httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lucid <>
Subject Re: PUT authoring
Date Tue, 18 Jun 1996 21:14:51 GMT
> > > Cookies!
> > > 
> > > After the first connection, the user id can be put into a cookie so that
> > > a challenge is immediately possible thereafter.
> > 
> > No.  If you're using something like s/key to protect something, the last
> > thing you want to use after that is cookies.  It's sorta like putting a
> > piece of duct tape over the door of an unlocked safe.  
> Only the user-id is in the cookie. That's safe. New one-time-passwords
> are sent when they are asked for.. those are useless unless you can
> intercept the request and bounce it away from the server that asked for
> it. No smoke, mirrors or duct tape.

no the problem is the challenge-responce sequence needs the userid before
it can issue the challenge.

The cookie thing wont work because if you are voulnerable to source
routing you are skrewed, because someone can route packets to themselves
and make it look like they are going to you.
I know this is paranoid but so are Some CERT advisiories.

the new one-time passwords can be generated automagickly (without someone
typing them) thats what S/Key does...


View raw message