httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sébastien Bonnegent <sbonneg...@mediapps.com>
Subject Re: Share data between servers
Date Mon, 12 Aug 2002 15:41:23 GMT
Cliff Woolley wrote:
CW> On Mon, 12 Aug 2002, Sbastien Bonnegent wrote:
CW> 
CW> > A client connect to "www.example1.com", and provide an authentification.
CW> > Later, the same client connect to "www.example2.com" without give again
CW> > an authentification.
CW> 
CW> How is that not a security problem?
CW> 
CW> Let's say we then have www.example3.attacker.com who provides the same
CW> Realm to the proxy.  The proxy hands over the user's password to the
CW> attacker without the client even knowing anything happened.

In fact, my first schema was incomplete, whereis a firewall between
the client and the proxy. In addition, the proxy only serves a delimited number
of websites which are known in advance. It is the proxy that check if the
user is already known or not.

Obviously, hijacking and ip-spoofing must have special attention
in this system (maybe with a special nonce or something like that).

Regards,
seß - sinad
-- 
GPG uid: 0xCB92591D  ICQ: 60143970
LINUX - because life is too short to reboot !
-- Fortune:
There will be big changes for you but you will be happy.
Mime
View raw message