[Seaside] Seaside Performance
Daniel Salama
dsalama at user.net
Sat Mar 26 17:50:32 CET 2005
Avi,
As Brian Brown wrote, you are not missing anything. It was my
misunderstanding from something I had read a long time ago. From the
Apache web site, it reads:
--------------
Security caveat
Basic authentication should not be considered secure for any
particularly rigorous definition of secure.
Although the password is stored on the server in encrypted format, it
is passed from the client to the server in plain text across the
network. Anyone listening with any variety of packet sniffer will be
able to read the username and password in the clear as it goes across.
Not only that, but remember that the username and password are passed
with every request, not just when the user first types them in. So the
packet sniffer need not be listening at a particularly strategic time,
but just for long enough to see any single request come across the
wire.
And, in addition to that, the content itself is also going across the
network in the clear, and so if the web site contains sensitive
information, the same packet sniffer would have access to that
information as it went past, even if the username and password were
not used to gain direct access to the web site.
Don't use basic authentication for anything that requires real
security. It is a detriment for most users, since very few people will
take the trouble, or have the necessary software and/or equipment, to
find out passwords. However, if someone had a desire to get in, it
would take very little for them to do so.
Basic authentication across an SSL connection, however, will be
secure, since everything is going to be encrypted, including the
username and password.
--------------
The last sentence is the one that clarifies the issue with SSL.
Thanks,
Daniel
On Mar 26, 2005, at 4:49 AM, Avi Bryant wrote:
> On Sat, 26 Mar 2005 00:44:03 -0500, Daniel Salama <dsalama at user.net>
> wrote:
>> Hi,
>>
>> I was testing some file I/O reading when I noticed something peculiar.
>> I posted the following on the Squeak mailing list
>> (http://lists.squeakfoundation.org/pipermail/squeak-dev/2005-March/090187.html).
>> Because of this finding, I am wondering how well a Squeak box will
>> perform in a production environment.
>
> Daniel,
>
> Don't jump to conclusions. Transcript>>show: is about the slowest
> thing you could possibly be doing to show progress; comment it out and
> your code will run several orders of magnitude faster.
>
> Avi
> _______________________________________________
> Seaside mailing list
> Seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/listinfo/seaside
>
>
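The caveat quoted in the message above, as an added example that is not part of the original thread: a small audit over captured request records that decodes `Authorization: Basic` headers and flags each one seen on a non-TLS listener. The host name, user, password and the `(port, tls, raw_request)` record layout are constructed for illustration.

```python
import base64
import binascii

def basic_credentials(raw_request):
    """Return (user, password) from an Authorization: Basic header, else None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            # Base64 is an encoding, not encryption: no key is involved.
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    return None

def audit(records):
    """Flag every request that carries Basic credentials without TLS."""
    findings = []
    for port, tls, raw in records:
        creds = basic_credentials(raw)
        if creds and not tls:
            # Report the user and password length only, never the secret itself.
            findings.append({"port": port, "user": creds[0],
                             "password_len": len(creds[1])})
    return findings

def _request(path, auth=None):
    """Build a constructed sample request (assumed host: intranet.example)."""
    lines = [f"GET {path} HTTP/1.1", "Host: intranet.example"]
    if auth:
        lines.append("Authorization: " + auth)
    return "\r\n".join(lines) + "\r\n\r\n"

_TOKEN = "Basic " + base64.b64encode(b"daniel:s3cret").decode()
CAPTURED = [                                       # constructed sample records
    (80, False, _request("/private/", _TOKEN)),
    (80, False, _request("/private/logo.png", _TOKEN)),  # resent on every request
    (443, True, _request("/private/", _TOKEN)),    # same header, protected by SSL
    (80, False, _request("/public/")),
]

if __name__ == "__main__":
    for finding in audit(CAPTURED):
        print(finding)
```

Both plaintext requests are flagged, including the image fetch, because the header accompanies every request; the record from the SSL listener is not.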