httpd-dev mailing list archives

From Dean Gaudet
Subject Re: navigator charset bug
Date Wed, 22 Mar 2000 00:46:45 GMT
On Mon, 20 Mar 2000, Marc Slemko wrote:

> The only problem is that there is no clear replacement method (even one
> that just isn't yet widely deployed) for the sort of authentication that
> many web sites want to do.  I guess client certificates are the closest
> thing, but they are far too heavyweight to use and have their own issues.

ignoring man-in-the-middle attacks (use ssl, even in plain-text mode if
worried about those) then the client/server can generate a session key and do
one-time password stuff... just borrow from kerberos.  requires client
clock to be set correctly :)

you can get rid of most of the trouble just assuming javascript and cookie
support on the client -- server responds with a new seed to each request
from the client, client javascript hashes the seed and the url it's
requesting when sending next requests.  each cookie can be used only once
-- so an attacker has to use snooped cookies immediately before the user
does anything else with the same server.

or something like that, i haven't given it a lot of thought.  but given
that javascript is the main cause of this problem, you might as well
assume it in developing a solution.
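
The single-use seed scheme sketched in the message above, as an added example that is not part of the original post: the server keeps one valid seed per session, accepts a token only if it is the hash of that seed and the requested URL, and rotates the seed on every accepted request so a replayed token is rejected. The choice of SHA-256, the Node.js `crypto` module, and the names `clientToken` and `OneTimeSeedServer` are assumptions made for illustration; the post names no hash or API.

```javascript
const crypto = require('crypto');

// What the client-side script computes: hash of the current seed and the URL requested.
function clientToken(seed, url) {
  return crypto.createHash('sha256').update(seed + '\n' + url).digest('hex');
}

// Hypothetical server-side bookkeeping: exactly one valid seed per session.
class OneTimeSeedServer {
  constructor() {
    this.seeds = new Map(); // session id -> the seed currently valid
  }

  // Start a session and return the first seed sent to the client.
  open(sessionId) {
    const seed = crypto.randomBytes(16).toString('hex');
    this.seeds.set(sessionId, seed);
    return seed;
  }

  // Verify a request. On success the seed is consumed and a new one is issued,
  // so the same token can never be accepted twice.
  handle(sessionId, url, token) {
    const seed = this.seeds.get(sessionId);
    if (seed === undefined) return { ok: false, nextSeed: null };
    const expected = Buffer.from(clientToken(seed, url), 'hex');
    const got = Buffer.from(String(token), 'hex');
    const ok = got.length === expected.length && crypto.timingSafeEqual(got, expected);
    if (!ok) return { ok: false, nextSeed: null };
    const nextSeed = crypto.randomBytes(16).toString('hex');
    this.seeds.set(sessionId, nextSeed);
    return { ok: true, nextSeed };
  }
}

// Constructed walk-through: a valid request, a replay, a wrong URL, the next valid request.
function demo() {
  const server = new OneTimeSeedServer();
  const seed1 = server.open('s1');
  const t1 = clientToken(seed1, '/inbox');
  const first = server.handle('s1', '/inbox', t1);
  const replay = server.handle('s1', '/inbox', t1); // same token presented again
  const wrongUrl = server.handle('s1', '/admin', clientToken(first.nextSeed, '/inbox'));
  const second = server.handle('s1', '/inbox', clientToken(first.nextSeed, '/inbox'));
  return { first: first.ok, replay: replay.ok, wrongUrl: wrongUrl.ok, second: second.ok };
}
```

As in the message, a token captured on the wire is still usable once if it reaches the server before the user's own next request; the rotation only closes the window after that.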

