httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <>
Subject Re: Security hole in mod_digest.c?
Date Mon, 26 Aug 1996 11:36:01 GMT
On Mon, 26 Aug 1996, Ben Laurie wrote:

> Random numbers will do - after all, everyone gives away the assembler. The

It's easier to read C than assembler. Trust me on that :)

> point about piling all that stuff into the nonce is in case someone finds a
> way to factor small changes out of MD5, not because it is actually currently
> needed.

Well, my point is that if I use a "secret" method, I can detect easily if
someone's trying to fool me. A public method makes that harder.

> However, having to store it to check it would be a problem. It did occur to me
> that limited security could be had by simply checking the age of the nonce.

Yeah. As I said, I was going to rewrite mod_digest (and clean up that
horrid Authorization-line parsing mess), and bring it up to spec (I mean,
it is, but only barely), but then I realized there are no browsers out
there (hardly) that support it, so I decided it wasn't worth the effort.

MSIE 2.1b1 for the Mac, BTW, is real fun with digest auth... while you
type in your password, it show it to you, in the clear, in the "Realm:"
field. Microsoft Quality Software.

-- Alexei Kosut <>            The Apache HTTP Server

View raw message