Comments by "Christian Baune" (@programaths) on "Rust vs Go : Hands On Comparison" video.
-
47:18 A decade ago, we needed some authentication. I wanted something more serious than BasicAuth over TLS, so I implemented WSSE.
100% of implementors were confused because they didn't understand how the website could verify the password was valid if they sent a hash.
On top of it, the documentation stated that the password had to be hashed twice. So, you had to ask for the salt for a specific username (the website would return a hash even for nonexistent users).
Then you had to hash your password a first time with the provided salt, then a second time with a timestamp and nonce you created.
If you used the same nonce twice in the same interval (5 minutes), the website would reject the authentication.
When I left, the company abandoned it to use BasicAuth because it was too complicated for implementors.
Another huge point of confusion was why Basic Auth was wrong, even with HTTPS. People couldn't understand that HTTPS is not enough. So, I referred to an article from Microsoft about naked bikers ^^ Yet, people still had trouble wrapping their heads around it. But I was persistent, and that's why we did WSSE.
The big downside was that I was the only one to know why it was done that way, even if I tried to educate my peers. It was already too complex.
It's not. Check "hmac," and you will see it's straightforward. It's just that, at the time, people were not used to that kind of security, and there were no plug-and-play libraries.
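The two-step scheme the comment describes (ask for a salt, hash the password with it, then HMAC that result with a fresh nonce and timestamp, and let the server reject stale timestamps and reused nonces), written out as an added Python sketch. This is not the commenter's code or WSSE itself; the PBKDF2 first step, the `nonce:timestamp` message layout, the keyed fake salt for unknown usernames and the in-memory nonce store are all assumptions made here.

```python
import hashlib, hmac, secrets, time

WINDOW = 300  # seconds; the "same interval (5 minutes)" from the comment
_FAKE_SALT_KEY = secrets.token_bytes(32)  # assumption: server-side key for fake salts

def first_hash(password, salt_hex):
    # Step 1: the client derives h1 from the password and the salt it asked for.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000).hex()

def second_hash(h1_hex, nonce, ts):
    # Step 2: h1 is the HMAC key; nonce and timestamp bind the digest to one request.
    return hmac.new(bytes.fromhex(h1_hex), f"{nonce}:{int(ts)}".encode(), hashlib.sha256).hexdigest()

def client_login(server, username, password, now=None):
    # What the client sends; the password itself never leaves the client.
    now = time.time() if now is None else now
    nonce, ts = secrets.token_hex(16), int(now)
    digest = second_hash(first_hash(password, server.salt_for(username)), nonce, ts)
    return username, nonce, ts, digest

class Server:
    def __init__(self):
        self.users = {}  # username -> (salt_hex, h1_hex); only h1 is stored, never the password
        self.seen = {}   # (username, nonce) -> time first accepted, for replay rejection

    def register(self, username, password):
        salt = secrets.token_hex(16)
        self.users[username] = (salt, first_hash(password, salt))

    def salt_for(self, username):
        # Unknown names get a stable, same-length fake salt so they cannot be told apart.
        if username in self.users:
            return self.users[username][0]
        return hmac.new(_FAKE_SALT_KEY, username.encode(), hashlib.sha256).hexdigest()[:32]

    def verify(self, username, nonce, ts, digest, now=None):
        now = time.time() if now is None else now
        if abs(now - ts) > WINDOW:          # stale or future-dated request
            return False
        self.seen = {k: v for k, v in self.seen.items() if now - v <= WINDOW}
        if (username, nonce) in self.seen:  # nonce reused inside the window: replay
            return False
        rec = self.users.get(username)
        if rec is None:
            return False
        if not hmac.compare_digest(second_hash(rec[1], nonce, ts), digest):
            return False
        self.seen[(username, nonce)] = now  # accepted once; a replay now fails above
        return True
```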