httpd-dev mailing list archives

From Rob Hartill <>
Subject Re: PUT authoring
Date Tue, 18 Jun 1996 15:20:23 GMT
> no the problem is the challenge-response sequence needs the userid before
> it can issue the challenge.

yup. and it can be in the cookie thus saving a round trip.

> The cookie thing won't work because if you are vulnerable to source
> routing you are screwed, because someone can route packets to themselves
> and make it look like they are going to you.

As Brian would say, I can't parse this.

Using a cookie to hold the user-id doesn't make it any more insecure,
if there are ways for someone to intercept packets then they can just as
easily intercept a non-cookie user-id being sent to the server, and even if
they have the user-id and challenge they can't do anything without the
secret password or an unused but valid one-time password. The cookie doesn't
expose either; all it holds is the user-id which can be (and often is 
for telnet skey users) common knowledge.

Now if sending one-time passwords isn't safe, the whole skey thing is
useless, but it seems to be widely used for remote login over the net.
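
The argument above as an added example (not part of the original message): a minimal S/Key-style hash-chain login in which the user-id and the challenge are public, as they would be if the user-id travelled in a cookie. SHA-256 stands in for S/Key's own hash, and the `Server` class, the `otp` helper and the sample user, seed and passphrase are constructed for illustration.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    """One hash step (SHA-256 here; an assumption, not the hash real S/Key uses)."""
    return hashlib.sha256(data).digest()

def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """n-th one-time password: the hash applied n times to seed + secret."""
    value = h(seed + secret)
    for _ in range(n - 1):
        value = h(value)
    return value

class Server:
    """Holds, per user-id, the sequence number, seed and last accepted OTP."""
    def __init__(self):
        self.users = {}

    def enroll(self, user_id, seed, count, top):
        self.users[user_id] = [count, seed, top]

    def challenge(self, user_id):
        # Needs only the user-id, which is why it can arrive in a cookie.
        seq, seed, _ = self.users[user_id]
        return seq - 1, seed

    def verify(self, user_id, response):
        seq, seed, last = self.users[user_id]
        # Hashing the response once must give the previously stored OTP.
        if seq <= 1 or not hmac.compare_digest(h(response), last):
            return False
        self.users[user_id] = [seq - 1, seed, response]  # step down the chain
        return True

def demo():
    secret, seed = b"constructed passphrase", b"ke1234"  # constructed values
    server = Server()
    server.enroll("rob", seed, 100, otp(secret, seed, 100))
    seq, seed_out = server.challenge("rob")  # user-id and challenge are public
    results = {}
    # Someone holding user-id and challenge, but not the secret, is rejected.
    results["without_secret"] = server.verify("rob", otp(b"guess", seed_out, seq))
    good = otp(secret, seed_out, seq)
    results["valid"] = server.verify("rob", good)
    results["replay"] = server.verify("rob", good)  # a used OTP is worthless
    results["next_seq"] = server.challenge("rob")[0]
    return results

if __name__ == "__main__":
    print(demo())
```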

