httpd-dev mailing list archives

From "Life is hard, and then you die." <>
Subject RE: [STATUS] (apache-1.3) Wed Aug 4 23:45:08 EDT 1999
Date Sun, 08 Aug 1999 20:52:12 GMT

Randy Terbush wrote:
> It is safe to say that people will get confused no matter what we do.

Hmm, assuming the new mod_digest compiles and runs cleanly everywhere,
then the only non-confusing option would be to:
 1. remove the truerand dependency, and instead use a very weak
    random number such as the current time. This will make various
    attacks much easier because the server nonce can then be guessed,
    but it'll still be better than Basic auth (i.e. the password is not
    sent in the clear, and replay attacks are still hard).

 2. replace the current mod_digest with the new one.

But we are trying to avoid 2. because the assumption may not hold.

> I think the safe thing to do at this stage is to make the new version
> available in experimental and worry about what we do with this in 2.0.

I think I agree.

> > If it's really true that the current mod_digest is
> > incompatible with all the well-known browsers,

Just for clarification: there seem to be only two browsers currently
who understand Digest, IE5.0 and Amaya. There are a few libraries
out there (libwww, which Amaya uses, the perl libwww, my own Java
client) which also support it, but I don't think those are a worry.
IE5.0 supposedly does not like the old (rfc-2069) style as implemented
in the current mod_digest (they should be able to handle it, but for
security reasons they have the right to refuse to). Amaya will talk
to the current mod_digest, however.
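The trade-off in option 1 above is what the nonce is made of. As an added illustration (not code from the thread or from mod_digest), the following contrasts a nonce that is only the current time with the RFC 2617 suggestion of binding a timestamp to a server private key, here as an HMAC; the secret, the 300-second lifetime and the helper names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed for this example: a real server would load its private key once at startup.
SERVER_SECRET = os.urandom(32)
NONCE_LIFETIME = 300  # seconds a challenge stays valid (assumed policy)


def time_only_nonce(now: int) -> str:
    """The weak option from the thread: the nonce is derived from the clock alone,
    so anyone who knows roughly what time it is can compute the next one."""
    return hashlib.md5(str(now).encode()).hexdigest()


def keyed_nonce(now: int, secret: bytes = SERVER_SECRET) -> str:
    """RFC 2617-style nonce: the timestamp travels in the clear so the server can
    check freshness without keeping state, and an HMAC over it under the server
    secret means nobody without that secret can forge or predict a valid nonce."""
    stamp = f"{now:x}"
    mac = hmac.new(secret, stamp.encode(), hashlib.sha256).hexdigest()
    return f"{stamp}:{mac}"


def verify_nonce(nonce: str, now: int, secret: bytes = SERVER_SECRET,
                 lifetime: int = NONCE_LIFETIME) -> bool:
    """Accept a nonce only if its MAC checks out and it was issued within `lifetime`
    seconds; a stale or tampered nonce is rejected, which is what limits replay."""
    try:
        stamp, mac = nonce.split(":", 1)
        issued = int(stamp, 16)
    except ValueError:
        return False  # malformed: wrong shape or non-hex timestamp
    expected = hmac.new(secret, stamp.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # not minted by this server (or secret has rotated)
    return 0 <= now - issued <= lifetime


if __name__ == "__main__":
    now = 1000  # constructed clock value
    print("time-only nonce (predictable):", time_only_nonce(now))
    n = keyed_nonce(now)
    print("keyed nonce:", n, "valid now:", verify_nonce(n, now),
          "valid after lifetime:", verify_nonce(n, now + NONCE_LIFETIME + 1))
```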