[Seaside] Seaside Performance

Daniel Salama dsalama at user.net
Sat Mar 26 17:50:32 CET 2005


Avi,

As Brian Brown wrote, you are not missing anything. It was my 
misunderstanding from something I had read a long time ago. From the 
Apache web site, it reads:

--------------
  Security caveat

Basic authentication should not be considered secure for any 
particularly rigorous definition of secure.

Although the password is stored on the server in encrypted format, it 
is passed from the client to the server in plain text across the 
network. Anyone listening with any variety of packet sniffer will be 
able to read the username and password in the clear as it goes across.

Not only that, but remember that the username and password are passed 
with every request, not just when the user first types them in. So the 
packet sniffer need not be listening at a particularly strategic time, 
but just for long enough to see any single request come across the 
wire.

And, in addition to that, the content itself is also going across the 
network in the clear, and so if the web site contains sensitive 
information, the same packet sniffer would have access to that 
information as it went past, even if the username and password were 
not used to gain direct access to the web site.

Don't use basic authentication for anything that requires real 
security. It is a detriment for most users, since very few people will 
take the trouble, or have the necessary software and/or equipment, to 
find out passwords. However, if someone had a desire to get in, it 
would take very little for them to do so.

Basic authentication across an SSL connection, however, will be 
secure, since everything is going to be encrypted, including the 
username and password.
--------------

The last sentence is the one that clarifies the issue with SSL.

Thanks,
Daniel

On Mar 26, 2005, at 4:49 AM, Avi Bryant wrote:

> On Sat, 26 Mar 2005 00:44:03 -0500, Daniel Salama <dsalama at user.net> 
> wrote:
>> Hi,
>>
>> I was testing some file I/O reading when I noticed something peculiar.
>> I posted the following on the Squeak mailing list
>> (http://lists.squeakfoundation.org/pipermail/squeak-dev/2005-March/
>> 090187.html). Because of this finding, I am wondering how well a
>> Squeak box will perform in a production environment.
>
> Daniel,
>
> Don't jump to conclusions.  Transcript>>show: is about the slowest
> thing you could possibly be doing to show progress; comment it out and
> your code will run several orders of magnitude faster.
>
> Avi
> _______________________________________________
> Seaside mailing list
> Seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/listinfo/seaside
>
>
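The Apache caveat quoted above can be made concrete in a few lines. This is an added example, not code from the thread, from Apache or from Seaside: it parses a constructed HTTP request exactly as a packet sniffer would see it on a non-TLS connection, recovers the Base64-encoded credentials (Base64 is an encoding, not encryption), and then applies the server-side rule the caveat's last paragraph implies: only honour or even challenge for Basic credentials once the transport is TLS. The hostname and credentials are hypothetical.

```python
import base64

# Constructed sample: one request as seen on the wire over plain HTTP.
# The credentials are hypothetical ("daniel:s3cr3t" before encoding).
SNIFFED_REQUEST = (
    "GET /seaside/app HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic ZGFuaWVsOnMzY3IzdA==\r\n"
    "\r\n"
)


def basic_credentials(raw_request: str):
    """Return (user, password) from an 'Authorization: Basic' header,
    or None if the request carries no usable Basic credentials.
    Anyone holding the bytes can do this; nothing secret is needed."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    return None


def authorize(raw_request: str, over_tls: bool) -> str:
    """Server-side policy for the caveat. Over plain HTTP the server must
    not even send a Basic challenge, because the challenge is what makes
    the client start replaying the password on every request; redirect
    to HTTPS instead. Over TLS, challenge when credentials are missing
    and accept them when present (real code would verify them here)."""
    if not over_tls:
        return "redirect-to-https"   # e.g. 301 to the https:// URL
    creds = basic_credentials(raw_request)
    if creds is None:
        return "challenge"           # 401 + WWW-Authenticate: Basic
    return "ok"                      # 200 after verifying creds
```

`basic_credentials` is the sniffer's view; `authorize` is the only shape in which Basic auth is acceptable, per the caveat.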