Diff for /bookie/www/setup.html between versions 1.9 and 1.10

version 1.9, 2002/05/16 04:29:59 version 1.10, 2002/05/16 17:28:04
Line 80  server's main class is <code>com.tersesy Line 80  server's main class is <code>com.tersesy
   performance seems okay for now (and if anything seems bound on the XML     performance seems okay for now (and if anything seems bound on the XML 
   processing and IO overhead).  Database operations are not transactional.    processing and IO overhead).  Database operations are not transactional.
 </p>  </p>
   
   <p>
     The server uses an MD5 hashed password for authentication of the client.
     Once authenticated, the server maintains a session based off the IP address
     of the client.  All data is sent in the clear, and as such the passwords and
     XML-RPC information may be 
     <a href="http://www.robertgraham.com/pubs/sniffing-faq.html">packet sniffed</a>. 
     Even if the attacker does not know
     the clear-text password, he can still send the MD5 hash to be authenticated as
     the user.  Unfortunately, XML-RPC does not cover 
     <a href="http://www.strongsec.com/tutorials/security.htm">security</a> and session management
     very well; if there are any new RFCs I would love to hear about them.  One
     possible RFC is <a href="http://jimfl.tensegrity.net">Jim Flanagan's</a> 
     <a href="http://jimfl.tensegrity.net/xmlrpc/">proposal</a>, but this requires
     the use of <a href="http://www.ietf.org/rfc/rfc2617.txt">HTTP digest 
     authentication</a>, which I believe most clients don't
     support.
   </p>
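Review bot: the new paragraph (the <p> added after "Database operations are not transactional.") correctly states that the MD5 hash is replayable, but it stops short of the conclusion a reader needs: an unsalted, unchallenged hash sent on the wire is a password equivalent, and the practical mitigation available now is to serve the XML-RPC endpoint over HTTPS (TLS), which defeats the packet sniffing described without waiting for a new XML-RPC specification. Suggest adding that recommendation here rather than leaving the reader with only the open RFC question. Keying the session off the client IP address also deserves a caveat in the same paragraph: clients behind one NAT or proxy share an address, so once one of them authenticates the others are accepted as that user. Finally, "One possible RFC is Jim Flanagan's proposal" is inaccurate, since the proposal is not an RFC; it builds on RFC 2617 (HTTP digest authentication), so suggest "One proposal that builds on an existing RFC is Jim Flanagan's ..." and keep the note that it requires digest authentication support in clients.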
