httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r..@ai.mit.edu (Robert S. Thau)
Subject Re: Digest authentication q...
Date Sun, 11 Jun 1995 18:51:41 GMT
   Date: Fri, 9 Jun 1995 18:31:19 -0700
   From: Rob McCool <robm@netscape.com>

   We were ready to place digest auth in our 1.1 clients and servers
   until we found that out... as far as we could surmise there was no way
   to avoid having enough information in the clear on the server machine
   for a person to create repeat attacks.

Hmmm... it doesn't work store the digests of the (user:realm:password)
triples encrypted?  They'd still need to be in the clear in the memory
of the server processes themselves at some point, but if that's
compromised, you're pretty much hosed anyway.

(Of course, this does create the problem of where to put the server
key --- if it's on the disks, then the rest of it might as well be
cleartext.  But I was somehow under the impression that users of at
least the secure Netscape servers had this problem anyway, at least to
judge by the comments I remember seeing in the server forum...).

rst



Mime
View raw message