hc-dev mailing list archives

From "F Carlsen (JIRA)" <j...@apache.org>
Subject [jira] Created: (HTTPCLIENT-1053) Security issue - DigestScheme uses constant nonce count value
Date Sun, 06 Feb 2011 08:31:30 GMT
Security issue - DigestScheme uses constant nonce count value

                 Key: HTTPCLIENT-1053
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1053
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpAuth, HttpClient
    Affects Versions: 4.1 Final, 3.1 Final, 4.2 Final
         Environment: All configurations using HTTP Digest Scheme for authentication
            Reporter: F Carlsen

The nonce count value in DigestScheme is static (set to 00000001) and never changes (also seen as a comment in said file).

This means that it fails against servers that correctly detect man-in-the-middle or replay attacks, leading to additional 401 responses (every second time), or such servers must be configured to turn such checks off (which is either poor security or poor for performance).

I suggest that, at minimum, this count be incremented for every call to DigestScheme#createDigest. It should also be an instance variable instead of a static, as it really relates to the challenge (assuming cases where instances are cached for reuse). AtomicInteger is a good choice for implementing this counter.

See RFC 2617, sections 3.2.2 and 3.2.3.

This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
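The following is an added illustration, not HttpClient code and not part of the issue report, of the failure the reporter describes: a client that sends nc=00000001 on every request against a server that, per RFC 2617 section 3.2.2, tracks the nonce count per nonce and treats a non-increasing value as a replay. The `DigestClient` and `DigestServer` classes, the `simulate` harness, the realm "example" and the user/password "alice"/"s3cret" are all constructed for this example; the Mufasa test vector in the `__main__` block is the one from RFC 2617 section 3.5.

```python
"""Digest auth (RFC 2617, qop=auth): why a constant nonce count fails against a
replay-checking server. Example code, not HttpClient's implementation."""
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for qop=auth (RFC 2617 3.2.2.1); nc is the 8-hex-digit nonce count."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestClient:
    """Hypothetical client. The counter is per instance and reset per challenge,
    as the report suggests; increment_nc=False reproduces the constant-00000001 bug."""

    def __init__(self, username, password, increment_nc=True):
        self.username, self.password = username, password
        self.increment_nc = increment_nc
        self.realm = self.nonce = None
        self.count = 0

    def accept_challenge(self, realm, nonce):
        self.realm, self.nonce, self.count = realm, nonce, 0

    def authorize(self, method, uri):
        self.count = self.count + 1 if self.increment_nc else 1
        nc = f"{self.count:08x}"                # "00000001", "00000002", ...
        cnonce = secrets.token_hex(8)
        return {
            "username": self.username, "realm": self.realm, "nonce": self.nonce,
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(self.username, self.realm, self.password,
                                        method, uri, self.nonce, nc, cnonce),
        }


class DigestServer:
    """Hypothetical server that remembers the highest nc accepted for each nonce."""

    def __init__(self, realm, users):
        self.realm, self.users = realm, users
        self.highest_nc = {}                     # nonce -> highest nc accepted so far

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.highest_nc[nonce] = 0
        return self.realm, nonce

    def verify(self, method, auth):
        nonce = auth["nonce"]
        if nonce not in self.highest_nc:
            return False                         # unknown or stale nonce
        nc = int(auth["nc"], 16)
        if nc <= self.highest_nc[nonce]:
            return False                         # nc did not increase: replay (or a client stuck at 00000001)
        password = self.users.get(auth["username"])
        if password is None:
            return False
        expected = digest_response(auth["username"], self.realm, password, method,
                                   auth["uri"], nonce, auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self.highest_nc[nonce] = nc
        return True


def simulate(increment_nc, requests=4):
    """Run several requests on one connection; a rejected request gets a 401 with a
    fresh challenge, after which the client starts again with that new nonce."""
    server = DigestServer("example", {"alice": "s3cret"})
    client = DigestClient("alice", "s3cret", increment_nc=increment_nc)
    client.accept_challenge(*server.challenge())
    results = []
    for _ in range(requests):
        ok = server.verify("GET", client.authorize("GET", "/dir/index.html"))
        results.append(ok)
        if not ok:
            client.accept_challenge(*server.challenge())
    return results


if __name__ == "__main__":
    # RFC 2617 section 3.5 example vector
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                          "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b"))       # 6629fae49393a05397450978507c4ef1
    print("constant nc:    ", simulate(False))            # every second request rejected
    print("incrementing nc:", simulate(True))             # all accepted
```

With the constant count the server accepts the first request, rejects the second as a replay and must re-challenge, so the client pays an extra 401 round trip every second request, which is exactly the symptom in the report. With the per-challenge counter every request is accepted. The server's `highest_nc` table is also what an operator would have to disable to make the constant-count client work, which is the trade-off the reporter objects to.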


