation- and deployment-dependent.
- This technique is inherently phishable, or vulnerable to criminals masquerading as a trusted party in the authentication process.
Read more about this topic: HTTP+HTML Form-based Authentication
Famous quotes containing the word security:
“When kindness has left people, even for a few moments, we become afraid of them as if their reason had left them. When it has left a place where we have always found it, it is like shipwreck; we drop from security into something malevolent and bottomless.”
—Willa Cather (1876–1947)