Security


Security
********

   There are an increasing number of ways to authenticate a user to a
web service.  Emacs/W3 tries to support as many as possible.  Emacs/W3
currently supports:

Basic Authentication
     The weakest authentication available, not recommended if serious
     security is necessary.  This is simply a string that looks like
     `user:password' that has been Base64 encoded, as defined in RFC
     1421.

Digest Authentication
     Jeffery L. Hostetler, John Franks, Philip Hallam-Baker, Ari
     Luotonen, Eric W. Sink, and Lawrence C. Stewart have an internet
     draft for a new authentication mechanism.  For the complete
     specification, please see draft-ietf-http-digest-aa-01.txt in the
     nearest internet drafts archive(1).

SSL Encryption
     SSL is the `Secure Sockets Layer' interface developed by Netscape
     Communications (2).  Emacs/W3 supports HTTP transfers over an SSL
     encrypted channel, if the appropriate files have been
     installed.See Installing SSL

Privacy
=======

   Sometimes you don't want people to know who you are, or where you've
been.  HTTP is quite happy to tell everyone it meets who you are and
where you've come from.  `url-privacy-level' can be used to set how
much information is given, it can be a list of the following symbols

`email'
     Do not send email address.  This just sets
     `url-personal-mail-address' to `nil'.

`os'
     Do not send operating system

`lastloc'
     Do not send the last location

`agent'
     Do not send the User-Agent string (for an alternative approach,
     see Masquerading.).

`cookie'
     Never accept cookies (see Cookies.)

   Alternatively `url-privacy-level' can be a single symbol,
`none'
     Send all information.

`low'
     Don't send the last location.  Equivalent to `(lastloc)'

`high'
     Don't send the email address or last location.  Equivalent to
     `(email lastloc)'

`paranoid'
     Don't send anything.  Equivalent to `(email os lastloc agent
     cookie)'

   If you change `url-privacy-level' then you should also call
`url-setup-privacy-info' to make sure that the changes propogate.

   ---------- Footnotes ----------

   (1) One is ftp://ds.internic.net/internet-drafts

   (2) http://www.netscape.com/