httpd-dev mailing list archives

From "Robert S. Thau" <...@Etna.ai.mit.edu>
Subject Re: PUT authoring
Date Mon, 17 Jun 1996 22:00:19 GMT
  The advantage of an skey approach is that it doesn't need to be an
  encrypted session to transfer the password. Any other password protected
  PUT is going to be vulnerable to a password sniffer unless you use SSL
  or whatever.

But like I said the last time, this applies to use of S/Key for
authenticating *anything* --- and since it only addresses
authentication, it does nothing about the security problems which are
inherent to PUTs in particular (which, recall, have nothing to do with
authentication whatsoever and don't go away even if you allow
completely anonymous PUTs and just don't give a damn who the clients
are).

In fact, the nastiest issues don't even involve the web server itself
at all.  They have to do with attacks on a back-end PUT-handler by
people with accounts *on the system*, who aren't using the web server
at all; obviously, HTTP authentication can't make a difference to
these, since the attacker is invoking the back-end script directly,
and the server is out of the picture entirely.

If you want to write an S/Key auth module, don't take this as
discouragement; it might very well be an excellent thing to have.  But
for heaven's sake don't limit it to PUTs (there's no reason to), and
don't think it solves the problems I was discussing last week (which
is a different set of issues entirely).

rst
